2023-07-22 02:20:12 |
Bryce Harrington |
bug |
|
|
added bug |
2023-07-22 02:20:14 |
Bryce Harrington |
bind9 (Ubuntu): milestone |
|
ubuntu-23.08 |
|
2023-07-22 02:20:15 |
Bryce Harrington |
nominated for series |
|
Ubuntu Focal |
|
2023-07-22 02:20:16 |
Bryce Harrington |
bug task added |
|
bind9 (Ubuntu Focal) |
|
2023-07-22 02:20:16 |
Bryce Harrington |
nominated for series |
|
Ubuntu Jammy |
|
2023-07-22 02:20:17 |
Bryce Harrington |
bug task added |
|
bind9 (Ubuntu Jammy) |
|
2023-07-22 02:20:18 |
Bryce Harrington |
nominated for series |
|
Ubuntu Lunar |
|
2023-07-22 02:20:19 |
Bryce Harrington |
bug task added |
|
bind9 (Ubuntu Lunar) |
|
2023-07-22 02:20:21 |
Bryce Harrington |
bug |
|
|
added subscriber Canonical Server |
2023-08-02 15:07:06 |
Lena Voytek |
bind9 (Ubuntu Focal): assignee |
|
Lena Voytek (lvoytek) |
|
2023-08-02 15:07:07 |
Lena Voytek |
bind9 (Ubuntu Jammy): assignee |
|
Lena Voytek (lvoytek) |
|
2023-08-02 15:07:11 |
Lena Voytek |
bind9 (Ubuntu Lunar): assignee |
|
Lena Voytek (lvoytek) |
|
2023-08-02 15:07:17 |
Lena Voytek |
bind9 (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2023-08-06 16:26:50 |
Launchpad Janitor |
bind9 (Ubuntu): status |
New |
Confirmed |
|
2023-08-06 16:26:50 |
Launchpad Janitor |
bind9 (Ubuntu Focal): status |
New |
Confirmed |
|
2023-08-06 16:26:50 |
Launchpad Janitor |
bind9 (Ubuntu Jammy): status |
New |
Confirmed |
|
2023-08-06 16:26:50 |
Launchpad Janitor |
bind9 (Ubuntu Lunar): status |
New |
Confirmed |
|
2023-09-01 21:44:23 |
Lena Voytek |
bind9 (Ubuntu): milestone |
ubuntu-23.08 |
ubuntu-23.09 |
|
2023-09-01 21:44:34 |
Lena Voytek |
bind9 (Ubuntu Lunar): status |
Confirmed |
In Progress |
|
2023-09-05 19:43:39 |
Lena Voytek |
description |
Backport bind9 as MRE to focal, jammy and lunar once the update for mantic has been completed.
<List exact versions being upgraded from and to for each release>
[Impact]
TBD
<List bug links to former cases of MREs for this package>
[Major Changes]
TBD
[Test Plan]
<Link to wiki SRU page>TBD
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.
<Also, ...>
|
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
TODO: List updates, CVE fixes, and relevant bug fixes
TODO: Add a link to the upstream changelog
TODO: Specifically note any backwards-incompatible changes noted by upstream and their announcements/release notes.
[Test Plan]
TODO: Check DEP-8 and reverse-depends DEP-8 tests pass
TODO: if there are any non passing tests - explain why that is ok in this case
TODO: add results of an autopkgtest run against all the new versions
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.
TODO: consider any other regression potential specific to the version being updated and list if any. |
|
2023-09-05 19:43:43 |
Lena Voytek |
bind9 (Ubuntu): status |
Confirmed |
In Progress |
|
2023-09-19 15:31:16 |
Lena Voytek |
bind9 (Ubuntu): status |
In Progress |
Fix Released |
|
2023-09-19 15:56:17 |
Lena Voytek |
bind9 (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
2023-09-19 16:26:10 |
Lena Voytek |
description |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
TODO: List updates, CVE fixes, and relevant bug fixes
TODO: Add a link to the upstream changelog
TODO: Specifically note any backwards-incompatible changes noted by upstream and their announcements/release notes.
[Test Plan]
TODO: Check DEP-8 and reverse-depends DEP-8 tests pass
TODO: if there are any non passing tests - explain why that is ok in this case
TODO: add results of an autopkgtest run against all the new versions
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.
TODO: consider any other regression potential specific to the version being updated and list if any. |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
TODO: Check DEP-8 and reverse-depends DEP-8 tests pass
TODO: if there are any non passing tests - explain why that is ok in this case
TODO: add results of an autopkgtest run against all the new versions
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.
