Package "bind9-host"

  bind9 (1:9.18.39-0ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY
    negotiation
    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the
      error path in lib/dns/gssapictx.c.
    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY
      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,
      lib/dns/tkey.c.
    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context
      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,
      lib/dns/tkey.c.
    - CVE-2026-3039
  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue
    records
    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses
      returned per ADB find in bin/named/main.c, lib/dns/adb.c.
    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from
      the resolver SLIST in lib/dns/resolver.c.
    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed
     glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,
      bin/tests/system/selfpointedglue/ns1/root.db,
      bin/tests/system/selfpointedglue/ns2/named.conf.j2,
      bin/tests/system/selfpointedglue/ns2/tld.db,
      bin/tests/system/selfpointedglue/ns3/example.tld.db,
      bin/tests/system/selfpointedglue/ns3/example2.tld.db,
      bin/tests/system/selfpointedglue/ns3/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/named.args.j2,
      bin/tests/system/selfpointedglue/ns4/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/root.hint,
      bin/tests/system/selfpointedglue/prereq.sh,
      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.
    - debian/patches/CVE-2026-3592-5.patch: Add SRTT-based server selection
      system test in bin/tests/system/srtt/README,
      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,
      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,
      bin/tests/system/srtt/ns1/named.conf.j2,
      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,
      bin/tests/system/srtt/ns6/named.conf.j2, bin/tests/system/srtt/prereq.sh,
      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.
    - CVE-2026-3592
  * SECURITY UPDATE: Invalid handling of CLASS != IN
    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN
      classes in bin/named/server.c, bin/tests/system/checkconf/tests.sh,
      bin/tests/system/resolver/tests.sh, lib/bind9/check.c.
    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for
      non-IN classes in bin/named/server.c, lib/dns/adb.c,
      lib/ns/client.c, lib/ns/update.c.
    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early
      in request processing in bin/tests/system/unknown/tests.sh,
      lib/ns/client.c.
    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and
      NOTIFY messages in lib/dns/message.c.
    - debian/patches/CVE-2026-5946-5.patch: Skip "deny-answer-address" for
      non-IN addresses in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior
      in bin/tests/system/checkconf/tests.sh,
      bin/tests/system/checkconf/warn-chaos-recursion.conf,
      bin/tests/system/class/ns1/chaos.db.in,
      bin/tests/system/class/ns1/named.conf.j2,
      bin/tests/system/class/ns2/example.db.in,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/ns2/named.conf.j2,
      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,
      bin/tests/system/class/tests_class_chaos.py,
      bin/tests/system/isctest/check.py.
    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and
      other non-IN classes in bin/named/server.c,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/tests_class_update.py.
    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending
      various UPDATE requests in bin/tests/system/class/tests_class_update.py,
      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,
      bin/tests/system/packet.pl.
    - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in
      isctest.query() in bin/tests/system/isctest/query.py.
    - CVE-2026-5946
  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver
    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE
      resend loop in bin/tests/system/resend_loop/ans3/ans.py,
      bin/tests/system/resend_loop/ns4/named.conf.j2,
      bin/tests/system/resend_loop/ns4/root.hint,
      bin/tests/system/resend_loop/tests_resend_loop.py.
    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query
      counters in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query
      counters in lib/dns/resolver.c.
    - CVE-2026-5950

 -- Marc Deslauriers <email address hidden> Thu, 21 May 2026 10:42:08 -0400

  bind9 (1:9.18.39-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during
    insecure delegation validation
    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.
    - debian/patches/CVE-2026-1519-2.patch: check iterations in
      isdelegation() in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted
      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-4.patch: check RRset trust in
      validate_neg_rrset() in lib/dns/validator.c.
    - CVE-2026-1519

 -- Marc Deslauriers <email address hidden> Tue, 24 Mar 2026 11:31:16 -0400

  bind9 (1:9.18.39-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      lib/isc/include/isc/random.h, lib/isc/random.c,
      tests/isc/random_test.c.
    - CVE-2025-40780

 -- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 09:15:59 -0400

  bind9 (1:9.18.30-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Many records in the additional section cause CPU
    exhaustion
    - debian/patches/CVE-2024-11187.patch: limit the additional processing
      for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
      lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
      lib/ns/query.c.
    - CVE-2024-11187
  * SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
    issues under heavy query load
    - debian/patches/CVE-2024-12705.patch: fix flooding issues in
      lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
      lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
      lib/isc/netmgr/tlsstream.c.
    - CVE-2024-12705

 -- Marc Deslauriers <email address hidden> Tue, 28 Jan 2025 09:30:35 -0500

  bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to 9.18.28 to fix multiple security issues.
    - CVE-2024-0760: A flood of DNS messages over TCP may make the server
      unstable
    - CVE-2024-1737: BIND's database will be slow if a very large number of
      RRs exist at the same name
    - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
    - CVE-2024-4076: Assertion failure when serving both stale cache data
      and authoritative zone content

 -- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400