[ubuntu/resolute-proposed] bind9 1:9.20.18-1ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Fri Mar 27 16:05:30 UTC 2026
bind9 (1:9.20.18-1ubuntu2) resolute; urgency=medium

  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during
    insecure delegation validation
    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.
    - debian/patches/CVE-2026-1519-2.patch: check iterations in
      isdelegation() in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted
      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-4.patch: combine validator_log and
      marksecure in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-5.patch: check RRset trust in
      validate_neg_rrset() in lib/dns/validator.c.
    - CVE-2026-1519
  * SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of
    non-existence
    - debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache
      addnoqname/addclosest mechanism in lib/dns/qpcache.c,
      lib/dns/rbtdb.c.
    - CVE-2026-3104
  * SECURITY UPDATE: Authenticated query containing a TKEY record may cause
    named to terminate unexpectedly
    - debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3119-2.patch: fix a bug in
      dns_tkey_processquery() in lib/dns/tkey.c.
    - CVE-2026-3119
  * SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code
    may enable ACL bypass
    - debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in
      SIG(0) handling in bin/named/server.c.
    - CVE-2026-3591

Date: Fri, 27 Mar 2026 11:00:11 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.20.18-1ubuntu2
-------------- next part --------------
Format: 1.8
Date: Fri, 27 Mar 2026 11:00:11 -0400
Source: bind9
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 1:9.20.18-1ubuntu2
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>