Merge ~ahasenack/ubuntu/+source/bind9:disco-bind9-9.11.5p1-merge into ubuntu/+source/bind9:debian/sid
- Git
- lp:~ahasenack/ubuntu/+source/bind9
- disco-bind9-9.11.5p1-merge
- Merge into debian/sid
Status: | Merged | ||||||||
---|---|---|---|---|---|---|---|---|---|
Approved by: | Christian Ehrhardt | ||||||||
Approved revision: | f02ecb4bb174fbbff04a30d965b64aa78c57d611 | ||||||||
Merge reported by: | Andreas Hasenack | ||||||||
Merged at revision: | f02ecb4bb174fbbff04a30d965b64aa78c57d611 | ||||||||
Proposed branch: | ~ahasenack/ubuntu/+source/bind9:disco-bind9-9.11.5p1-merge | ||||||||
Merge into: | ubuntu/+source/bind9:debian/sid | ||||||||
Diff against target: |
778 lines (+492/-83) 10 files modified
debian/bind9.install (+0/-2) debian/changelog (+420/-0) debian/control (+2/-5) debian/dnsutils.install (+0/-2) debian/libdns1104.symbols (+0/-66) debian/patches/enable-udp-in-host-command.diff (+26/-0) debian/patches/fix-shutdown-race.diff (+41/-0) debian/patches/series (+2/-0) debian/rules (+1/-4) debian/tests/simpletest (+0/-4) |
||||||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+361928@code.launchpad.net |
Commit message
Description of the change
Merge from debian's 9.11.5P1, which was just an upstream version bump with no further changes. Same here. The patches we added recently and became part of our delta are committed upstream in bind, but didn't make into the 9.11.5P1 cut (I checked their git repo).
Bileto ticket, ppa (still building/running as I write this, I will check its status tomorrow):
Andreas Hasenack (ahasenack) wrote : | # |
Christian Ehrhardt (paelzer) wrote : | # |
I now looked at it quite a while, but can't find anything.
Ack it as the straight forward merge carrying all as-is that it is.
The tests OTOH draw a different picture, mostly dependency issues in libdns and libbind.
I wonder if those are 2nd grade issues of libreadline which we see so often recently or a real issue.
I know that you will retrigger these tests with all_proposed to check if they are succeeding, under that condition ack to the MP.
Andreas Hasenack (ahasenack) wrote : | # |
DEP8 is green after the all-proposed dep8 re-run. Tagging and uploading.
Andreas Hasenack (ahasenack) wrote : | # |
Tagged and uploaded.
Andreas Hasenack (ahasenack) wrote : | # |
bind9 migrated, setting MP to merged:
bind9 | 1:9.11.
Preview Diff
1 | diff --git a/debian/bind9.install b/debian/bind9.install | |||
2 | index 26d595e..fd7f0f5 100644 | |||
3 | --- a/debian/bind9.install | |||
4 | +++ b/debian/bind9.install | |||
5 | @@ -16,7 +16,6 @@ usr/sbin/genrandom | |||
6 | 16 | usr/sbin/isc-hmac-fixup | 16 | usr/sbin/isc-hmac-fixup |
7 | 17 | usr/sbin/named | 17 | usr/sbin/named |
8 | 18 | usr/sbin/named-journalprint | 18 | usr/sbin/named-journalprint |
9 | 19 | usr/sbin/named-nzd2nzf | ||
10 | 20 | usr/sbin/named-pkcs11 | 19 | usr/sbin/named-pkcs11 |
11 | 21 | usr/sbin/nsec3hash | 20 | usr/sbin/nsec3hash |
12 | 22 | usr/sbin/tsig-keygen | 21 | usr/sbin/tsig-keygen |
13 | @@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8 | |||
14 | 32 | usr/share/man/man8/genrandom.8 | 31 | usr/share/man/man8/genrandom.8 |
15 | 33 | usr/share/man/man8/isc-hmac-fixup.8 | 32 | usr/share/man/man8/isc-hmac-fixup.8 |
16 | 34 | usr/share/man/man8/named-journalprint.8 | 33 | usr/share/man/man8/named-journalprint.8 |
17 | 35 | usr/share/man/man8/named-nzd2nzf.8 | ||
18 | 36 | usr/share/man/man8/named.8 | 34 | usr/share/man/man8/named.8 |
19 | 37 | usr/share/man/man8/nsec3hash.8 | 35 | usr/share/man/man8/nsec3hash.8 |
20 | 38 | usr/share/man/man8/tsig-keygen.8 | 36 | usr/share/man/man8/tsig-keygen.8 |
21 | diff --git a/debian/changelog b/debian/changelog | |||
22 | index 1cf4a21..279b742 100644 | |||
23 | --- a/debian/changelog | |||
24 | +++ b/debian/changelog | |||
25 | @@ -1,9 +1,68 @@ | |||
26 | 1 | bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium | ||
27 | 2 | |||
28 | 3 | * Merge with Debian unstable. Remaining changes: | ||
29 | 4 | - Build without lmdb support as that package is in Universe | ||
30 | 5 | - Don't build dnstap as it depends on universe packages: | ||
31 | 6 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
32 | 7 | protobuf-c-compiler (universe packages) | ||
33 | 8 | + d/dnsutils.install: don't install dnstap | ||
34 | 9 | + d/libdns1104.symbols: don't include dnstap symbols | ||
35 | 10 | + d/rules: don't build dnstap nor install dnstap.proto | ||
36 | 11 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
37 | 12 | option (LP #1804648) | ||
38 | 13 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
39 | 14 | close to a query timeout (LP #1797926) | ||
40 | 15 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
41 | 16 | network egress access that is not available in the Ubuntu autopkgtest | ||
42 | 17 | farm. | ||
43 | 18 | |||
44 | 19 | -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 | ||
45 | 20 | |||
46 | 1 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium | 21 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium |
47 | 2 | 22 | ||
48 | 3 | * New upstream version 9.11.5.P1+dfsg | 23 | * New upstream version 9.11.5.P1+dfsg |
49 | 4 | 24 | ||
50 | 5 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 | 25 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 |
51 | 6 | 26 | ||
52 | 27 | bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium | ||
53 | 28 | |||
54 | 29 | * Merge with Debian unstable. Remaining changes: | ||
55 | 30 | - Build without lmdb support as that package is in Universe | ||
56 | 31 | - Don't build dnstap as it depends on universe packages: | ||
57 | 32 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
58 | 33 | protobuf-c-compiler (universe packages) | ||
59 | 34 | + d/dnsutils.install: don't install dnstap | ||
