** Description changed:

  This bug tracks an update for the bind9 package, moving to versions:
  
- * Plucky (25.04): Bind9 9.20.10
- * Oracular (24.10): Bind9 9.20.10
- * Noble (24.04): Bind9 9.18.37
- * Jammy (22.04): Bind9 9.18.37
+ * Plucky (25.04): Bind9 9.20.11
+ * Noble (24.04): Bind9 9.18.38
+ * Jammy (22.04): Bind9 9.18.38
  
  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.
  
  [Upstream changes]
  
- 9.20.5-9.20.10:
+ 9.20.5-9.20.11:
  
  CVE fixes (These already existed as patches but are now included as part
  of upstream):
  
+ CVE-2025-40777
  CVE-2025-40775
  CVE-2024-12705
  CVE-2024-11187
  
  Features:
  
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5319 - Add support for the 
CO flag to dig.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5259 - Implement a new 
notify-defer configuration option.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/1836 - Add support for EDE 
20 (Not Authoritative).
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2715 - Add support for EDE 
7 and EDE 8.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5234 - Add support for 
displaying and receiving BADVERS to dig.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5251 - Add an rndc command 
to reset some statistics counters.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3914 - Implement the 
min-transfer-rate-in configuration option.
  Add HTTPS record query to host command line tool.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5050 - Implement 
sig0key-checks-limit and sig0message-checks-limit.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2715 - Add support for EDE 
code 1 and 2.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4759 - Add an rndc command 
to toggle jemalloc profiling.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5085 - Add support for 
multiple extended DNS errors.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2268 - Add Extended DNS 
Error Code 22 - No Reachable Authority.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4980, 
https://gitlab.isc.org/isc-projects/bind9/-/issues/4921 - Add a new option to 
configure the maximum number of outgoing queries per client request.
  
  Updates:
  
  Implement the systemd notification protocol manually to remove dependency on 
libsystemd.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5235 - Return DNS COOKIE 
and NSID with BADVERS.
  Print the expiration time of stale records.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5099 - Use the Server Name 
Indication (SNI) extension for all outgoing TLS connections.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5108 - Revert performance 
optimization for NSEC3 lookups introduced in BIND 9.20.2 to avoid risks 
associated with a complex code change.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4544 - Rename 
parental-agents and primaries to remote-servers internally.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4981 - Add none parameter 
to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries 
but allow listening to queries from clients on IPv4 or IPv6.
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5352 - Use IPv6 queries in 
delv +ns.
  
  Bug Fixes:
  
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5246 - Correct the default 
interface-interval from 60s to 60m.
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5315 - Fix a purge-keys 
bug when using multiple views of a zone.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5291 - Fix zone refresh 
after deletion.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5307 - Fix failure to 
refresh when named reconfigured during SOA request step.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5014 - Fix EDNS YAML 
output in dig.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5270 - Fix RDATA checks 
for PRIVATEOID keys.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5275 - Fix a serve-stale 
issue with a delegated zone.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3949, 
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Stop caching lack of 
EDNS support.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5193 - Fix resolver 
statistics counters for timed-out responses.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5213 - Fix nested DNS 
validation assertion failure.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5220 - Wait for memory 
reclamation to finish in named-checkconf.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5224 - Ensure 
max-clients-per-query is at least clients-per-query.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5239 - Fix write after 
free in validator code.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5240 - Don’t enforce 
NOAUTH/NOCONF flags in DNSKEYs.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5242 - Fix DNSSEC timing 
issues.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5201 - Fix inconsistency 
in CNAME/DNAME handling during resolution.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5019 - Fix 
dual-stack-servers configuration option.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5053 - Fix a data race 
causing a permanent active client increase.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Fix deferred 
validation of unsigned DS and DNSKEY records.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5146 - Fix RPZ race 
condition during a reconfiguration.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5150 - Fix “CNAME and 
other data check” not being applied to all types.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5167 - Relax private 
DNSKEY and RRSIG constraints.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5185 - Remove 
NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5187 - Fix TTL issue with 
ANY queries processed through RPZ “passthru”.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5192 - Check for a NULL 
key in dnssec-signzone when setting offline.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5198 - Fix a bug in the 
statistics channel when querying zone transfer information.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5200 - Fix assertion 
failure when dumping recursing clients.
  Dump the active resolver fetches from dns_resolver_dumpfetches().
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5094 - Fix recently 
expired records sending timestamps in the future.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5098 - Fix YAML string not 
terminated in negative response in delv.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5126 - Fix a bug in 
dnssec-signzone related to keys being offline.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5127 - Apply the memory 
limit only to ADB database items.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5130 - Avoid unnecessary 
locking in the zone/cache database.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4910 - Fix nsupdate hang 
when processing a large update.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5006 - Fix possible 
assertion failure when reloading server while processing update policy rules.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5061 - Preserve cache 
across reconfig when using attach-cache.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5064 - Resolve the 
spurious drops in performance due to glue cache.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5070 - Fix dnssec-signzone 
signing non-DNSKEY RRsets with revoked keys.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5084 - Fix improper 
handling of unknown directives in resolv.conf.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5111 - Fix response policy 
zones and catalog zones with an $INCLUDE statement defined.
  
  Full release notes available here -
- https://bind9.readthedocs.io/en/v9.20.10/notes.html
+ https://bind9.readthedocs.io/en/v9.20.11/notes.html
  
- 9.18.31-9.18.37:
+ 9.18.31-9.18.38:
  
  CVE fixes (These already existed as patches but are now included as part
  of upstream):
  
  CVE-2024-12705
  CVE-2024-11187
  
  Features:
  
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5319 - Add support for the 
CO flag to dig.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4980, 
https://gitlab.isc.org/isc-projects/bind9/-/issues/4921 - Add a new option to 
configure the maximum number of outgoing queries per client request.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4947 - Add WALLET type.
  
  Updates:
  
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5247 - Make TLS data 
processing more reliable in various network conditions.
  Print the expiration time of the stale records.
  Remove –with-tuning=small/large configuration option.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4896 - Update built-in 
bind.keys file with the new 2025 IANA root key.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4865 - Move contributed 
DLZ modules into a separate repository.
  Emit more helpful log messages for exceeding max-records-per-type.
  Harden key management when key files have become unavailable.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4928 - Allow IXFR-to-AXFR 
fallback on DNS_R_TOOMANYRECORDS.
  
- 
  Bug Fixes:
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5246 - Correct the default 
interface-interval from 60s to 60m.
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5315 - Fix a purge-keys 
bug when using multiple views of a zone.
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5383 - Fix issue with 
unanswered queries with serve-stale enabled.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3949, 
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Stop caching lack of 
EDNS support.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5193 - Fix resolver 
statistics counters for timed-out responses.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5240 - Don’t enforce 
NOAUTH/NOCONF flags in DNSKEYs.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5201 - Fix inconsistency 
in CNAME/DNAME handling during resolution.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Fix deferred 
validation of unsigned DS and DNSKEY records.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5146 - Fix RPZ race 
condition during a reconfiguration.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5150 - Fix “CNAME and 
other data check” not being applied to all types.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5185 - Remove 
NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3885 - Fix rndc flushname 
for longer name server names.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5094 - Fix recently 
expired records sending timestamps in the future.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5098 - Fix YAML string not 
terminated in negative response in delv.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5127 - Apply the memory 
limit only to ADB database items.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5130 - Avoid unnecessary 
locking in the zone/cache database.
  Improve the resolver performance under attack.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4910 - Fix nsupdate hang 
when processing a large update.
- https://gitlab.isc.org/isc-projects/bind9/-/issues/5006 - Fix possible 
assertion failure when reloading server while processing update policy rules. 
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5006 - Fix possible 
assertion failure when reloading server while processing update policy rules.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5070 - Fix dnssec-signzone 
signing non-DNSKEY RRsets with revoked keys.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/5084 - Fix improper 
handling of unknown directives in resolv.conf.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4922 - Fix dig parsing of 
{&dns}.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4950 - Fix NSEC3 closest 
encloser lookup for names with empty non-terminals.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4993 - Fix display of dig 
options with format form [+-]option=<value>.
- https://gitlab.isc.org/isc-projects/bind9/-/issues/5008 - Provide more 
visibility into TLS configuration errors by logging 
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5008 - Provide more 
visibility into TLS configuration errors by logging
  https://gitlab.isc.org/isc-projects/bind9/-/issues/1793 - Fix a statistics 
channel counter bug when “forward only” zones are used.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4850 - Fix wrong address 
queries in the static-stub implementation.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4930 - Limit the outgoing 
UDP send queue size.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4936 - Do not set 
SO_INCOMING_CPU.
  
  Full release notes available here -
- https://bind9.readthedocs.io/en/v9.18.37/notes.html
+ https://bind9.readthedocs.io/en/v9.18.38/notes.html
  
  [Test Plan]
  
  DEP-8 Tests:
  
  simpletest - Confirms bind9 daemon starts successfully and dig can find
  127.0.0.1 through the default setup of bind9
  
  zonetest - Added in this update, currently in lunar. Confirms the
  functionality of named and bind9 by creating a local DNS zone and
  domain, and having dig look it up
  
  dyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb-
  ldap against the updated bind9 package with a basic setup. This also
  fails intentionally prior to bind-dyndb-ldap being rebuilt against the
  package, as this is a necessary step for bind9 updates.
  
  validation - This test is provided by Debian and consistently fails both
  before and after the update due to several issues. It is marked as
  flaky, and does not block autopkgtest passing overall
  
  [Regression Potential]
  
  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with Ubuntu-
  specific integrations.
  
  Previous Backports:
  
  (LP: #2003586)
  (LP: #2028413)
  (LP: #2040459)
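
Review bot: In the 9.18.38 "Bug Fixes:" list, the entry for issue 5008 still ends mid-sentence at "by logging". The change only strips the trailing space, so the rest of that item should be filled in from the upstream release notes. In the same section the blank line after "Bug Fixes:" was removed, so the added entries run straight on from the heading, unlike the 9.20 "Bug Fixes:" heading, which keeps a blank line before its list; consider restoring it. The release list at the top drops Oracular without a word in the description saying why, and the [Test Plan] still describes zonetest as "currently in lunar"; both are worth a short clarification while the text is being revised.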

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2112520

Title:
  Backport upstream microreleases for questing cycle
