This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.12
---------------
bind-dyndb-ldap (11.9-5ubuntu0.22.04.12) jammy; urgency=medium
* No change rebuild with bind9-libs 1:9.18.39-0ubuntu0.22.04.1
(LP: #2112520)
-- Lena Voytek <[email protected]> Tue, 19 Aug 2025 15:00:48 -0400
--
https://bugs.launchpad.net/bugs/2112520
Title:
Backport upstream microreleases for questing cycle
Status in bind-dyndb-ldap package in Ubuntu:
Fix Released
Status in bind9 package in Ubuntu:
Fix Released
Status in bind-dyndb-ldap source package in Jammy:
Fix Released
Status in bind9 source package in Jammy:
Fix Released
Status in bind-dyndb-ldap source package in Noble:
Fix Released
Status in bind9 source package in Noble:
Fix Released
Status in bind9 source package in Oracular:
Won't Fix
Status in bind9 source package in Plucky:
Fix Released
Status in bind9 source package in Questing:
Fix Released
Bug description:
This bug tracks an update for the bind9 package, moving to versions:
* Plucky (25.04): Bind9 9.20.11
* Noble (24.04): Bind9 9.18.39
* Jammy (22.04): Bind9 9.18.39
These updates include bug fixes following the SRU policy exception
defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.20.5-9.20.11:
CVE fixes (These already existed as patches but are now included as
part of upstream):
CVE-2025-40777
CVE-2025-40775
CVE-2024-12705
CVE-2024-11187
Features:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5319 - Add support for the
CO flag to dig.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5259 - Implement a new
notify-defer configuration option.
https://gitlab.isc.org/isc-projects/bind9/-/issues/1836 - Add support for EDE
20 (Not Authoritative).
https://gitlab.isc.org/isc-projects/bind9/-/issues/2715 - Add support for EDE
7 and EDE 8.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5234 - Add support for
displaying and receiving BADVERS to dig.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5251 - Add an rndc command
to reset some statistics counters.
https://gitlab.isc.org/isc-projects/bind9/-/issues/3914 - Implement the
min-transfer-rate-in configuration option.
Add HTTPS record query to host command line tool.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5050 - Implement
sig0key-checks-limit and sig0message-checks-limit.
https://gitlab.isc.org/isc-projects/bind9/-/issues/2715 - Add support for EDE
code 1 and 2.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4759 - Add an rndc command
to toggle jemalloc profiling.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5085 - Add support for
multiple extended DNS errors.
https://gitlab.isc.org/isc-projects/bind9/-/issues/2268 - Add Extended DNS
Error Code 22 - No Reachable Authority.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4980,
https://gitlab.isc.org/isc-projects/bind9/-/issues/4921 - Add a new option to
configure the maximum number of outgoing queries per client request.
Updates:
Implement the systemd notification protocol manually to remove dependency on
libsystemd.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5235 - Return DNS COOKIE
and NSID with BADVERS.
Print the expiration time of stale records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5099 - Use the Server Name
Indication (SNI) extension for all outgoing TLS connections.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5108 - Revert performance
optimization for NSEC3 lookups introduced in BIND 9.20.2 to avoid risks
associated with a complex code change.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4544 - Rename
parental-agents and primaries to remote-servers internally.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4981 - Add none parameter
to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries
but allow listening to queries from clients on IPv4 or IPv6.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5352 - Use IPv6 queries in
delv +ns.
Bug Fixes:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5246 - Correct the default
interface-interval from 60s to 60m.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5315 - Fix a purge-keys
bug when using multiple views of a zone.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5291 - Fix zone refresh
after deletion.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5307 - Fix failure to
refresh when named reconfigured during SOA request step.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5014 - Fix EDNS YAML
output in dig.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5270 - Fix RDATA checks
for PRIVATEOID keys.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5275 - Fix a serve-stale
issue with a delegated zone.
https://gitlab.isc.org/isc-projects/bind9/-/issues/3949,
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Stop caching lack of
EDNS support.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5193 - Fix resolver
statistics counters for timed-out responses.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5213 - Fix nested DNS
validation assertion failure.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5220 - Wait for memory
reclamation to finish in named-checkconf.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5224 - Ensure
max-clients-per-query is at least clients-per-query.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5239 - Fix write after
free in validator code.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5240 - Don’t enforce
NOAUTH/NOCONF flags in DNSKEYs.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5242 - Fix DNSSEC timing
issues.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5201 - Fix inconsistency
in CNAME/DNAME handling during resolution.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5019 - Fix
dual-stack-servers configuration option.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5053 - Fix a data race
causing a permanent active client increase.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Fix deferred
validation of unsigned DS and DNSKEY records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5146 - Fix RPZ race
condition during a reconfiguration.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5150 - Fix “CNAME and
other data check” not being applied to all types.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5167 - Relax private
DNSKEY and RRSIG constraints.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5185 - Remove
NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
https://gitlab.isc.org/isc-projects/bind9/-/issues/5187 - Fix TTL issue with
ANY queries processed through RPZ “passthru”.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5192 - Check for a NULL
key in dnssec-signzone when setting offline.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5198 - Fix a bug in the
statistics channel when querying zone transfer information.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5200 - Fix assertion
failure when dumping recursing clients.
