[ubuntu/questing-security] bind9 1:9.20.11-1ubuntu2.2 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Mar 25 16:20:39 UTC 2026
bind9 (1:9.20.11-1ubuntu2.2) questing-security; urgency=medium
* SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during
insecure delegation validation
- debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.
- debian/patches/CVE-2026-1519-2.patch: check iterations in
isdelegation() in lib/dns/validator.c.
- debian/patches/CVE-2026-1519-3.patch: don't verify already trusted
rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.
- debian/patches/CVE-2026-1519-4.patch: combine validator_log and
marksecure in lib/dns/validator.c.
- debian/patches/CVE-2026-1519-5.patch: check RRset trust in
validate_neg_rrset() in lib/dns/validator.c.
- CVE-2026-1519
* SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of
non-existence
- debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.
- debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache
addnoqname/addclosest mechanism in lib/dns/qpcache.c,
lib/dns/rbtdb.c.
- CVE-2026-3104
* SECURITY UPDATE: Authenticated query containing a TKEY record may cause
named to terminate unexpectedly
- debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.
- debian/patches/CVE-2026-3119-2.patch: fix a bug in
dns_tkey_processquery() in lib/dns/tkey.c.
- CVE-2026-3119
* SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code
may enable ACL bypass
- debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.
- debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in
SIG(0) handling in bin/named/server.c.
- CVE-2026-3591
Date: 2026-03-24 16:45:15.632665+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu2.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the Questing-changes
mailing list