60 | 35 | + d/libdns1104.symbols: don't include dnstap symbols | ||
61 | 36 | + d/rules: don't build dnstap nor install dnstap.proto | ||
62 | 37 | * Dropped: | ||
63 | 38 | - SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
64 | 39 | option is used | ||
65 | 40 | + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
66 | 41 | trigger a crash if deny-answer-aliases was set | ||
67 | 42 | + debian/patches/CVE-2018-5740-2.patch: add tests | ||
68 | 43 | + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
69 | 44 | chainingp correctly, add test | ||
70 | 45 | + CVE-2018-5740 | ||
71 | 46 | [Fixed in new upstream version 9.11.5] | ||
72 | 47 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
73 | 48 | line (Closes: #904983) | ||
74 | 49 | [Fixed in 1:9.11.4+dfsg-4] | ||
75 | 50 | - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) | ||
76 | 51 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
77 | 52 | - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
78 | 53 | (it depends on OpenSSL version) (Closes: #897643) | ||
79 | 54 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
80 | 55 | * Added: | ||
81 | 56 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
82 | 57 | option (LP: #1804648) | ||
83 | 58 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
84 | 59 | close to a query timeout (LP: #1797926) | ||
85 | 60 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
86 | 61 | network egress access that is not available in the Ubuntu autopkgtest | ||
87 | 62 | farm. | ||
88 | 63 | |||
89 | 64 | -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 | ||
90 | 65 | |||
91 | 7 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium | 66 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium |
92 | 8 | 67 | ||
93 | 9 | * Use team+dns@tracker.debian.org as Maintainer address | 68 | * Use team+dns@tracker.debian.org as Maintainer address |
94 | @@ -65,6 +124,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium | |||
95 | 65 | 124 | ||
96 | 66 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 | 125 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 |
97 | 67 | 126 | ||
98 | 127 | bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high | ||
99 | 128 | |||
100 | 129 | * No change rebuild against openssl 1.1.1 with TLS 1.3 support. | ||
101 | 130 | |||
102 | 131 | -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 | ||
103 | 132 | |||
104 | 133 | bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium | ||
105 | 134 | |||
106 | 135 | * SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
107 | 136 | option is used | ||
108 | 137 | - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
109 | 138 | trigger a crash if deny-answer-aliases was set | ||
110 | 139 | - debian/patches/CVE-2018-5740-2.patch: add tests | ||
111 | 140 | - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
112 | 141 | chainingp correctly, add test | ||
113 | 142 | - CVE-2018-5740 | ||
114 | 143 | |||
115 | 144 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 | ||
116 | 145 | |||
117 | 146 | bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium | ||
118 | 147 | |||
119 | 148 | * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
120 | 149 | (it depends on OpenSSL version) (Closes: #897643) | ||
121 | 150 | |||
122 | 151 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 | ||
123 | 152 | |||
124 | 153 | bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium | ||
125 | 154 | |||
126 | 155 | * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 | ||
127 | 156 | crashing on startup. (LP: #1769440) | ||
128 | 157 | |||
129 | 158 | -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 | ||
130 | 159 | |||
131 | 160 | bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium | ||
132 | 161 | |||
133 | 162 | * Merge with Debian unstable. Remaining changes: | ||
134 | 163 | - Build without lmdb support as that package is in Universe | ||
135 | 164 | * Added: | ||
136 | 165 | - Don't build dnstap as it depends on universe packages: | ||
137 | 166 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
138 | 167 | protobuf-c-compiler (universe packages) | ||
139 | 168 | + d/dnsutils.install: don't install dnstap | ||
140 | 169 | + d/libdns1102.symbols: don't include dnstap symbols | ||
141 | 170 | + d/rules: don't build dnstap | ||
142 | 171 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
143 | 172 | line (Closes: #904983) | ||
144 | 173 | |||
145 | 174 | -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 | ||
146 | 175 | |||
147 | 68 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium | 176 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium |
148 | 69 | 177 | ||
149 | 70 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) | 178 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) |
150 | @@ -95,6 +203,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium | |||
151 | 95 | 203 | ||
152 | 96 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 | 204 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 |
153 | 97 | 205 | ||
154 | 206 | bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium | ||
155 | 207 | |||
156 | 208 | * Merge with Debian unstable (LP: #1777935). Remaining changes: | ||
157 | 209 | - Build without lmdb support as that package is in Universe | ||
158 | 210 | * Drop: | ||
159 | 211 | - SECURITY UPDATE: improperly permits recursive query service | ||
160 | 212 | + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
161 | 213 | in bin/named/server.c. | ||
162 | 214 | + CVE-2018-5738 | ||
163 | 215 | [Applied in Debian's 1:9.11.3+dfsg-2] | ||
164 | 216 | |||
165 | 217 | -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 | ||
166 | 218 | |||
