Merge ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge into ubuntu/+source/bind9:debian/sid
- Git
- lp:~rafaeldtinoco/ubuntu/+source/bind9
- eoan-bind9-merge
- Merge into debian/sid
Status: | Merged | ||||||||
---|---|---|---|---|---|---|---|---|---|
Approved by: | Andreas Hasenack | ||||||||
Approved revision: | 250b74170dc6263037104e3be555696c69146418 | ||||||||
Merge reported by: | Andreas Hasenack | ||||||||
Merged at revision: | 250b74170dc6263037104e3be555696c69146418 | ||||||||
Proposed branch: | ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge | ||||||||
Merge into: | ubuntu/+source/bind9:debian/sid | ||||||||
Diff against target: |
953 lines (+646/-83) 10 files modified
debian/bind9.install (+0/-2) debian/changelog (+574/-0) debian/control (+2/-5) debian/dnsutils.install (+0/-2) debian/libdns1104.symbols (+0/-66) debian/patches/enable-udp-in-host-command.diff (+26/-0) debian/patches/fix-shutdown-race.diff (+41/-0) debian/patches/series (+2/-0) debian/rules (+1/-4) debian/tests/simpletest (+0/-4) |
||||||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Canonical Server Core Reviewers | Pending | ||
Canonical Server | Pending | ||
Review via email: mp+369410@code.launchpad.net |
Commit message
Description of the change
- 62ffcaf... by Rafael David Tinoco
-
reconstruct-
changelog
Andreas Hasenack (ahasenack) wrote : | # |
Tagged and uploaded:
$ git push pkg upload/
Enumerating objects: 56, done.
Counting objects: 100% (56/56), done.
Delta compression using up to 2 threads
Compressing objects: 100% (41/41), done.
Writing objects: 100% (44/44), 12.36 KiB | 744.00 KiB/s, done.
Total 44 (delta 30), reused 6 (delta 3)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../bind9_
Checking signature on .changes
gpg: ../bind9_
Checking signature on .dsc
gpg: ../bind9_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Successfully uploaded packages.
Andreas Hasenack (ahasenack) wrote : | # |
This migrated already.
Preview Diff
1 | diff --git a/debian/bind9.install b/debian/bind9.install | |||
2 | index 26d595e..fd7f0f5 100644 | |||
3 | --- a/debian/bind9.install | |||
4 | +++ b/debian/bind9.install | |||
5 | @@ -16,7 +16,6 @@ usr/sbin/genrandom | |||
6 | 16 | usr/sbin/isc-hmac-fixup | 16 | usr/sbin/isc-hmac-fixup |
7 | 17 | usr/sbin/named | 17 | usr/sbin/named |
8 | 18 | usr/sbin/named-journalprint | 18 | usr/sbin/named-journalprint |
9 | 19 | usr/sbin/named-nzd2nzf | ||
10 | 20 | usr/sbin/named-pkcs11 | 19 | usr/sbin/named-pkcs11 |
11 | 21 | usr/sbin/nsec3hash | 20 | usr/sbin/nsec3hash |
12 | 22 | usr/sbin/tsig-keygen | 21 | usr/sbin/tsig-keygen |
13 | @@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8 | |||
14 | 32 | usr/share/man/man8/genrandom.8 | 31 | usr/share/man/man8/genrandom.8 |
15 | 33 | usr/share/man/man8/isc-hmac-fixup.8 | 32 | usr/share/man/man8/isc-hmac-fixup.8 |
16 | 34 | usr/share/man/man8/named-journalprint.8 | 33 | usr/share/man/man8/named-journalprint.8 |
17 | 35 | usr/share/man/man8/named-nzd2nzf.8 | ||
18 | 36 | usr/share/man/man8/named.8 | 34 | usr/share/man/man8/named.8 |
19 | 37 | usr/share/man/man8/nsec3hash.8 | 35 | usr/share/man/man8/nsec3hash.8 |
20 | 38 | usr/share/man/man8/tsig-keygen.8 | 36 | usr/share/man/man8/tsig-keygen.8 |
21 | diff --git a/debian/changelog b/debian/changelog | |||
22 | index fb0505e..5bd1782 100644 | |||
23 | --- a/debian/changelog | |||
24 | +++ b/debian/changelog | |||
25 | @@ -1,3 +1,28 @@ | |||
26 | 1 | bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium | ||
27 | 2 | |||
28 | 3 | * Merge with Debian unstable. Remaining changes: | ||
29 | 4 | - Build without lmdb support as that package is in Universe | ||
30 | 5 | - Don't build dnstap as it depends on universe packages: | ||
31 | 6 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
32 | 7 | protobuf-c-compiler (universe packages) | ||
33 | 8 | + d/dnsutils.install: don't install dnstap | ||
34 | 9 | + d/libdns1104.symbols: don't include dnstap symbols | ||
35 | 10 | + d/rules: don't build dnstap nor install dnstap.proto | ||
36 | 11 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
37 | 12 | option (LP #1804648) | ||
38 | 13 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
39 | 14 | close to a query timeout (LP #1797926) | ||
40 | 15 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
41 | 16 | network egress access that is not available in the Ubuntu autopkgtest | ||
42 | 17 | farm. | ||
43 | 18 | * Dropped: | ||
44 | 19 | - SECURITY UPDATE: DoS via malformed packets | ||
