[ubuntu/resolute-proposed] bind9 1:9.20.11-1ubuntu3 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Thu Oct 23 11:34:19 UTC 2025


bind9 (1:9.20.11-1ubuntu3) resolute; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in doc/arm/reference.rst,
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      configure.ac, lib/isc/Makefile.am, lib/isc/hash.c, lib/isc/hashmap.c,
      lib/isc/include/isc/nonce.h, lib/isc/include/isc/random.h,
      lib/isc/random.c, tests/isc/random_test.c.
    - CVE-2025-40780

Date: Tue, 21 Oct 2025 07:57:20 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu3
-------------- next part --------------
Format: 1.8
Date: Tue, 21 Oct 2025 07:57:20 -0400
Source: bind9
Built-For-Profiles: noudeb
Architecture: source
Version: 1:9.20.11-1ubuntu3
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>