167 | 98 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | 219 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
168 | 99 | 220 | ||
169 | 100 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion | 221 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion |
170 | @@ -103,6 +224,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | |||
171 | 103 | 224 | ||
172 | 104 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 | 225 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 |
173 | 105 | 226 | ||
174 | 227 | bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium | ||
175 | 228 | |||
176 | 229 | * SECURITY UPDATE: improperly permits recursive query service | ||
177 | 230 | - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
178 | 231 | in bin/named/server.c. | ||
179 | 232 | - CVE-2018-5738 | ||
180 | 233 | |||
181 | 234 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 | ||
182 | 235 | |||
183 | 236 | bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low | ||
184 | 237 | |||
185 | 238 | * New upstream release. (LP: #1763572) | ||
186 | 239 | - fix a crash when configured with ipa-dns-install | ||
187 | 240 | * Merge from Debian unstable. Remaining changes: | ||
188 | 241 | - Build without lmdb support as that package is in Universe | ||
189 | 242 | |||
190 | 243 | -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 | ||
191 | 244 | |||
192 | 106 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | 245 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
193 | 107 | 246 | ||
194 | 108 | [ Bernhard Schmidt ] | 247 | [ Bernhard Schmidt ] |
195 | @@ -127,6 +266,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | |||
196 | 127 | 266 | ||
197 | 128 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 | 267 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 |
198 | 129 | 268 | ||
199 | 269 | bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium | ||
200 | 270 | |||
201 | 271 | * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating | ||
202 | 272 | DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews | ||
203 | 273 | <marka@isc.org>. (LP: #1755439) | ||
204 | 274 | |||
205 | 275 | -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 | ||
206 | 276 | |||
207 | 277 | bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium | ||
208 | 278 | |||
209 | 279 | * Fix apparmor profile filename (LP: #1754981) | ||
210 | 280 | |||
211 | 281 | -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 | ||
212 | 282 | |||
213 | 283 | bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high | ||
214 | 284 | |||
215 | 285 | * No change rebuild against openssl1.1. | ||
216 | 286 | |||
217 | 287 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 | ||
218 | 288 | |||
219 | 289 | bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium | ||
220 | 290 | |||
221 | 291 | * Build without lmdb support as that package is in Universe (LP: #1746296) | ||
222 | 292 | - d/control: remove Build-Depends on liblmdb-dev | ||
223 | 293 | - d/rules: configure --without-lmdb | ||
224 | 294 | - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires | ||
225 | 295 | lmdb. | ||
226 | 296 | |||
227 | 297 | -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 | ||
228 | 298 | |||
229 | 299 | bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium | ||
230 | 300 | |||
231 | 301 | * Merge with Debian unstable (LP: #1744930). | ||
232 | 302 | * Drop: | ||
233 | 303 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
234 | 304 | (LP #1536181). | ||
235 | 305 | [fixed in 1:9.10.6+dfsg-4] | ||
236 | 306 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
237 | 307 | [adopted in 1:9.10.6+dfsg-5] | ||
238 | 308 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
239 | 309 | introduced with the CVE-2016-8864.patch and fixed in | ||
240 | 310 | CVE-2016-8864-regression.patch. | ||
241 | 311 | [applied upstream] | ||
242 | 312 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
243 | 313 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
244 | 314 | and fixed in CVE-2016-8864-regression2.patch. | ||
245 | 315 | [applied upstream] | ||
246 | 316 | - d/control, d/rules: add json support for the statistics channels. | ||
247 | 317 | (LP #1669193) | ||
248 | 318 | [adopted in 1:9.10.6+dfsg-5] | ||
249 | 319 | * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing | ||
250 | 320 | listing the python ply module as a dependency (Closes: #888463) | ||
251 | 321 | |||
252 | 322 | -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 | ||
253 | 323 | |||
254 | 130 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium | 324 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
255 | 131 | 325 | ||
256 | 132 | * New upstream version 9.11.2-P1 | 326 | * New upstream version 9.11.2-P1 |
257 | @@ -302,6 +496,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium | |||
258 | 302 | 496 | ||
259 | 303 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 | 497 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
260 | 304 | 498 | ||
261 | 499 | bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium | ||
262 | 500 | |||
263 | 501 | * Merge with Debian unstable (LP: #1712920). Remaining changes: | ||
264 | 502 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
265 | 503 | (LP #1536181). | ||
266 | 504 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
267 | 505 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
268 | 506 | introduced with the CVE-2016-8864.patch and fixed in | ||
269 | 507 | CVE-2016-8864-regression.patch. | ||
270 | 508 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
271 | 509 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
272 | 510 | and fixed in CVE-2016-8864-regression2.patch. | ||