45 | 20 | + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c | ||
46 | 21 | + CVE-2019-6471 | ||
47 | 22 | [Fixed in 1:9.11.5.P4+dfsg-5.1] | ||
48 | 23 | |||
49 | 24 | -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 27 Jun 2019 14:54:25 +0000 | ||
50 | 25 | |||
51 | 1 | bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high | 26 | bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high |
52 | 2 | 27 | ||
53 | 3 | * Non-maintainer upload. | 28 | * Non-maintainer upload. |
54 | @@ -6,6 +31,29 @@ bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high | |||
55 | 6 | 31 | ||
56 | 7 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200 | 32 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200 |
57 | 8 | 33 | ||
58 | 34 | bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium | ||
59 | 35 | |||
60 | 36 | * Merge with Debian unstable. Remaining changes: | ||
61 | 37 | - Build without lmdb support as that package is in Universe | ||
62 | 38 | - Don't build dnstap as it depends on universe packages: | ||
63 | 39 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
64 | 40 | protobuf-c-compiler (universe packages) | ||
65 | 41 | + d/dnsutils.install: don't install dnstap | ||
66 | 42 | + d/libdns1104.symbols: don't include dnstap symbols | ||
67 | 43 | + d/rules: don't build dnstap nor install dnstap.proto | ||
68 | 44 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
69 | 45 | option (LP #1804648) | ||
70 | 46 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
71 | 47 | close to a query timeout (LP #1797926) | ||
72 | 48 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
73 | 49 | network egress access that is not available in the Ubuntu autopkgtest | ||
74 | 50 | farm. | ||
75 | 51 | - SECURITY UPDATE: DoS via malformed packets | ||
76 | 52 | + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c | ||
77 | 53 | + CVE-2019-6471 | ||
78 | 54 | |||
79 | 55 | -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000 | ||
80 | 56 | |||
81 | 9 | bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium | 57 | bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium |
82 | 10 | 58 | ||
83 | 11 | * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ. | 59 | * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ. |
84 | @@ -13,6 +61,69 @@ bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium | |||
85 | 13 | 61 | ||
86 | 14 | -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200 | 62 | -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200 |
87 | 15 | 63 | ||
88 | 64 | bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium | ||
89 | 65 | |||
90 | 66 | * SECURITY UPDATE: DoS via malformed packets | ||
91 | 67 | - debian/patches/CVE-2019-6471.patch: fix race condition in | ||
92 | 68 | lib/dns/dispatch.c. | ||
93 | 69 | - CVE-2019-6471 | ||
94 | 70 | |||
95 | 71 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400 | ||
96 | 72 | |||
97 | 73 | bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium | ||
98 | 74 | |||
99 | 75 | * Merge with Debian unstable. Remaining changes: | ||
100 | 76 | - Build without lmdb support as that package is in Universe | ||
101 | 77 | - Don't build dnstap as it depends on universe packages: | ||
102 | 78 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
103 | 79 | protobuf-c-compiler (universe packages) | ||
104 | 80 | + d/dnsutils.install: don't install dnstap | ||
105 | 81 | + d/libdns1104.symbols: don't include dnstap symbols | ||
106 | 82 | + d/rules: don't build dnstap nor install dnstap.proto | ||
107 | 83 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
108 | 84 | option (LP #1804648) | ||
109 | 85 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
110 | 86 | close to a query timeout (LP #1797926) | ||
111 | 87 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
112 | 88 | network egress access that is not available in the Ubuntu autopkgtest | ||
113 | 89 | farm. | ||
114 | 90 | * Dropped: | ||
115 | 91 | - SECURITY UPDATE: memory leak via specially crafted packet | ||
116 | 92 | + debian/patches/CVE-2018-5744.patch: silently drop additional keytag | ||
117 | 93 | options in bin/named/client.c. | ||
118 | 94 | + CVE-2018-5744 | ||
119 | 95 | [Fixed upstream in 9.11.5-P2] | ||
120 | 96 | - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an | ||
121 | 97 | unsupported key algorithm when using managed-keys | ||
122 | 98 | + debian/patches/CVE-2018-5745.patch: properly handle situations when | ||
