bind9 - Debian Package Tracker

general

source: bind9 (main)
version: 1:9.20.10-1
maintainer: Debian DNS Team (DMD)
uploaders: Bernhard Schmidt [DMD] – Ondřej Surý [DMD]
arch: all any
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:9.11.5.P4+dfsg-5.1+deb10u7
o-o-sec: 1:9.11.5.P4+dfsg-5.1+deb10u11
oldstable: 1:9.16.50-1~deb11u2
old-sec: 1:9.16.50-1~deb11u3
old-bpo: 1:9.18.24-1~bpo11+1
old-p-u: 1:9.16.50-1~deb11u2
stable: 1:9.18.33-1~deb12u2
stable-sec: 1:9.18.33-1~deb12u2
testing: 1:9.20.9-1
unstable: 1:9.20.10-1
exp: 1:9.21.9-1

versioned links

1:9.11.5.P4+dfsg-5.1+deb10u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.11.5.P4+dfsg-5.1+deb10u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.16.50-1~deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.16.50-1~deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.18.24-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.18.33-1~deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.20.4-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.20.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.20.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.21.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:9.21.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

bind9 (13 bugs: 1, 7, 5, 0)
bind9-dev
bind9-dnsutils
bind9-doc (3 bugs: 0, 2, 1, 0)
bind9-host (1 bugs: 0, 1, 0, 0)
bind9-libs (1 bugs: 0, 0, 1, 0)
bind9-utils

action needed

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2023-04-21 Last update: 2025-07-17 16:02

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-40777: If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.

Created: 2025-07-16 Last update: 2025-07-17 15:03

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2025-40777: If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.

1 ignored issue:

CVE-2022-2881: The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.

Created: 2025-07-16 Last update: 2025-07-17 15:03

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-40777: If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.

Created: 2025-07-16 Last update: 2025-07-17 15:03

2 security issues in buster high

There are 2 open security issues in buster.

1 important issue:

CVE-2023-4408: The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

1 ignored issue:

CVE-2022-3094: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

Created: 2024-02-13 Last update: 2024-06-29 13:15

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-19 08:30

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

dnsutils could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2025-07-19 07:03

Depends on packages which need a new maintainer normal

The packages that bind9 depends on which need a new maintainer are:

db-defaults (#1055344)
- Build-Depends: libdb-dev

Created: 2023-11-04 Last update: 2025-07-19 07:02

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-07-17 Last update: 2025-07-17 06:00

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 1:9.20.11-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-07-17 11:34

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2022-01-27 Last update: 2022-01-27 08:02

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-03-24 Last update: 2020-03-24 06:20

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-06-20 09:53

testing migrations

This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for bind9 (1:9.20.9-1 to 1:9.20.11-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
- Issues preventing migration:
- ∙ ∙ blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock)
- ∙ ∙ Too young, only 2 of 20 days old
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/b/bind9.html
- ∙ ∙ autopkgtest for bind9/1:9.20.11-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- Not considered

news

[rss feed]

[2025-07-17] Accepted bind9 1:9.21.10-4 (source) into experimental (Ondřej Surý)
[2025-07-17] Accepted bind9 1:9.21.10-2 (source) into experimental (Ondřej Surý)
[2025-07-16] Accepted bind9 1:9.21.10-1 (source) into experimental (Ondřej Surý)
[2025-07-16] Accepted bind9 1:9.20.11-1 (source) into unstable (Ondřej Surý)
[2025-06-20] Accepted bind9 1:9.21.9-1 (source) into experimental (Ondřej Surý)
[2025-06-20] Accepted bind9 1:9.20.10-1 (source) into unstable (Ondřej Surý)
[2025-05-28] Accepted bind9 1:9.20.9-2 (source) into unstable (Ondřej Surý)
[2025-05-26] bind9 1:9.20.9-1 MIGRATED to testing (Debian testing watch)
[2025-05-21] Accepted bind9 1:9.20.9-1 (source) into unstable (Ondřej Surý)
[2025-04-29] bind9 1:9.20.8-6 MIGRATED to testing (Debian testing watch)
[2025-04-18] Accepted bind9 1:9.20.8-6 (source) into unstable (Ondřej Surý)
[2025-04-17] Accepted bind9 1:9.20.8-5 (source) into unstable (Ondřej Surý)
[2025-04-17] Accepted bind9 1:9.20.8-4 (source) into unstable (Ondřej Surý)
[2025-04-17] Accepted bind9 1:9.20.8-3 (source) into unstable (Ondřej Surý)
[2025-04-17] Accepted bind9 1:9.20.8-2 (source) into unstable (Ondřej Surý)
[2025-04-16] Accepted bind9 1:9.21.7-1 (source) into experimental (Ondřej Surý)
[2025-04-16] Accepted bind9 1:9.20.8-1 (source) into unstable (Ondřej Surý)
[2025-03-22] bind9 1:9.20.7-1 MIGRATED to testing (Debian testing watch)
[2025-03-19] Accepted bind9 1:9.21.6-1 (source) into experimental (Ondřej Surý)
[2025-03-19] Accepted bind9 1:9.20.7-1 (source) into unstable (Ondřej Surý)
[2025-03-17] bind9 1:9.20.5-1 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted bind9 1:9.16.50-1~deb11u3 (source) into oldstable-security (Paride Legovini)
[2025-01-30] Accepted bind9 1:9.20.5-1 (source) into unstable (Ondřej Surý)
[2025-01-30] Accepted bind9 1:9.18.33-1~deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Ondřej Surý)
[2025-01-29] Accepted bind9 1:9.18.33-1~deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Ondřej Surý)
[2025-01-28] bind9 1:9.20.4-4 MIGRATED to testing (Debian testing watch)
[2025-01-21] Accepted bind9 1:9.20.4-4 (source) into unstable (Ondřej Surý)
[2024-12-25] bind9 1:9.20.4-3 MIGRATED to testing (Debian testing watch)
[2024-12-19] Accepted bind9 1:9.20.4-3 (source) into unstable (Ondřej Surý)
[2024-12-17] bind9 1:9.20.4-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 19 20
RC: 1
I&N: 9 10
M&W: 9
F&P: 0
patch: 2

links

homepage
lintian (0, 5)
buildd: logs, exp, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, -)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:9.20.10-1ubuntu1
67 bugs (4 patches)
patches for 1:9.20.10-1ubuntu1