Dump the active resolver fetches from dns_resolver_dumpfetches().
https://gitlab.isc.org/isc-projects/bind9/-/issues/5094 - Fix recently
expired records sending timestamps in the future.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5098 - Fix YAML string not
terminated in negative response in delv.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5126 - Fix a bug in
dnssec-signzone related to keys being offline.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5127 - Apply the memory
limit only to ADB database items.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5130 - Avoid unnecessary
locking in the zone/cache database.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4910 - Fix nsupdate hang
when processing a large update.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5006 - Fix possible
assertion failure when reloading server while processing update policy rules.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5061 - Preserve cache
across reconfig when using attach-cache.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5064 - Resolve the
spurious drops in performance due to glue cache.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5070 - Fix dnssec-signzone
signing non-DNSKEY RRsets with revoked keys.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5084 - Fix improper
handling of unknown directives in resolv.conf.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5111 - Fix response policy
zones and catalog zones with an $INCLUDE statement defined.
Full release notes available here -
https://bind9.readthedocs.io/en/v9.20.11/notes.html
9.18.31-9.18.39:
CVE fixes (These already existed as patches but are now included as
part of upstream):
CVE-2024-12705
CVE-2024-11187
Features:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5440 - Add support for
parsing the DSYNC record
https://gitlab.isc.org/isc-projects/bind9/-/issues/5319 - Add support for the
CO flag to dig.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4980,
https://gitlab.isc.org/isc-projects/bind9/-/issues/4921 - Add a new option to
configure the maximum number of outgoing queries per client request.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4947 - Add WALLET type.
Updates:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10739 - Add
deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5247 - Make TLS data
processing more reliable in various network conditions.
Print the expiration time of the stale records.
Remove --with-tuning=small/large configuration option.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4896 - Update built-in
bind.keys file with the new 2025 IANA root key.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4865 - Move contributed
DLZ modules into a separate repository.
Emit more helpful log messages for exceeding max-records-per-type.
Harden key management when key files have become unavailable.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4928 - Allow IXFR-to-AXFR
fallback on DNS_R_TOOMANYRECORDS.
Bug Fixes:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5357 - Fix a possible
crash when adding a zone while recursing.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10708 - Clean
enough memory when adding new ADB names/entries under memory pressure.
https://gitlab.isc.org/isc-projects/bind9/-/issues/3014 - Prevent spurious
validation failures.
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10758 - Rescan the
interfaces again when reconfiguring the server.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5246 - Correct the default
interface-interval from 60s to 60m.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5315 - Fix a purge-keys
bug when using multiple views of a zone.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5383 - Fix issue with
unanswered queries with serve-stale enabled.
https://gitlab.isc.org/isc-projects/bind9/-/issues/3949,
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Stop caching lack of
EDNS support.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5193 - Fix resolver
statistics counters for timed-out responses.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5240 - Don’t enforce
NOAUTH/NOCONF flags in DNSKEYs.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5201 - Fix inconsistency
in CNAME/DNAME handling during resolution.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5066 - Fix deferred
validation of unsigned DS and DNSKEY records.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5146 - Fix RPZ race
condition during a reconfiguration.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5150 - Fix “CNAME and
other data check” not being applied to all types.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5185 - Remove
NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
https://gitlab.isc.org/isc-projects/bind9/-/issues/3885 - Fix rndc flushname
for longer name server names.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5094 - Fix recently
expired records sending timestamps in the future.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5098 - Fix YAML string not
terminated in negative response in delv.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5127 - Apply the memory
limit only to ADB database items.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5130 - Avoid unnecessary
locking in the zone/cache database.
Improve the resolver performance under attack.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4910 - Fix nsupdate hang
when processing a large update.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5006 - Fix possible
assertion failure when reloading server while processing update policy rules.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5070 - Fix dnssec-signzone
signing non-DNSKEY RRsets with revoked keys.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5084 - Fix improper
handling of unknown directives in resolv.conf.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4922 - Fix dig parsing of
{&dns}.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4950 - Fix NSEC3 closest
encloser lookup for names with empty non-terminals.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4993 - Fix display of dig
options with format form [+-]option=<value>.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5008 - Provide more
visibility into TLS configuration errors by logging
https://gitlab.isc.org/isc-projects/bind9/-/issues/1793 - Fix a statistics
channel counter bug when “forward only” zones are used.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4850 - Fix wrong address
queries in the static-stub implementation.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4930 - Limit the outgoing
UDP send queue size.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4936 - Do not set
SO_INCOMING_CPU.
Full release notes available here -
https://bind9.readthedocs.io/en/v9.18.39/notes.html
[Test Plan]
DEP-8 Tests:
simpletest - Confirms bind9 daemon starts successfully and dig can
find 127.0.0.1 through the default setup of bind9
zonetest - Added in this update, currently in lunar. Confirms the
functionality of named and bind9 by creating a local DNS zone and
domain, and having dig look it up
dyndb-ldap (noble and earlier) - Verifies functionality of
bind-dyndb-ldap against the updated bind9 package with a basic setup.
This also fails intentionally prior to bind-dyndb-ldap being rebuilt
against the package, as this is a necessary step for bind9 updates.
validation - This test is provided by Debian and consistently fails
both before and after the update due to several issues. It is marked
as flaky, and does not block autopkgtest passing overall
[Regression Potential]
Upstream has an extensive build and integration test suite, so
regressions would likely arise from a change in interaction with
Ubuntu-specific integrations.
Previous Backports:
(LP: #2003586)
(LP: #2028413)
(LP: #2040459)