123 | 99 | the key tag cannot be computed in lib/dns/include/dst/dst.h, | ||
124 | 100 | lib/dns/zone.c. | ||
125 | 101 | + CVE-2018-5745 | ||
126 | 102 | [Fixed upstream in 9.11.5-P2] | ||
127 | 103 | - SECURITY UPDATE: Controls for zone transfers may not be properly | ||
128 | 104 | applied to Dynamically Loadable Zones (DLZs) if the zones are writable | ||
129 | 105 | + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in | ||
130 | 106 | the zone table as a DLZ zone bin/named/xfrout.c. | ||
131 | 107 | + CVE-2019-6465 | ||
132 | 108 | [Fixed upstream in 9.11.5-P3] | ||
133 | 109 | - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective | ||
134 | 110 | + debian/patches/CVE-2018-5743.patch: add reference counting in | ||
135 | 111 | bin/named/client.c, bin/named/include/named/client.h, | ||
136 | 112 | bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, | ||
137 | 113 | lib/isc/include/isc/quota.h, lib/isc/quota.c, | ||
138 | 114 | lib/isc/win32/libisc.def.in. | ||
139 | 115 | + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic | ||
140 | 116 | operations with isc_refcount reference counting in | ||
141 | 117 | bin/named/client.c, bin/named/include/named/interfacemgr.h, | ||
142 | 118 | bin/named/interfacemgr.c. | ||
143 | 119 | + debian/libisc1100.symbols: added new symbols. | ||
144 | 120 | + CVE-2018-5743 | ||
145 | 121 | [Fixed in 1:9.11.5.P4+dfsg-4] | ||
146 | 122 | - d/rules: add back EdDSA support (LP #1825712) | ||
147 | 123 | [Fixed in 1:9.11.5.P4+dfsg-4] | ||
148 | 124 | |||
149 | 125 | -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300 | ||
150 | 126 | |||
151 | 16 | bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium | 127 | bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium |
152 | 17 | 128 | ||
153 | 18 | [ Bernhard Schmidt ] | 129 | [ Bernhard Schmidt ] |
154 | @@ -85,12 +196,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium | |||
155 | 85 | 196 | ||
156 | 86 | -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100 | 197 | -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100 |
157 | 87 | 198 | ||
158 | 199 | bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium | ||
159 | 200 | |||
160 | 201 | * d/rules: add back EdDSA support (LP: #1825712) | ||
161 | 202 | |||
162 | 203 | -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000 | ||
163 | 204 | |||
164 | 205 | bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium | ||
165 | 206 | |||
166 | 207 | * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective | ||
167 | 208 | - debian/patches/CVE-2018-5743.patch: add reference counting in | ||
168 | 209 | bin/named/client.c, bin/named/include/named/client.h, | ||
169 | 210 | bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, | ||
170 | 211 | lib/isc/include/isc/quota.h, lib/isc/quota.c, | ||
171 | 212 | lib/isc/win32/libisc.def.in. | ||
172 | 213 | - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic | ||
173 | 214 | operations with isc_refcount reference counting in | ||
174 | 215 | bin/named/client.c, bin/named/include/named/interfacemgr.h, | ||
175 | 216 | bin/named/interfacemgr.c. | ||
176 | 217 | - debian/libisc1100.symbols: added new symbols. | ||
177 | 218 | - CVE-2018-5743 | ||
178 | 219 | |||
179 | 220 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400 | ||
180 | 221 | |||
181 | 222 | bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium | ||
182 | 223 | |||
183 | 224 | * SECURITY UPDATE: memory leak via specially crafted packet | ||
184 | 225 | - debian/patches/CVE-2018-5744.patch: silently drop additional keytag | ||
185 | 226 | options in bin/named/client.c. | ||
186 | 227 | - CVE-2018-5744 | ||
187 | 228 | * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an | ||
188 | 229 | unsupported key algorithm when using managed-keys | ||
189 | 230 | - debian/patches/CVE-2018-5745.patch: properly handle situations when | ||
190 | 231 | the key tag cannot be computed in lib/dns/include/dst/dst.h, | ||
191 | 232 | lib/dns/zone.c. | ||
192 | 233 | - CVE-2018-5745 | ||
193 | 234 | * SECURITY UPDATE: Controls for zone transfers may not be properly | ||
194 | 235 | applied to Dynamically Loadable Zones (DLZs) if the zones are writable | ||
195 | 236 | - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in | ||
196 | 237 | the zone table as a DLZ zone bin/named/xfrout.c. | ||
197 | 238 | - CVE-2019-6465 | ||
198 | 239 | |||
199 | 240 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100 | ||
