** Also affects: bind-dyndb-ldap (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: New => Fix Released

** Changed in: bind-dyndb-ldap (Ubuntu Kinetic)
       Status: New => In Progress

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: bind-dyndb-ldap (Ubuntu Focal)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

** Changed in: bind-dyndb-ldap (Ubuntu Kinetic)
     Assignee: (unassigned) => Lena Voytek (lvoytek)

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Kinetic:
  In Progress
Status in bind9 source package in Kinetic:
  In Progress

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.11, major changes include:

  CVE fixes:
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924

  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reuseport option

  Bug Fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3402
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3415
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2506

  Jammy only:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3327
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3380
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3302
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2931
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3242
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3020
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3128
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3145
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3184
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3205
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3244
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3248
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3142
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3200

  This will also fix bugs LP: #1258003, LP: #1970252, and LP: #2006972

  Full release notes for versions 9.18.2-9.18.11:
  https://bind9.readthedocs.io/en/v9_18_11/notes.html#notes-for-bind-9-18-11

  [Test Plan]

  DEP-8 Tests:

  simpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9
  zonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up
  validation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall

  Bug fix tests:

  Test for LP: #1258003 fix:

  # lxc launch images:ubuntu/{kinetic, jammy} test-bind9
  # lxc exec test-bind9 bash
  # apt update && apt dist-upgrade -y
  # apt install dnsutils -y
  # dig google.com +nssearch +tcp

  - Before the update this leads to a crash ending in "Aborted (core dumped)" without showing all addresses, while after the update it shows that there was a communication error with the addresses it did not get a response from and finishes running through all addresses.

  Test for LP: #1970252 fix:

  # lxc launch images:ubuntu/{kinetic, jammy} test-bind9
  # lxc exec test-bind9 bash
  # apt update && apt dist-upgrade -y
  # apt install dnsutils -y
  # dig +nssearch isc.org

  - Before the update this also leads to a crash ending in "Aborted (core dumped)" after failing to get a response from an IPv6 address, while after the update it again shows that there was a communication error with the addresses it did not get a response from.

  Test for LP: #2006972 fix:

  # lxc launch images:ubuntu/jammy test-bind9
  # lxc exec test-bind9 bash
  # apt update && apt dist-upgrade
  # apt install bind9
  # cat <<EOF >/etc/bind/named.conf.options
  options {
          directory "/var/cache/bind";
          dnssec-validation auto;
          listen-on-v6 { any; };
  };
  plugin query "filter-aaaa.so" {
          filter-aaaa-on-v4 yes;
  };
  EOF
  # named-checkconf

  - Before the update this fails since named is looking for filter-aaaa.so in /usr/lib/x86_64-linux-gnu/named instead of the correct location /usr/lib/x86_64-linux-gnu/bind. After the fix named-checkconf succeeds.

  [Regression Potential]

  Upstream has an extensive build and integration test suite, so regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions may arise for users due to behavior changes from the many bug fixes and minor feature updates.