TODO: consider any other regression potential specific to the version being updated and list if any. |
|
2023-09-19 17:32:27 |
Lena Voytek |
bug task added |
|
bind-dyndb-ldap (Ubuntu) |
|
2023-09-19 17:32:35 |
Lena Voytek |
bind-dyndb-ldap (Ubuntu Jammy): status |
New |
In Progress |
|
2023-09-19 17:32:38 |
Lena Voytek |
bind-dyndb-ldap (Ubuntu Lunar): status |
New |
In Progress |
|
2023-09-19 17:32:41 |
Lena Voytek |
bind-dyndb-ldap (Ubuntu): status |
New |
Fix Released |
|
2023-09-19 17:32:56 |
Lena Voytek |
bind-dyndb-ldap (Ubuntu Focal): status |
New |
Triaged |
|
2023-09-19 17:32:59 |
Lena Voytek |
bind9 (Ubuntu Focal): status |
Confirmed |
Triaged |
|
2023-09-19 20:05:49 |
Lena Voytek |
description |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
TODO: Check DEP-8 and reverse-depends DEP-8 tests pass
TODO: if there are any non passing tests - explain why that is ok in this case
TODO: add results of an autopkgtest run against all the new versions
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.
TODO: consider any other regression potential specific to the version being updated and list if any. |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
|
2023-09-19 20:08:53 |
Lena Voytek |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451681 |
|
2023-09-19 20:13:01 |
Lena Voytek |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451683 |
|
2023-09-19 20:16:45 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451685 |
|
2023-09-19 20:18:28 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451686 |
|
2023-09-21 18:27:45 |
Lena Voytek |
description |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
dyndb-ldap PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
|
2023-09-22 16:26:19 |
Andreas Hasenack |
description |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
dyndb-ldap PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
dyndb-ldap PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Other Information]
Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order:
- first src:bind9 must be accepted
- once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version.
- it is expected that until both packages are in proposed, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
|
2023-09-22 16:26:52 |
Andreas Hasenack |
description |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
dyndb-ldap PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Other Information]
Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order:
- first src:bind9 must be accepted
- once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version.
- it is expected that until both packages are in proposed, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43
These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:
Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.
CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911
For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18
While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS
dyndb-ldap PASS
validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.
[Other Information]
Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order:
- first src:bind9 must be accepted
- once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version.
- it is expected that until both packages are in proposed and built in the correct order, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync.
[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. |
|
2023-09-22 17:37:42 |
Tamas Papp |
bug |
|
|
added subscriber Tamas Papp |
2023-09-22 21:43:11 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Andreas Hasenack |
2023-09-29 20:33:00 |
Steve Langasek |
bind9 (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-09-29 20:33:02 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-09-29 20:33:13 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2023-09-29 20:33:21 |
Steve Langasek |
tags |
needs-mre-backport |
needs-mre-backport verification-needed verification-needed-jammy |
|
2023-09-29 20:35:00 |
Steve Langasek |
bind9 (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-09-29 20:35:06 |
Steve Langasek |
tags |
needs-mre-backport verification-needed verification-needed-jammy |
needs-mre-backport verification-needed verification-needed-jammy verification-needed-lunar |
|
2023-09-30 06:49:40 |
Steve Langasek |
bind-dyndb-ldap (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-09-30 06:50:29 |
Steve Langasek |
bind-dyndb-ldap (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-10-02 14:57:02 |
Lena Voytek |
tags |
needs-mre-backport verification-needed verification-needed-jammy verification-needed-lunar |
needs-mre-backport verification-done verification-done-jammy verification-done-lunar |
|
2023-10-25 06:30:42 |
Bryce Harrington |
bind-dyndb-ldap (Ubuntu): milestone |
|
mantic-updates |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
bind9 (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-2828 |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-2911 |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-3341 |
|
2023-10-26 14:41:43 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-10-26 14:41:57 |
Launchpad Janitor |
bind-dyndb-ldap (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-10-26 14:44:21 |
Launchpad Janitor |
bind-dyndb-ldap (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-10-26 14:44:29 |
Launchpad Janitor |
bind9 (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2024-02-28 14:51:41 |
Marc Deslauriers |
bind-dyndb-ldap (Ubuntu Focal): status |
Triaged |
Fix Released |
|
2024-02-28 14:51:46 |
Marc Deslauriers |
bind9 (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2024-02-28 14:51:51 |
Marc Deslauriers |
bind-dyndb-ldap (Ubuntu Focal): status |
Fix Released |
Won't Fix |
|