200 | 241 | |||
201 | 242 | bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium | ||
202 | 243 | |||
203 | 244 | * Merge with Debian unstable. Remaining changes: | ||
204 | 245 | - Build without lmdb support as that package is in Universe | ||
205 | 246 | - Don't build dnstap as it depends on universe packages: | ||
206 | 247 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
207 | 248 | protobuf-c-compiler (universe packages) | ||
208 | 249 | + d/dnsutils.install: don't install dnstap | ||
209 | 250 | + d/libdns1104.symbols: don't include dnstap symbols | ||
210 | 251 | + d/rules: don't build dnstap nor install dnstap.proto | ||
211 | 252 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
212 | 253 | option (LP #1804648) | ||
213 | 254 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
214 | 255 | close to a query timeout (LP #1797926) | ||
215 | 256 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
216 | 257 | network egress access that is not available in the Ubuntu autopkgtest | ||
217 | 258 | farm. | ||
218 | 259 | |||
219 | 260 | -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 | ||
220 | 261 | |||
221 | 88 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium | 262 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium |
222 | 89 | 263 | ||
223 | 90 | * New upstream version 9.11.5.P1+dfsg | 264 | * New upstream version 9.11.5.P1+dfsg |
224 | 91 | 265 | ||
225 | 92 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 | 266 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 |
226 | 93 | 267 | ||
227 | 268 | bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium | ||
228 | 269 | |||
229 | 270 | * Merge with Debian unstable. Remaining changes: | ||
230 | 271 | - Build without lmdb support as that package is in Universe | ||
231 | 272 | - Don't build dnstap as it depends on universe packages: | ||
232 | 273 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
233 | 274 | protobuf-c-compiler (universe packages) | ||
234 | 275 | + d/dnsutils.install: don't install dnstap | ||
235 | 276 | + d/libdns1104.symbols: don't include dnstap symbols | ||
236 | 277 | + d/rules: don't build dnstap nor install dnstap.proto | ||
237 | 278 | * Dropped: | ||
238 | 279 | - SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
239 | 280 | option is used | ||
240 | 281 | + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
241 | 282 | trigger a crash if deny-answer-aliases was set | ||
242 | 283 | + debian/patches/CVE-2018-5740-2.patch: add tests | ||
243 | 284 | + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
244 | 285 | chainingp correctly, add test | ||
245 | 286 | + CVE-2018-5740 | ||
246 | 287 | [Fixed in new upstream version 9.11.5] | ||
247 | 288 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
248 | 289 | line (Closes: #904983) | ||
249 | 290 | [Fixed in 1:9.11.4+dfsg-4] | ||
250 | 291 | - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) | ||
251 | 292 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
252 | 293 | - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
253 | 294 | (it depends on OpenSSL version) (Closes: #897643) | ||
254 | 295 | [Fixed in 1:9.11.4.P1+dfsg-1] | ||
255 | 296 | * Added: | ||
256 | 297 | - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line | ||
257 | 298 | option (LP: #1804648) | ||
258 | 299 | - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted | ||
259 | 300 | close to a query timeout (LP: #1797926) | ||
260 | 301 | - d/t/simpletest: drop the internetsociety.org test as it requires | ||
261 | 302 | network egress access that is not available in the Ubuntu autopkgtest | ||
262 | 303 | farm. | ||
263 | 304 | |||
264 | 305 | -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 | ||
265 | 306 | |||
266 | 94 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium | 307 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium |
267 | 95 | 308 | ||
268 | 96 | * Use team+dns@tracker.debian.org as Maintainer address | 309 | * Use team+dns@tracker.debian.org as Maintainer address |
269 | @@ -152,6 +365,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium | |||
270 | 152 | 365 | ||
271 | 153 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 | 366 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 |
272 | 154 | 367 | ||
273 | 368 | bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high | ||
274 | 369 | |||
275 | 370 | * No change rebuild against openssl 1.1.1 with TLS 1.3 support. | ||