273 | 511 | - d/control, d/rules: add json support for the statistics channels. | ||
274 | 512 | (LP #1669193) | ||
275 | 513 | |||
276 | 514 | -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 | ||
277 | 515 | |||
278 | 516 | bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium | ||
279 | 517 | |||
280 | 518 | * Non-maintainer upload. | ||
281 | 519 | * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) | ||
282 | 520 | |||
283 | 521 | -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 | ||
284 | 522 | |||
285 | 523 | bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium | ||
286 | 524 | |||
287 | 525 | * Merge with Debian unstable (LP: #1701687). Remaining changes: | ||
288 | 526 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
289 | 527 | (LP #1536181). | ||
290 | 528 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
291 | 529 | * Drop: | ||
292 | 530 | - SECURITY UPDATE: denial of service via assertion failure | ||
293 | 531 | + debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
294 | 532 | lib/dns/message.c. | ||
295 | 533 | + CVE-2016-2776 | ||
296 | 534 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
297 | 535 | - SECURITY UPDATE: assertion failure via class mismatch | ||
298 | 536 | + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
299 | 537 | records in lib/dns/resolver.c. | ||
300 | 538 | + CVE-2016-9131 | ||
301 | 539 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
302 | 540 | - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
303 | 541 | + debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
304 | 542 | returned without the requested data in lib/dns/resolver.c. | ||
305 | 543 | + CVE-2016-9147 | ||
306 | 544 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
307 | 545 | - SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
308 | 546 | + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
309 | 547 | lib/dns/message.c, lib/dns/resolver.c. | ||
310 | 548 | + CVE-2016-9444 | ||
311 | 549 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
312 | 550 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
313 | 551 | + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
314 | 552 | responses in lib/dns/resolver.c, added tests to | ||
315 | 553 | bin/tests/system/dname/ns2/example.db, | ||
316 | 554 | bin/tests/system/dname/tests.sh. | ||
317 | 555 | + No CVE number | ||
318 | 556 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] | ||
319 | 557 | - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
320 | 558 | a NULL pointer | ||
321 | 559 | + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
322 | 560 | combination in bin/named/query.c, lib/dns/message.c, | ||
323 | 561 | lib/dns/rdataset.c. | ||
324 | 562 | + CVE-2017-3135 | ||
325 | 563 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
326 | 564 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
327 | 565 | + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
328 | 566 | was still being cached when it should have been in lib/dns/resolver.c, | ||
329 | 567 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
330 | 568 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
331 | 569 | + No CVE number | ||
332 | 570 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
333 | 571 | - SECURITY UPDATE: Denial of Service due to an error handling | ||
334 | 572 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
335 | 573 | + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
336 | 574 | called. | ||
337 | 575 | + CVE-2017-3136 | ||
338 | 576 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
339 | 577 | - SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
340 | 578 | processing a response packet containing a CNAME or DNAME | ||
341 | 579 | + debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
342 | 580 | ordering of answer components; add testcases. | ||
343 | 581 | + CVE-2017-3137 | ||
344 | 582 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] | ||
345 | 583 | - SECURITY UPDATE: Denial of Service when receiving a null command on | ||
346 | 584 | the control channel | ||
347 | 585 | + debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
348 | 586 | command token is given; add testcase. | ||
349 | 587 | + CVE-2017-3138 | ||
350 | 588 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
351 | 589 | - SECURITY UPDATE: TSIG authentication issues | ||
352 | 590 | + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
353 | 591 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
354 | 592 | + CVE-2017-3142 | ||
355 | 593 | + CVE-2017-3143 | ||
356 | 594 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] | ||
357 | 595 | * d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
358 | 596 | introduced with the CVE-2016-8864.patch and fixed in | ||
359 | 597 | CVE-2016-8864-regression.patch. | ||
360 | 598 | * d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
361 | 599 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
362 | 600 | and fixed in CVE-2016-8864-regression2.patch. | ||
363 | 601 | * d/control, d/rules: add json support for the statistics channels. | ||
364 | 602 | (LP: #1669193) | ||
365 | 603 | |||
366 | 604 | -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 | ||
367 | 605 | |||
368 | 606 | bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium | ||
369 | 607 | |||
370 | 608 | * Non-maintainer upload. | ||
371 | 609 | * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG | ||
372 | 610 | signed TCP message sequences where not all the messages contain TSIG | ||
373 | 611 | records. These may be used in AXFR and IXFR responses. | ||
374 | 612 | (Closes: #868952) | ||
375 | 613 | |||
376 | 614 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 | ||
377 | 615 | |||
