[ubuntu/questing-security] bind9 1:9.20.11-1ubuntu2.1 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Oct 22 16:49:26 UTC 2025
bind9 (1:9.20.11-1ubuntu2.1) questing-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in doc/arm/reference.rst,
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      configure.ac, lib/isc/Makefile.am, lib/isc/hash.c, lib/isc/hashmap.c,
      lib/isc/include/isc/nonce.h, lib/isc/include/isc/random.h,
      lib/isc/random.c, tests/isc/random_test.c.
    - CVE-2025-40780

Date: 2025-10-21 14:09:13.796770+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu2.1