276 | 371 | |||
277 | 372 | -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 | ||
278 | 373 | |||
279 | 374 | bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium | ||
280 | 375 | |||
281 | 376 | * SECURITY UPDATE: denial of service crash when deny-answer-aliases | ||
282 | 377 | option is used | ||
283 | 378 | - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could | ||
284 | 379 | trigger a crash if deny-answer-aliases was set | ||
285 | 380 | - debian/patches/CVE-2018-5740-2.patch: add tests | ||
286 | 381 | - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set | ||
287 | 382 | chainingp correctly, add test | ||
288 | 383 | - CVE-2018-5740 | ||
289 | 384 | |||
290 | 385 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 | ||
291 | 386 | |||
292 | 387 | bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium | ||
293 | 388 | |||
294 | 389 | * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol | ||
295 | 390 | (it depends on OpenSSL version) (Closes: #897643) | ||
296 | 391 | |||
297 | 392 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 | ||
298 | 393 | |||
299 | 394 | bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium | ||
300 | 395 | |||
301 | 396 | * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 | ||
302 | 397 | crashing on startup. (LP: #1769440) | ||
303 | 398 | |||
304 | 399 | -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 | ||
305 | 400 | |||
306 | 401 | bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium | ||
307 | 402 | |||
308 | 403 | * Merge with Debian unstable. Remaining changes: | ||
309 | 404 | - Build without lmdb support as that package is in Universe | ||
310 | 405 | * Added: | ||
311 | 406 | - Don't build dnstap as it depends on universe packages: | ||
312 | 407 | + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and | ||
313 | 408 | protobuf-c-compiler (universe packages) | ||
314 | 409 | + d/dnsutils.install: don't install dnstap | ||
315 | 410 | + d/libdns1102.symbols: don't include dnstap symbols | ||
316 | 411 | + d/rules: don't build dnstap | ||
317 | 412 | - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the | ||
318 | 413 | line (Closes: #904983) | ||
319 | 414 | |||
320 | 415 | -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 | ||
321 | 416 | |||
322 | 155 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium | 417 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium |
323 | 156 | 418 | ||
324 | 157 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) | 419 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) |
325 | @@ -182,6 +444,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium | |||
326 | 182 | 444 | ||
327 | 183 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 | 445 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 |
328 | 184 | 446 | ||
329 | 447 | bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium | ||
330 | 448 | |||
331 | 449 | * Merge with Debian unstable (LP: #1777935). Remaining changes: | ||
332 | 450 | - Build without lmdb support as that package is in Universe | ||
333 | 451 | * Drop: | ||
334 | 452 | - SECURITY UPDATE: improperly permits recursive query service | ||
335 | 453 | + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
336 | 454 | in bin/named/server.c. | ||
337 | 455 | + CVE-2018-5738 | ||
338 | 456 | [Applied in Debian's 1:9.11.3+dfsg-2] | ||
339 | 457 | |||
340 | 458 | -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 | ||
341 | 459 | |||
342 | 185 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | 460 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
343 | 186 | 461 | ||
344 | 187 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion | 462 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion |
345 | @@ -190,6 +465,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium | |||
346 | 190 | 465 | ||
347 | 191 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 | 466 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 |
348 | 192 | 467 | ||
349 | 468 | bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium | ||
350 | 469 | |||
351 | 470 | * SECURITY UPDATE: improperly permits recursive query service | ||
352 | 471 | - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling | ||
353 | 472 | in bin/named/server.c. | ||
354 | 473 | - CVE-2018-5738 | ||
355 | 474 | |||
356 | 475 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 | ||
357 | 476 | |||
358 | 477 | bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low | ||