378 | 616 | bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high | ||
379 | 617 | |||
380 | 618 | * Non-maintainer upload. | ||
381 | 619 | |||
382 | 620 | [ Yves-Alexis Perez ] | ||
383 | 621 | * debian/patches: | ||
384 | 622 | - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses | ||
385 | 623 | CVE-2017-3142: error in TSIG authentication can permit unauthorized zone | ||
386 | 624 | transfers. An attacker may be able to circumvent TSIG authentication of | ||
387 | 625 | AXFR and Notify requests. | ||
388 | 626 | CVE-2017-3143: error in TSIG authentication can permit unauthorized | ||
389 | 627 | dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) | ||
390 | 628 | signature for a dynamic update. | ||
391 | 629 | (Closes: #866564) | ||
392 | 630 | |||
393 | 631 | -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 | ||
394 | 632 | |||
395 | 305 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium | 633 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
396 | 306 | 634 | ||
397 | 307 | [ Bernhard Schmidt ] | 635 | [ Bernhard Schmidt ] |
398 | @@ -408,6 +736,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium | |||
399 | 408 | 736 | ||
400 | 409 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 | 737 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
401 | 410 | 738 | ||
402 | 739 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium | ||
403 | 740 | |||
404 | 741 | * SECURITY UPDATE: TSIG authentication issues | ||
405 | 742 | - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
406 | 743 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
407 | 744 | - CVE-2017-3142 | ||
408 | 745 | - CVE-2017-3143 | ||
409 | 746 | |||
410 | 747 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 | ||
411 | 748 | |||
412 | 749 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium | ||
413 | 750 | |||
414 | 751 | * rules: Fix path to libsofthsm2.so. (LP: #1685780) | ||
415 | 752 | |||
416 | 753 | -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 | ||
417 | 754 | |||
418 | 755 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium | ||
419 | 756 | |||
420 | 757 | * SECURITY UPDATE: Denial of Service due to an error handling | ||
421 | 758 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
422 | 759 | - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
423 | 760 | called. | ||
424 | 761 | - CVE-2017-3136 | ||
425 | 762 | * SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
426 | 763 | processing a response packet containing a CNAME or DNAME | ||
427 | 764 | - debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
428 | 765 | ordering of answer components; add testcases. | ||
429 | 766 | - CVE-2017-3137 | ||
430 | 767 | * SECURITY UPDATE: Denial of Service when receiving a null command on | ||
431 | 768 | the control channel | ||
432 | 769 | - debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
433 | 770 | command token is given; add testcase. | ||
434 | 771 | - CVE-2017-3138 | ||
435 | 772 | |||
436 | 773 | -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 | ||
437 | 774 | |||
438 | 775 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium | ||
439 | 776 | |||
440 | 777 | * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
441 | 778 | a NULL pointer | ||
442 | 779 | - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
443 | 780 | combination in bin/named/query.c, lib/dns/message.c, | ||
444 | 781 | lib/dns/rdataset.c. | ||
445 | 782 | - CVE-2017-3135 | ||
446 | 783 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
447 | 784 | - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
448 | 785 | was still being cached when it should have been in lib/dns/resolver.c, | ||
449 | 786 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
450 | 787 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
451 | 788 | - No CVE number | ||
452 | 789 | |||
453 | 790 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 | ||
454 | 791 | |||
455 | 792 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium | ||
456 | 793 | |||
457 | 794 | * SECURITY UPDATE: assertion failure via class mismatch | ||
458 | 795 | - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
459 | 796 | records in lib/dns/resolver.c. | ||
460 | 797 | - CVE-2016-9131 | ||
461 | 798 | * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
462 | 799 | - debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
463 | 800 | returned without the requested data in lib/dns/resolver.c. | ||
464 | 801 | - CVE-2016-9147 | ||
465 | 802 | * SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
466 | 803 | - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
467 | 804 | lib/dns/message.c, lib/dns/resolver.c. | ||
468 | 805 | - CVE-2016-9444 | ||
469 | 806 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
470 | 807 | - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
471 | 808 | responses in lib/dns/resolver.c, added tests to | ||
472 | 809 | bin/tests/system/dname/ns2/example.db, | ||
473 | 810 | bin/tests/system/dname/tests.sh. | ||
474 | 811 | - No CVE number | ||
475 | 812 | |||
476 | 813 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 | ||
477 | 814 | |||
478 | 815 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium | ||
479 | 816 | |||
480 | 817 | * Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
481 | 818 | (LP: #1536181). | ||
482 | 819 | |||
483 | 820 | -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 | ||
484 | 821 | |||
485 | 822 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium | ||
486 | 823 | |||
487 | 824 | * SECURITY UPDATE: denial of service via assertion failure | ||
488 | 825 | - debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
489 | 826 | lib/dns/message.c. | ||
