
freeipa team mailing list archive

[Bug 2040459] Re: MRE updates of bind9 for noble

This bug was fixed in the package bind9 - 1:9.18.24-0ubuntu0.23.10.1

---------------
bind9 (1:9.18.24-0ubuntu0.23.10.1) mantic; urgency=medium

  * New upstream version 9.18.24 (LP: #2040459)
    - Updates:
      + Mark use of AES as the DNS COOKIE algorithm as deprecated.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
        as deprecated.
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Mark dnssec-must-be-secure option as deprecated.
      + Honor nsupdate -v option for SOA queries by sending both the UPDATE
        request and the initial query over TCP.
      + Reduce memory consumption through dedicated jemalloc memory arenas.
    - Bug fixes:
      + Fix accidental truncation to 32 bit of statistics channel counters.
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale data
        from the cache.
      + Fix assertion failure when lock-file used at the same time as named -X.
      + Fix lockfile removal issue when starting named 3+ times.
      + Fix validation of If-Modified-Since header in statistics channel for
        its length.
      + Add Content-Length header bounds check to avoid integer overflow.
      + Fix memory leaks from OpenSSL error stack.
      + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs UPDATE policies.
      + Fix accidental disable of stale-refresh-time feature on rndc flush.
      + Fix possible DNS message corruption from partial writes in TLS DNS.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
      information.
  * Remove CVE patches fixed upstream:
    - CVE-2023-3341.patch
    - CVE-2023-4236.patch
    [ Fixed in 9.18.19 ]
    - 0001-CVE-2023-4408.patch
    - 0002-CVE-2023-5517.patch
    - 0003-CVE-2023-5679.patch
    - 0004-CVE-2023-50387-CVE-2023-50868.patch
    [ Fixed in 9.18.24 ]
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h.

 -- Lena Voytek <lena.voytek@xxxxxxxxxxxxx>  Tue, 09 Apr 2024 14:28:37 -0700

** Changed in: bind9 (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4236

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4408

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-50387

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-50868

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5517

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5679

** Changed in: bind-dyndb-ldap (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040459

Title:
  MRE updates of bind9 for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released
Status in bind-dyndb-ldap source package in Noble:
  Fix Released
Status in bind9 source package in Noble:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Mantic (23.10): bind9 9.18.24
  * Jammy (22.04): bind9 9.18.24

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  Changes from 9.18.18 - 9.18.24 include:

  CVE fixes (These already existed as patches but are now included as part of upstream):
  CVE-2023-3341
  CVE-2023-4236
  CVE-2023-4408
  CVE-2023-5517
  CVE-2023-5679
  CVE-2023-50387
  CVE-2023-50868

  Deprecations:
  Use of AES as the DNS COOKIE algorithm
  resolver-nonbackoff-tries and resolver-retry-interval statements
  dnssec-must-be-secure option

  Updates:
  Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and 2801:1b8:10::b.
  Honor nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP.
  Reduce memory consumption through dedicated jemalloc memory arenas.

  Bug fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4467 - Fix accidental truncation to 32 bit of statistics channel counters.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4350 - Do not schedule unsigned versions of inline-signed zones containing DNSSEC records for resigning.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4355 - Take local authoritative data into account when looking up stale data from the cache.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4386 - Fix assertion failure when lock-file used at the same time as named -X.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4387 - Fix lockfile removal issue when starting named 3+ times.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4124 - Fix validation of If-Modified-Since header in statistics channel for its length.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4125 - Add Content-Length header bounds check to avoid integer overflow.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4159 - Fix memory leaks from OpenSSL error stack.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4280 - Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4278 - Fix accidental disable of stale-refresh-time feature on rndc flush.
  https://gitlab.isc.org/isc-projects/bind9/-/issues/4255 - Fix possible DNS message corruption from partial writes in TLS DNS.

  Full release notes available here -
  https://bind9.readthedocs.io/en/v9.18.24/notes.html

  [Test Plan]

  DEP-8 Tests:

  simpletest - Confirms bind9 daemon starts successfully and dig can
  find 127.0.0.1 through the default setup of bind9

  zonetest - Added in this update, currently in lunar. Confirms the
  functionality of named and bind9 by creating a local DNS zone and
  domain, and having dig look it up

  dyndb-ldap - Verifies functionality of bind-dyndb-ldap against the
  updated bind9 package with a basic setup. This also fails
  intentionally prior to bind-dyndb-ldap being rebuilt against the
  package, as this is a necessary step for bind9 updates.

  validation - This test is provided by Debian and consistently fails
  both before and after the update due to several issues. It is marked
  as flaky, and does not block autopkgtest passing overall

  [Regression Potential]

  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with
  Ubuntu-specific integrations. Alternatively, regressions may arise for
  users due to behavior changes from the many bug fixes and minor
  feature updates.
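A version check a defender might script from the CVE list in this bug, added here as an example and not part of the bug report or of the bind9 package: it splits a dpkg version string into epoch, upstream version and Debian revision, and reports which of the seven CVEs (fixed upstream in 9.18.19 and 9.18.24 according to the changelog above) are newer than the upstream BIND release the package carries. Only the 9.18 mapping given in this changelog is encoded, and, as the description notes, earlier Ubuntu packages shipped these fixes as backported patches, so a lower upstream version flags a package for review rather than proving exposure.

```python
import re
import subprocess
from typing import List, Tuple

# Upstream BIND 9.18 releases in which each CVE was fixed, taken from the
# changelog in this bug ("[ Fixed in 9.18.19 ]" and "[ Fixed in 9.18.24 ]").
CVE_FIXED_IN = {
    "CVE-2023-3341": "9.18.19",
    "CVE-2023-4236": "9.18.19",
    "CVE-2023-4408": "9.18.24",
    "CVE-2023-5517": "9.18.24",
    "CVE-2023-5679": "9.18.24",
    "CVE-2023-50387": "9.18.24",
    "CVE-2023-50868": "9.18.24",
}

def split_debian_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (e.g. 1:9.18.24-0ubuntu0.23.10.1) the
    way dpkg does: epoch defaults to 0, revision is what follows the last '-'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # native package: no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision

def upstream_key(upstream: str) -> Tuple[int, ...]:
    """Comparable tuple for a dotted release such as 9.18.24; each component
    keeps only its leading digits, so '9.18.24+dfsg' still gives (9, 18, 24)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", c)) else 0
                 for c in upstream.split("."))

def unfixed_cves(installed_version: str) -> List[str]:
    """CVEs from this bug whose upstream fix is newer than the upstream BIND
    version embedded in the installed package version, lowest CVE id first."""
    _, upstream, _ = split_debian_version(installed_version)
    have = upstream_key(upstream)
    missing = [cve for cve, fixed in CVE_FIXED_IN.items()
               if upstream_key(fixed) > have]
    return sorted(missing, key=lambda cve: int(cve.rsplit("-", 1)[1]))

if __name__ == "__main__":
    try:  # query the real package database; fall back to the version in this bug
        ver = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "bind9"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        ver = "1:9.18.24-0ubuntu0.23.10.1"  # constructed fallback value
    print(ver, "->", unfixed_cves(ver) or "all listed CVE fixes present")
```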