359 | 478 | |||
360 | 479 | * New upstream release. (LP: #1763572) | ||
361 | 480 | - fix a crash when configured with ipa-dns-install | ||
362 | 481 | * Merge from Debian unstable. Remaining changes: | ||
363 | 482 | - Build without lmdb support as that package is in Universe | ||
364 | 483 | |||
365 | 484 | -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 | ||
366 | 485 | |||
367 | 193 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | 486 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
368 | 194 | 487 | ||
369 | 195 | [ Bernhard Schmidt ] | 488 | [ Bernhard Schmidt ] |
370 | @@ -214,6 +507,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium | |||
371 | 214 | 507 | ||
372 | 215 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 | 508 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 |
373 | 216 | 509 | ||
374 | 510 | bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium | ||
375 | 511 | |||
376 | 512 | * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating | ||
377 | 513 | DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews | ||
378 | 514 | <marka@isc.org>. (LP: #1755439) | ||
379 | 515 | |||
380 | 516 | -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 | ||
381 | 517 | |||
382 | 518 | bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium | ||
383 | 519 | |||
384 | 520 | * Fix apparmor profile filename (LP: #1754981) | ||
385 | 521 | |||
386 | 522 | -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 | ||
387 | 523 | |||
388 | 524 | bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high | ||
389 | 525 | |||
390 | 526 | * No change rebuild against openssl1.1. | ||
391 | 527 | |||
392 | 528 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 | ||
393 | 529 | |||
394 | 530 | bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium | ||
395 | 531 | |||
396 | 532 | * Build without lmdb support as that package is in Universe (LP: #1746296) | ||
397 | 533 | - d/control: remove Build-Depends on liblmdb-dev | ||
398 | 534 | - d/rules: configure --without-lmdb | ||
399 | 535 | - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires | ||
400 | 536 | lmdb. | ||
401 | 537 | |||
402 | 538 | -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 | ||
403 | 539 | |||
404 | 540 | bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium | ||
405 | 541 | |||
406 | 542 | * Merge with Debian unstable (LP: #1744930). | ||
407 | 543 | * Drop: | ||
408 | 544 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
409 | 545 | (LP #1536181). | ||
410 | 546 | [fixed in 1:9.10.6+dfsg-4] | ||
411 | 547 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
412 | 548 | [adopted in 1:9.10.6+dfsg-5] | ||
413 | 549 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
414 | 550 | introduced with the CVE-2016-8864.patch and fixed in | ||
415 | 551 | CVE-2016-8864-regression.patch. | ||
416 | 552 | [applied upstream] | ||
417 | 553 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
418 | 554 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
419 | 555 | and fixed in CVE-2016-8864-regression2.patch. | ||
420 | 556 | [applied upstream] | ||
421 | 557 | - d/control, d/rules: add json support for the statistics channels. | ||
422 | 558 | (LP #1669193) | ||
423 | 559 | [adopted in 1:9.10.6+dfsg-5] | ||
424 | 560 | * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing | ||
425 | 561 | listing the python ply module as a dependency (Closes: #888463) | ||
426 | 562 | |||
427 | 563 | -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 | ||
428 | 564 | |||
429 | 217 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium | 565 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
430 | 218 | 566 | ||
431 | 219 | * New upstream version 9.11.2-P1 | 567 | * New upstream version 9.11.2-P1 |
432 | @@ -389,6 +737,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium | |||
433 | 389 | 737 | ||
434 | 390 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 | 738 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
435 | 391 | 739 | ||
436 | 740 | bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium | ||
437 | 741 | |||
438 | 742 | * Merge with Debian unstable (LP: #1712920). Remaining changes: | ||
439 | 743 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
440 | 744 | (LP #1536181). | ||
441 | 745 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
442 | 746 | - d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