490 | 827 | - CVE-2016-2776 | ||
491 | 828 | |||
492 | 829 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 | ||
493 | 830 | |||
494 | 411 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium | 831 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
495 | 412 | 832 | ||
496 | 413 | * Non-maintainer upload. | 833 | * Non-maintainer upload. |
497 | diff --git a/debian/control b/debian/control | |||
498 | index 73c2a17..3d7f03d 100644 | |||
499 | --- a/debian/control | |||
500 | +++ b/debian/control | |||
501 | @@ -1,7 +1,8 @@ | |||
502 | 1 | Source: bind9 | 1 | Source: bind9 |
503 | 2 | Section: net | 2 | Section: net |
504 | 3 | Priority: optional | 3 | Priority: optional |
506 | 4 | Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
507 | 5 | XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | ||
508 | 5 | Uploaders: LaMont Jones <lamont@debian.org>, | 6 | Uploaders: LaMont Jones <lamont@debian.org>, |
509 | 6 | Michael Gilbert <mgilbert@debian.org>, | 7 | Michael Gilbert <mgilbert@debian.org>, |
510 | 7 | Robie Basak <robie.basak@canonical.com>, | 8 | Robie Basak <robie.basak@canonical.com>, |
511 | @@ -15,18 +16,14 @@ Build-Depends: bison, | |||
512 | 15 | dpkg-dev (>= 1.16.1~), | 16 | dpkg-dev (>= 1.16.1~), |
513 | 16 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], | 17 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], |
514 | 17 | libdb-dev (>>4.6), | 18 | libdb-dev (>>4.6), |
515 | 18 | libfstrm-dev, | ||
516 | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), |
517 | 20 | libidn2-dev, | 20 | libidn2-dev, |
518 | 21 | libjson-c-dev, | 21 | libjson-c-dev, |
519 | 22 | libkrb5-dev, | 22 | libkrb5-dev, |
520 | 23 | libldap2-dev, | 23 | libldap2-dev, |
521 | 24 | liblmdb-dev, | ||
522 | 25 | libprotobuf-c-dev, | ||
523 | 26 | libssl-dev, | 24 | libssl-dev, |
524 | 27 | libtool, | 25 | libtool, |
525 | 28 | libxml2-dev, | 26 | libxml2-dev, |
526 | 29 | protobuf-c-compiler, | ||
527 | 30 | python3, | 27 | python3, |
528 | 31 | python3-distutils, | 28 | python3-distutils, |
529 | 32 | python3-ply | 29 | python3-ply |
530 | diff --git a/debian/dnsutils.install b/debian/dnsutils.install | |||
531 | index 90e4fba..5e6b7d9 100644 | |||
532 | --- a/debian/dnsutils.install | |||
533 | +++ b/debian/dnsutils.install | |||
534 | @@ -1,12 +1,10 @@ | |||
535 | 1 | usr/bin/delv | 1 | usr/bin/delv |
536 | 2 | usr/bin/dig | 2 | usr/bin/dig |
537 | 3 | usr/bin/dnstap-read | ||
538 | 4 | usr/bin/mdig | 3 | usr/bin/mdig |
539 | 5 | usr/bin/nslookup | 4 | usr/bin/nslookup |
540 | 6 | usr/bin/nsupdate | 5 | usr/bin/nsupdate |
541 | 7 | usr/share/man/man1/delv.1 | 6 | usr/share/man/man1/delv.1 |
542 | 8 | usr/share/man/man1/dig.1 | 7 | usr/share/man/man1/dig.1 |
543 | 9 | usr/share/man/man1/dnstap-read.1 | ||
544 | 10 | usr/share/man/man1/mdig.1 | 8 | usr/share/man/man1/mdig.1 |
545 | 11 | usr/share/man/man1/nslookup.1 | 9 | usr/share/man/man1/nslookup.1 |
546 | 12 | usr/share/man/man1/nsupdate.1 | 10 | usr/share/man/man1/nsupdate.1 |
547 | diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols | |||
548 | index a3b9f10..7b6020e 100644 | |||
549 | --- a/debian/libdns1104.symbols | |||
550 | +++ b/debian/libdns1104.symbols | |||
551 | @@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
552 | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
553 | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
554 | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
555 | 361 | dns_dt_attach@Base 1:9.11.4+dfsg-2 | ||
556 | 362 | dns_dt_close@Base 1:9.11.4+dfsg-2 | ||
557 | 363 | dns_dt_create@Base 1:9.11.4+dfsg-2 | ||
558 | 364 | dns_dt_datatotext@Base 1:9.11.4+dfsg-2 | ||
559 | 365 | dns_dt_detach@Base 1:9.11.4+dfsg-2 | ||
560 | 366 | dns_dt_getframe@Base 1:9.11.4+dfsg-2 | ||
561 | 367 | dns_dt_getstats@Base 1:9.11.4+dfsg-2 | ||
562 | 368 | dns_dt_open@Base 1:9.11.4+dfsg-2 | ||
563 | 369 | dns_dt_parse@Base 1:9.11.4+dfsg-2 | ||
564 | 370 | dns_dt_reopen@Base 1:9.11.4+dfsg-2 | ||
565 | 371 | dns_dt_send@Base 1:9.11.4+dfsg-2 | ||
566 | 372 | dns_dt_setidentity@Base 1:9.11.4+dfsg-2 | ||
567 | 373 | dns_dt_setversion@Base 1:9.11.4+dfsg-2 | ||
568 | 374 | dns_dt_shutdown@Base 1:9.11.4+dfsg-2 | ||
569 | 375 | dns_dtdata_free@Base 1:9.11.4+dfsg-2 | ||
570 | 376 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 361 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
571 | 377 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 362 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
572 | 378 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 363 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
573 | @@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
574 | 1443 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 1428 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
575 | 1444 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 1429 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
576 | 1445 | dns_zt_unmount@Base 1:9.11.3+dfsg | 1430 | dns_zt_unmount@Base 1:9.11.3+dfsg |
577 | 1446 | dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2 | ||
578 | 1447 | dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
579 | 1448 | dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
580 | 1449 | dnstap__dnstap__init@Base 1:9.11.4+dfsg-2 | ||
581 | 1450 | dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2 | ||
582 | 1451 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
583 | 1452 | dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
584 | 1453 | dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2 | ||
585 | 1454 | dnstap__message__descriptor@Base 1:9.11.4+dfsg-2 | ||
586 | 1455 | dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
587 | 1456 | dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
