[FFe] Update bind9 to 9.18.1

Bug #1965981 reported by Sergio Durigan Junior
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)
Fix Released
Fix Released

Bug Description

Bind9 released version 9.18.1 recently, and we should have it in Jammy.

This new release is already availble in Debian unstable, and contains a sizeable list of bugfixes. It is the first point release after bind9 9.18.0, and the project has a track record of fixing important bugs in the .1 release.

You can see the release notes for 9.18.1 here: https://bind9.readthedocs.io/en/v9_18_1/notes.html

For more detailed notes: https://gitlab.isc.org/isc-projects/bind9/-/blob/1a4e4c2989ede3f993fc352b6c77929f8c286887/CHANGES

There are 3 items described as Feature Changes:

  * The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent by a client are now included in the client information sent to DLZ modules when processing queries. [GL #3082]

  * DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]

  * The limit on the number of simultaneously processed pipelined DNS queries received over TCP has been removed. Previously, it was capped at 23 queries processed at the same time. [GL #3141]

The last 2 changes seem trivial; the first one seems to aim at a specific scenario and I find it unlikely that it will affect most users.

PPA with the proposed changes: https://launchpad.net/~sergiodj/+archive/ubuntu/bind9-merge/+packages

Tags: server-todo
description: updated
Changed in bind9 (Ubuntu Jammy):
status: Confirmed → New
Changed in bind9 (Ubuntu Jammy):
assignee: Sergio Durigan Junior (sergiodj) → nobody
Revision history for this message
Brian Murray (brian-murray) wrote :

This update seems fine to me, thanks for providing detailed information about the changes.

Changed in bind9 (Ubuntu Jammy):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.3 KiB)

This bug was fixed in the package bind9 - 1:9.18.1-1ubuntu1

bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1965981). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depend
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.
  * Dropped changes:
    - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
      debugging flag from nslookup code (LP: #1961556).
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: cache poisoning via bogus NS records
      + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
        records into the cache in lib/dns/resolver.c.
      + CVE-2021-25220
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: DoS via specially crafted TCP stream
      + debian/patches/CVE-2022-0396.patch: ensure correct ordering in
      + CVE-2022-0396
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
      + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
      + CVE-2022-0635
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: Assertion failure on delayed DS lookup
      + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
      + CVE-2022-0667
      [ Incorporated in 9.18.1. ]
  * Added changes:
    - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
      Fix dig error when trying the next server after a TCP connection
      failure. This upstream patchset also fixes a crash when using
      the "host" com...


Changed in bind9 (Ubuntu Jammy):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.