[ubuntu/plucky-security] bind9 1:9.20.11-0ubuntu0.2 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Oct 22 16:49:27 UTC 2025
bind9 (1:9.20.11-0ubuntu0.2) plucky-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in doc/arm/reference.rst,
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      configure.ac, lib/isc/Makefile.am, lib/isc/hash.c, lib/isc/hashmap.c,
      lib/isc/include/isc/nonce.h, lib/isc/include/isc/random.h,
      lib/isc/random.c, tests/isc/random_test.c.
    - CVE-2025-40780

bind9 (1:9.20.11-0ubuntu0.1) plucky; urgency=medium

  * New upstream release 9.20.11 (LP: #2112520)
    - Features:
      + Add support for the CO flag to dig.
      + Implement a new notify-defer configuration option.
      + Add support for EDE 20 (Not Authoritative).
      + Add support for EDE 7 and EDE 8.
      + Add support for displaying and receiving BADVERS to dig.
      + Add an rndc command to reset some statistics counters.
      + Implement the min-transfer-rate-in configuration option.
      + Add HTTPS record query to host command line tool.
      + Implement sig0key-checks-limit and sig0message-checks-limit.
      + Add support for EDE code 1 and 2.
      + Add an rndc command to toggle jemalloc profiling.
      + Add support for multiple extended DNS errors.
      + Add Extended DNS Error Code 22 (No Reachable Authority).
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
    - Updates:
      + Implement the systemd notification protocol manually to remove
        dependency on libsystemd.
      + Return DNS COOKIE and NSID with BADVERS.
      + Print the expiration time of stale records.
      + Use the Server Name Indication (SNI) extension for all outgoing TLS
        connections.
      + Revert performance optimization for NSEC3 lookups introduced in BIND
        9.20.2 to avoid risks associated with a complex code change.
      + Rename parental-agents and primaries to remote-servers internally.
      + Add none parameter to query-source and query-source-v6 to disable IPv4
        or IPv6 upstream queries but allow listening to queries from clients on
        IPv4 or IPv6.
    - Bug Fixes:
      + Correct the default interface-interval from 60s to 60m.
      + Fix a purge-keys bug when using multiple views of a zone.
      + Fix zone refresh after deletion.
      + Fix failure to refresh when named reconfigured during SOA request step.
      + Fix EDNS YAML output in dig.
      + Fix RDATA checks for PRIVATEOID keys.
      + Fix a serve-stale issue with a delegated zone.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Fix nested DNS validation assertion failure.
      + Wait for memory reclamation to finish in named-checkconf.
      + Ensure max-clients-per-query is at least clients-per-query.
      + Fix write after free in validator code.
      + Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix DNSSEC timing issues.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix dual-stack-servers configuration option.
      + Fix a data race causing a permanent active client increase.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix "CNAME and other data check" not being applied to all types.
      + Relax private DNSKEY and RRSIG constraints.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix TTL issue with ANY queries processed through RPZ "passthru".
      + Check for a NULL key in dnssec-signzone when setting offline.
      + Fix a bug in the statistics channel when querying zone transfer
        information.
      + Fix assertion failure when dumping recursing clients.
      + Dump the active resolver fetches from dns_resolver_dumpfetches().
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Fix a bug in dnssec-signzone related to keys being offline.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Preserve cache across reconfig when using attach-cache.
      + Resolve the spurious drops in performance due to glue cache.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix response policy zones and catalog zones with an $INCLUDE statement
        defined.
    - See https://bind9.readthedocs.io/en/v9.20.11/notes.html for additional
      information.
  * Remove patches fixed upstream:
    - d/p/CVE-2025-40775.patch
      [Fixed in 9.20.9]
    - d/p/CVE-2025-40777.patch
      [Fixed in 9.20.11]
    - d/p/0003-Revert-Fix-the-glue-table-in-the-QP-and-RBT-zone-dat.patch
    - d/p/0004-Rewrite-the-GLUE-cache-in-QP-zone-database.patch
      [Fixed in 9.20.5]
  * d/bind9.postinst: Perform config check in postinst. (LP: #1492212)
  * d/README.Debian: Update to properly describe the new version.
  * d/control: Switch from pkg-config to pkgconf dependency.
Date: 2025-10-21 14:08:13.105970+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-0ubuntu0.2