588 | 1457 | dnstap__message__init@Base 1:9.11.4+dfsg-2 | ||
589 | 1458 | dnstap__message__pack@Base 1:9.11.4+dfsg-2 | ||
590 | 1459 | dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
591 | 1460 | dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
592 | 1461 | dnstap__message__unpack@Base 1:9.11.4+dfsg-2 | ||
593 | 1462 | dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2 | ||
594 | 1463 | dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2 | ||
595 | 1464 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 1431 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
596 | 1465 | dst__entropy_status@Base 1:9.11.3+dfsg | 1432 | dst__entropy_status@Base 1:9.11.3+dfsg |
597 | 1466 | dst__gssapi_init@Base 1:9.11.3+dfsg | 1433 | dst__gssapi_init@Base 1:9.11.3+dfsg |
598 | @@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
599 | 1940 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 1907 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
600 | 1941 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 1908 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
601 | 1942 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 1909 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
602 | 1943 | dns_dt_attach@Base 1:9.11.4+dfsg-2 | ||
603 | 1944 | dns_dt_close@Base 1:9.11.4+dfsg-2 | ||
604 | 1945 | dns_dt_create@Base 1:9.11.4+dfsg-2 | ||
605 | 1946 | dns_dt_datatotext@Base 1:9.11.4+dfsg-2 | ||
606 | 1947 | dns_dt_detach@Base 1:9.11.4+dfsg-2 | ||
607 | 1948 | dns_dt_getframe@Base 1:9.11.4+dfsg-2 | ||
608 | 1949 | dns_dt_getstats@Base 1:9.11.4+dfsg-2 | ||
609 | 1950 | dns_dt_open@Base 1:9.11.4+dfsg-2 | ||
610 | 1951 | dns_dt_parse@Base 1:9.11.4+dfsg-2 | ||
611 | 1952 | dns_dt_reopen@Base 1:9.11.4+dfsg-2 | ||
612 | 1953 | dns_dt_send@Base 1:9.11.4+dfsg-2 | ||
613 | 1954 | dns_dt_setidentity@Base 1:9.11.4+dfsg-2 | ||
614 | 1955 | dns_dt_setversion@Base 1:9.11.4+dfsg-2 | ||
615 | 1956 | dns_dt_shutdown@Base 1:9.11.4+dfsg-2 | ||
616 | 1957 | dns_dtdata_free@Base 1:9.11.4+dfsg-2 | ||
617 | 1958 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 1910 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
618 | 1959 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 1911 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
619 | 1960 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 1912 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
620 | @@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
621 | 3032 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 2984 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
622 | 3033 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 2985 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
623 | 3034 | dns_zt_unmount@Base 1:9.11.3+dfsg | 2986 | dns_zt_unmount@Base 1:9.11.3+dfsg |
624 | 3035 | dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2 | ||
625 | 3036 | dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
626 | 3037 | dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
627 | 3038 | dnstap__dnstap__init@Base 1:9.11.4+dfsg-2 | ||
628 | 3039 | dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2 | ||
629 | 3040 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
630 | 3041 | dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
631 | 3042 | dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2 | ||
632 | 3043 | dnstap__message__descriptor@Base 1:9.11.4+dfsg-2 | ||
633 | 3044 | dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2 | ||
634 | 3045 | dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2 | ||
635 | 3046 | dnstap__message__init@Base 1:9.11.4+dfsg-2 | ||
636 | 3047 | dnstap__message__pack@Base 1:9.11.4+dfsg-2 | ||
637 | 3048 | dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2 | ||
638 | 3049 | dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2 | ||
639 | 3050 | dnstap__message__unpack@Base 1:9.11.4+dfsg-2 | ||
640 | 3051 | dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2 | ||
641 | 3052 | dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2 | ||
642 | 3053 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 2987 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
643 | 3054 | dst__entropy_status@Base 1:9.11.3+dfsg | 2988 | dst__entropy_status@Base 1:9.11.3+dfsg |
644 | 3055 | dst__gssapi_init@Base 1:9.11.3+dfsg | 2989 | dst__gssapi_init@Base 1:9.11.3+dfsg |
645 | diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff | |||
646 | 3056 | new file mode 100644 | 2990 | new file mode 100644 |
647 | index 0000000..5444ae7 | |||
648 | --- /dev/null | |||
649 | +++ b/debian/patches/enable-udp-in-host-command.diff | |||
650 | @@ -0,0 +1,26 @@ | |||
651 | 1 | Description: Fix parsing of host(1)'s -U command line option | ||
652 | 2 | Author: Andreas Hasenack <andreas@canonical.com> | ||
653 | 3 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769 | ||
654 | 4 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648 | ||
655 | 5 | Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935 | ||
656 | 6 | Last-Update: 2018-12-06 | ||
657 | 7 | --- | ||
658 | 8 | This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ | ||
659 | 9 | --- a/bin/dig/host.c | ||
660 | 10 | +++ b/bin/dig/host.c | ||
661 | 11 | @@ -158,6 +158,7 @@ | ||
662 | 12 | " -s a SERVFAIL response should stop query\n" | ||
663 | 13 | " -t specifies the query type\n" | ||
664 | 14 | " -T enables TCP/IP mode\n" | ||
665 | 15 | +" -U enables UDP mode\n" | ||
666 | 16 | " -v enables verbose output\n" | ||
667 | 17 | " -V print version number and exit\n" | ||
668 | 18 | " -w specifies to wait forever for a reply\n" | ||
669 | 19 | @@ -657,6 +658,7 @@ | ||
670 | 20 | case 'N': break; | ||
671 | 21 | case 'R': break; | ||
672 | 22 | case 'T': break; | ||