443 | 747 | introduced with the CVE-2016-8864.patch and fixed in | ||
444 | 748 | CVE-2016-8864-regression.patch. | ||
445 | 749 | - d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
446 | 750 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
447 | 751 | and fixed in CVE-2016-8864-regression2.patch. | ||
448 | 752 | - d/control, d/rules: add json support for the statistics channels. | ||
449 | 753 | (LP #1669193) | ||
450 | 754 | |||
451 | 755 | -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 | ||
452 | 756 | |||
453 | 757 | bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium | ||
454 | 758 | |||
455 | 759 | * Non-maintainer upload. | ||
456 | 760 | * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) | ||
457 | 761 | |||
458 | 762 | -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 | ||
459 | 763 | |||
460 | 764 | bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium | ||
461 | 765 | |||
462 | 766 | * Merge with Debian unstable (LP: #1701687). Remaining changes: | ||
463 | 767 | - Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
464 | 768 | (LP #1536181). | ||
465 | 769 | - rules: Fix path to libsofthsm2.so. (LP #1685780) | ||
466 | 770 | * Drop: | ||
467 | 771 | - SECURITY UPDATE: denial of service via assertion failure | ||
468 | 772 | + debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
469 | 773 | lib/dns/message.c. | ||
470 | 774 | + CVE-2016-2776 | ||
471 | 775 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
472 | 776 | - SECURITY UPDATE: assertion failure via class mismatch | ||
473 | 777 | + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
474 | 778 | records in lib/dns/resolver.c. | ||
475 | 779 | + CVE-2016-9131 | ||
476 | 780 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
477 | 781 | - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
478 | 782 | + debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
479 | 783 | returned without the requested data in lib/dns/resolver.c. | ||
480 | 784 | + CVE-2016-9147 | ||
481 | 785 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
482 | 786 | - SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
483 | 787 | + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
484 | 788 | lib/dns/message.c, lib/dns/resolver.c. | ||
485 | 789 | + CVE-2016-9444 | ||
486 | 790 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11] | ||
487 | 791 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
488 | 792 | + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
489 | 793 | responses in lib/dns/resolver.c, added tests to | ||
490 | 794 | bin/tests/system/dname/ns2/example.db, | ||
491 | 795 | bin/tests/system/dname/tests.sh. | ||
492 | 796 | + No CVE number | ||
493 | 797 | + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] | ||
494 | 798 | - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
495 | 799 | a NULL pointer | ||
496 | 800 | + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
497 | 801 | combination in bin/named/query.c, lib/dns/message.c, | ||
498 | 802 | lib/dns/rdataset.c. | ||
499 | 803 | + CVE-2017-3135 | ||
500 | 804 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
501 | 805 | - SECURITY UPDATE: regression in CVE-2016-8864 | ||
502 | 806 | + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
503 | 807 | was still being cached when it should have been in lib/dns/resolver.c, | ||
504 | 808 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
505 | 809 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
506 | 810 | + No CVE number | ||
507 | 811 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12] | ||
508 | 812 | - SECURITY UPDATE: Denial of Service due to an error handling | ||
509 | 813 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
510 | 814 | + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
511 | 815 | called. | ||
512 | 816 | + CVE-2017-3136 | ||
513 | 817 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
514 | 818 | - SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
515 | 819 | processing a response packet containing a CNAME or DNAME | ||
516 | 820 | + debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
517 | 821 | ordering of answer components; add testcases. | ||
518 | 822 | + CVE-2017-3137 | ||
519 | 823 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] | ||
520 | 824 | - SECURITY UPDATE: Denial of Service when receiving a null command on | ||
521 | 825 | the control channel | ||
522 | 826 | + debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
