Package "bind9"

  bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to 9.18.28 to fix multiple security issues.
    - CVE-2024-0760: A flood of DNS messages over TCP may make the server
      unstable
    - CVE-2024-1737: BIND's database will be slow if a very large number of
      RRs exist at the same name
    - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
    - CVE-2024-4076: Assertion failure when serving both stale cache data
      and authoritative zone content

 -- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400

  bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500

  bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via recusive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: Dos via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:21:46 -0400

  bind9 (1:9.18.12-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:29:34 -0400

  bind9 (1:9.18.1-1ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
    available memory
    - debian/patches/CVE-2022-3094.patch: add counter in
      bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst,
      lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
      lib/ns/server.c, lib/ns/update.c.
    - CVE-2022-3094
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly while processing RRSIG queries
    - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c.
    - CVE-2022-3736
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly at recursive-clients soft quota
    - debian/patches/CVE-2022-3924.patch: improve logic in
      lib/dns/resolver.c, lib/ns/query.c.
    - CVE-2022-3924

 -- Marc Deslauriers <email address hidden> Tue, 24 Jan 2023 08:18:53 -0500