UbuntuUpdates.org

Package "bind9"

Name: bind9

Description:

Internet Domain Name Server

Latest version: 1:9.18.24-0ubuntu0.23.10.1
Release: mantic (23.10)
Level: proposed
Repository: main
Homepage: https://www.isc.org/downloads/bind/


Other versions of "bind9" in Mantic

Repository Area Version
base universe 1:9.18.18-0ubuntu2
base main 1:9.18.18-0ubuntu2
security main 1:9.18.18-0ubuntu2.1
security universe 1:9.18.18-0ubuntu2.1
updates main 1:9.18.18-0ubuntu2.1
updates universe 1:9.18.18-0ubuntu2.1
proposed universe 1:9.18.24-0ubuntu0.23.10.1


Changelog

Version: 1:9.18.24-0ubuntu0.23.10.1 2024-04-19 15:07:54 UTC

  bind9 (1:9.18.24-0ubuntu0.23.10.1) mantic; urgency=medium

  * New upstream version 9.18.24 (LP: #2040459)
    - Updates:
      + Mark use of AES as the DNS COOKIE algorithm as deprecated.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
        as deprecated.
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Mark dnssec-must-be-secure option as deprecated.
      + Honor nsupdate -v option for SOA queries by sending both the UPDATE
        request and the initial query over TCP.
      + Reduce memory consumption through dedicated jemalloc memory arenas.
    - Bug fixes:
      + Fix accidental truncation to 32 bit of statistics channel counters.
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale data
        from the cache.
      + Fix assertion failure when lock-file used at the same time as named -X.
      + Fix lockfile removal issue when starting named 3+ times.
      + Fix validation of If-Modified-Since header in statistics channel for
        its length.
      + Add Content-Length header bounds check to avoid integer overflow.
      + Fix memory leaks from OpenSSL error stack.
      + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs UPDATE policies.
      + Fix accidental disable of stale-refresh-time feature on rndc flush.
      + Fix possible DNS message corruption from partial writes in TLS DNS.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
      information.
  * Remove CVE patches fixed upstream:
    - CVE-2023-3341.patch
    - CVE-2023-4236.patch
    [ Fixed in 9.18.19 ]
    - 0001-CVE-2023-4408.patch
    - 0002-CVE-2023-5517.patch
    - 0003-CVE-2023-5679.patch
    - 0004-CVE-2023-50387-CVE-2023-50868.patch
    [ Fixed in 9.18.24 ]
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h.

 -- Lena Voytek <email address hidden> Tue, 09 Apr 2024 14:28:37 -0700

2040459 MRE updates of bind9 for noble
CVE-2023-3341 A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly
CVE-2023-4236 named may terminate unexpectedly under high DNS-over-TLS query load
CVE-2023-4408 The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS
CVE-2023-5517 A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured,
CVE-2023-5679 A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these
CVE-2023-50387 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU
CVE-2023-50868 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of se


