Package "bind9"

  bind9 (1:9.20.11-0ubuntu0.2) plucky-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in doc/arm/reference.rst,
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      configure.ac, lib/isc/Makefile.am, lib/isc/hash.c, lib/isc/hashmap.c,
      lib/isc/include/isc/nonce.h, lib/isc/include/isc/random.h,
      lib/isc/random.c, tests/isc/random_test.c.
    - CVE-2025-40780

 -- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 08:32:47 -0400

  bind9 (1:9.20.11-0ubuntu0.1) plucky; urgency=medium

  * New upstream release 9.20.11 (LP: #2112520)
    - Features:
      + Add support for the CO flag to dig.
      + Implement a new notify-defer configuration option.
      + Add support for EDE 20 (Not Authoritative).
      + Add support for EDE 7 and EDE 8.
      + Add support for displaying and receiving BADVERS to dig.
      + Add an rndc command to reset some statistics counters.
      + Implement the min-transfer-rate-in configuration option.
      + Add HTTPS record query to host command line tool.
      + Implement sig0key-checks-limit and sig0message-checks-limit.
      + Add support for EDE code 1 and 2.
      + Add an rndc command to toggle jemalloc profiling.
      + Add support for multiple extended DNS errors.
      + Add Extended DNS Error Code 22
      + No Reachable Authority.
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
    - Updates:
      + Implement the systemd notification protocol manually to remove
        dependency on libsystemd.
      + Return DNS COOKIE and NSID with BADVERS.
      + Print the expiration time of stale records.
      + Use the Server Name Indication (SNI) extension for all outgoing TLS
        connections.
      + Revert performance optimization for NSEC3 lookups introduced in BIND
        9.20.2 to avoid risks associated with a complex code change.
      + Rename parental-agents and primaries to remote-servers internally.
      + Add none parameter to query-source and query-source-v6 to disable IPv4
        or IPv6 upstream queries but allow listening to queries from clients on
        IPv4 or IPv6.
    - Bug Fixes:
      + Correct the default interface-interval from 60s to 60m.
      + Fix a purge-keys bug when using multiple views of a zone.
      + Fix zone refresh after deletion.
      + Fix failure to refresh when named reconfigured during SOA request step.
      + Fix EDNS YAML output in dig.
      + Fix RDATA checks for PRIVATEOID keys.
      + Fix a serve-stale issue with a delegated zone.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Fix nested DNS validation assertion failure.
      + Wait for memory reclamation to finish in named-checkconf.
      + Ensure max-clients-per-query is at least clients-per-query.
      + Fix write after free in validator code.
      + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix DNSSEC timing issues.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix dual-stack-servers configuration option.
      + Fix a data race causing a permanent active client increase.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix “CNAME and other data check” not being applied to all types.
      + Relax private DNSKEY and RRSIG constraints.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix TTL issue with ANY queries processed through RPZ “passthru”.
      + Check for a NULL key in dnssec-signzone when setting offline.
      + Fix a bug in the statistics channel when querying zone transfer
        information.
      + Fix assertion failure when dumping recursing clients.
      + Dump the active resolver fetches from dns_resolver_dumpfetches().
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Fix a bug in dnssec-signzone related to keys being offline.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Preserve cache across reconfig when using attach-cache.
      + Resolve the spurious drops in performance due to glue cache.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix response policy zones and catalog zones with an $INCLUDE statement
        defined.
    - See https://bind9.readthedocs.io/en/v9.20.11/notes.html for additional
      information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-40775.patch
      [Fixed in 9.20.9]
    - d/p/CVE-2025-40777.patch
      [Fixed in 9.20.11]
    - d/p/0003-Revert-Fix-the-glue-table-in-the-QP-and-RBT-zone-dat.patch
    - d/p/0004-Rewrite-the-GLUE-cache-in-QP-zone-database.patch
      [Fixed in 9.20.5]
  * d/bind9.postinst: Perform config check in postinst. (LP: #1492212)
  * d/README.Debian: Update to properly describe the new version.
  * d/control: Switch from pkg-config to pkgconf dependency.

 -- Lena Voytek <email address hidden> Mon, 28 Jul 2025 09:40:43 -0400

  bind9 (1:9.20.4-3ubuntu1.2) plucky-security; urgency=medium

  * SECURITY UPDATE: possible assertion failure when
    'stale-answer-client-timeout' is set to '0'
    - debian/patches/CVE-2025-40777.patch: fix logic in lib/ns/query.c.
    - CVE-2025-40777

 -- Marc Deslauriers <email address hidden> Tue, 15 Jul 2025 07:25:25 -0400

  bind9 (1:9.20.4-3ubuntu1.1) plucky-security; urgency=medium

  * SECURITY UPDATE: message with invalid TSIG causes an assertion failure
    - debian/patches/CVE-2025-40775.patch: properly validate messages in
      lib/dns/include/dns/message.h, lib/dns/include/dns/tsig.h,
      lib/dns/message.c, lib/dns/tsig.c, tests/dns/tsig_test.c.
    - CVE-2025-40775

 -- Marc Deslauriers <email address hidden> Tue, 20 May 2025 07:25:11 -0400