673 | 23 | + case 'U': break; | ||
674 | 24 | case 'W': break; | ||
675 | 25 | default: | ||
676 | 26 | show_usage(); | ||
677 | diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff | |||
678 | 0 | new file mode 100644 | 27 | new file mode 100644 |
679 | index 0000000..f10f51f | |||
680 | --- /dev/null | |||
681 | +++ b/debian/patches/fix-shutdown-race.diff | |||
682 | @@ -0,0 +1,41 @@ | |||
683 | 1 | From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001 | ||
684 | 2 | From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> | ||
685 | 3 | Date: Tue, 13 Nov 2018 13:50:47 +0100 | ||
686 | 4 | Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c | ||
687 | 5 | |||
688 | 6 | If a tool using the routines defined in bin/dig/dighost.c is sent an | ||
689 | 7 | interruption signal around the time a connection timeout is scheduled to | ||
690 | 8 | fire, connect_timeout() may be executed after destroy_libs() detaches | ||
691 | 9 | from the global task (setting 'global_task' to NULL), which results in a | ||
692 | 10 | crash upon a UDP retry due to bringup_timer() attempting to create a | ||
693 | 11 | timer with 'task' set to NULL. Fix by preventing connect_timeout() from | ||
694 | 12 | attempting a retry when shutdown is in progress. | ||
695 | 13 | |||
696 | 14 | (cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b) | ||
697 | 15 | |||
698 | 16 | Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs | ||
699 | 17 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599 | ||
700 | 18 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926 | ||
701 | 19 | Last-Update: 2018-12-06 | ||
702 | 20 | |||
703 | 21 | --- | ||
704 | 22 | bin/dig/dighost.c | 5 +++++ | ||
705 | 23 | 1 file changed, 5 insertions(+) | ||
706 | 24 | diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c | ||
707 | 25 | index 39abb9d0fd..17e0328228 100644 | ||
708 | 26 | --- a/bin/dig/dighost.c | ||
709 | 27 | +++ b/bin/dig/dighost.c | ||
710 | 28 | @@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { | ||
711 | 29 | |||
712 | 30 | INSIST(!free_now); | ||
713 | 31 | |||
714 | 32 | + if (cancel_now) { | ||
715 | 33 | + UNLOCK_LOOKUP; | ||
716 | 34 | + return; | ||
717 | 35 | + } | ||
718 | 36 | + | ||
719 | 37 | if ((query != NULL) && (query->lookup->current_query != NULL) && | ||
720 | 38 | ISC_LINK_LINKED(query->lookup->current_query, link) && | ||
721 | 39 | (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { | ||
722 | 40 | -- | ||
723 | 41 | 2.18.1 | ||
724 | diff --git a/debian/patches/series b/debian/patches/series | |||
725 | index 348be41..75144c4 100644 | |||
726 | --- a/debian/patches/series | |||
727 | +++ b/debian/patches/series | |||
728 | @@ -8,3 +8,5 @@ | |||
729 | 8 | 80_reproducible_build.diff | 8 | 80_reproducible_build.diff |
730 | 9 | Add_--install-layout=deb_to_setup.py_call.patch | 9 | Add_--install-layout=deb_to_setup.py_call.patch |
731 | 10 | skip-rtld-deepbind-for-dyndb.diff | 10 | skip-rtld-deepbind-for-dyndb.diff |
732 | 11 | enable-udp-in-host-command.diff | ||
733 | 12 | fix-shutdown-race.diff | ||
734 | diff --git a/debian/rules b/debian/rules | |||
735 | index 7edd414..1a22081 100755 | |||
736 | --- a/debian/rules | |||
737 | +++ b/debian/rules | |||
738 | @@ -91,7 +91,7 @@ override_dh_auto_configure: | |||
739 | 91 | --with-gssapi=/usr \ | 91 | --with-gssapi=/usr \ |
740 | 92 | --with-libidn2 \ | 92 | --with-libidn2 \ |
741 | 93 | --with-libjson=/usr \ | 93 | --with-libjson=/usr \ |
743 | 94 | --with-lmdb=/usr \ | 94 | --without-lmdb \ |
744 | 95 | --with-gnu-ld \ | 95 | --with-gnu-ld \ |
745 | 96 | --with-geoip=/usr \ | 96 | --with-geoip=/usr \ |
746 | 97 | --with-atf=no \ | 97 | --with-atf=no \ |
747 | @@ -101,7 +101,6 @@ override_dh_auto_configure: | |||
748 | 101 | --enable-native-pkcs11 \ | 101 | --enable-native-pkcs11 \ |
749 | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ |
750 | 103 | --with-randomdev=/dev/urandom \ | 103 | --with-randomdev=/dev/urandom \ |
751 | 104 | --enable-dnstap \ | ||
752 | 105 | --with-eddsa=no \ | 104 | --with-eddsa=no \ |
753 | 106 | $(EXTRA_FEATURES) | 105 | $(EXTRA_FEATURES) |
754 | 107 | dh_auto_configure -B build-udeb -- \ | 106 | dh_auto_configure -B build-udeb -- \ |
755 | @@ -128,8 +127,6 @@ override_dh_auto_configure: | |||
756 | 128 | # no need to build these targets here | 127 | # no need to build these targets here |
757 | 129 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile | 128 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile |
758 | 130 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile | 129 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile |
759 | 131 | cp lib/dns/dnstap.proto build/lib/dns | ||
760 | 132 | cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11 | ||
761 | 133 | 130 | ||
762 | 134 | override_dh_auto_build: | 131 | override_dh_auto_build: |
763 | 135 | dh_auto_build -B build | 132 | dh_auto_build -B build |
764 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest | |||
765 | index 468a7c5..34b0b25 100755 | |||
766 | --- a/debian/tests/simpletest | |||
767 | +++ b/debian/tests/simpletest | |||
768 | @@ -10,10 +10,6 @@ setup() { | |||
769 | 10 | run() { | 10 | run() { |
770 | 11 | # Make a query against a local zone | 11 | # Make a query against a local zone |
771 | 12 | dig -x 127.0.0.1 @127.0.0.1 | 12 | dig -x 127.0.0.1 @127.0.0.1 |
772 | 13 | |||
773 | 14 | # Make a query against an external nameserver and check for DNSSEC validation | ||
774 | 15 | echo "Checking for DNSSEC validation status of internetsociety.org" | ||
775 | 16 | dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' | ||
776 | 17 | } | 13 | } |
777 | 18 | 14 | ||
778 | 19 | teardown() { | 15 | teardown() { |
Retriggering tests with proposed