Package "bind9utils"

  bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to 9.18.28 to fix multiple security issues.
    - CVE-2024-0760: A flood of DNS messages over TCP may make the server
      unstable
    - CVE-2024-1737: BIND's database will be slow if a very large number of
      RRs exist at the same name
    - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
    - CVE-2024-4076: Assertion failure when serving both stale cache data
      and authoritative zone content

 -- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400

  bind9 (1:9.18.24-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version 9.18.24 (LP: #2040459)
    - Updates:
      + Mark use of AES as the DNS COOKIE algorithm as depricated.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
        as depricated.
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Mark dnssec-must-be-secure option as deprecated.
      + Honor nsupdate -v option for SOA queries by sending both the UPDATE
        request and the initial query over TCP.
      + Reduce memory consumption through dedicated jemalloc memory arenas.
    - Bug fixes:
      + Fix accidental truncation to 32 bit of statistics channel counters.
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritive data into account when looking up stale data
        from the cache.
      + Fix assertion failure when lock-file used at the same time as named -X.
      + Fix lockfile removal issue when starting named 3+ times.
      + Fix validation of If-Modified-Since header in statistics channel for
        its length.
      + Add Content-Length header bounds check to avoid integer overflow.
      + Fix memory leaks from OpenSSL error stack.
      + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs UPDATE policies.
      + Fix accidental disable of stale-refresh-time feature on rndc flush.
      + Fix possible DNS message corruption from partial writes in TLS DNS.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
      information.
  * Remove CVE patches fixed upstream:
    - CVE-2023-3341.patch
    - CVE-2023-4236.patch
    [ Fixed in 9.18.19 ]
    - 0001-CVE-2023-4408.patch
    - 0002-CVE-2023-5517.patch
    - 0003-CVE-2023-5679.patch
    - 0004-CVE-2023-50387-CVE-2023-50868.patch
    [ Fixed in 9.18.24 ]
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h.

 -- Lena Voytek <email address hidden> Thu, 11 Apr 2024 14:11:18 -0700

  bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500

  bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek <email address hidden> Wed, 20 Sep 2023 15:15:41 -0700

  bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via recusive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: Dos via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:21:46 -0400