523 | 827 | command token is given; add testcase. | ||
524 | 828 | + CVE-2017-3138 | ||
525 | 829 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] | ||
526 | 830 | - SECURITY UPDATE: TSIG authentication issues | ||
527 | 831 | + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
528 | 832 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
529 | 833 | + CVE-2017-3142 | ||
530 | 834 | + CVE-2017-3143 | ||
531 | 835 | + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] | ||
532 | 836 | * d/p/CVE-2016-8864-regression-test.patch: tests for the regression | ||
533 | 837 | introduced with the CVE-2016-8864.patch and fixed in | ||
534 | 838 | CVE-2016-8864-regression.patch. | ||
535 | 839 | * d/p/CVE-2016-8864-regression2-test.patch: tests for the second | ||
536 | 840 | regression (RT #44318) introduced with the CVE-2016-8864.patch | ||
537 | 841 | and fixed in CVE-2016-8864-regression2.patch. | ||
538 | 842 | * d/control, d/rules: add json support for the statistics channels. | ||
539 | 843 | (LP: #1669193) | ||
540 | 844 | |||
541 | 845 | -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 | ||
542 | 846 | |||
543 | 847 | bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium | ||
544 | 848 | |||
545 | 849 | * Non-maintainer upload. | ||
546 | 850 | * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG | ||
547 | 851 | signed TCP message sequences where not all the messages contain TSIG | ||
548 | 852 | records. These may be used in AXFR and IXFR responses. | ||
549 | 853 | (Closes: #868952) | ||
550 | 854 | |||
551 | 855 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 | ||
552 | 856 | |||
553 | 857 | bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high | ||
554 | 858 | |||
555 | 859 | * Non-maintainer upload. | ||
556 | 860 | |||
557 | 861 | [ Yves-Alexis Perez ] | ||
558 | 862 | * debian/patches: | ||
559 | 863 | - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses | ||
560 | 864 | CVE-2017-3142: error in TSIG authentication can permit unauthorized zone | ||
561 | 865 | transfers. An attacker may be able to circumvent TSIG authentication of | ||
562 | 866 | AXFR and Notify requests. | ||
563 | 867 | CVE-2017-3143: error in TSIG authentication can permit unauthorized | ||
564 | 868 | dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) | ||
565 | 869 | signature for a dynamic update. | ||
566 | 870 | (Closes: #866564) | ||
567 | 871 | |||
568 | 872 | -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 | ||
569 | 873 | |||
570 | 392 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium | 874 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
571 | 393 | 875 | ||
572 | 394 | [ Bernhard Schmidt ] | 876 | [ Bernhard Schmidt ] |
573 | @@ -495,6 +977,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium | |||
574 | 495 | 977 | ||
575 | 496 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 | 978 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
576 | 497 | 979 | ||
577 | 980 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium | ||
578 | 981 | |||
579 | 982 | * SECURITY UPDATE: TSIG authentication issues | ||
580 | 983 | - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in | ||
581 | 984 | lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. | ||
582 | 985 | - CVE-2017-3142 | ||
583 | 986 | - CVE-2017-3143 | ||
584 | 987 | |||
585 | 988 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 | ||
586 | 989 | |||
587 | 990 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium | ||
588 | 991 | |||
589 | 992 | * rules: Fix path to libsofthsm2.so. (LP: #1685780) | ||
590 | 993 | |||
591 | 994 | -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 | ||
592 | 995 | |||
593 | 996 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium | ||
594 | 997 | |||
595 | 998 | * SECURITY UPDATE: Denial of Service due to an error handling | ||
596 | 999 | synthesized records when using DNS64 with "break-dnssec yes;" | ||
597 | 1000 | - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() | ||
598 | 1001 | called. | ||
599 | 1002 | - CVE-2017-3136 | ||
600 | 1003 | * SECURITY UPDATE: Denial of Service due to resolver terminating when | ||
601 | 1004 | processing a response packet containing a CNAME or DNAME | ||
602 | 1005 | - debian/patches/CVE-2017-3137.patch: don't expect a specific | ||
603 | 1006 | ordering of answer components; add testcases. | ||
604 | 1007 | - CVE-2017-3137 | ||
605 | 1008 | * SECURITY UPDATE: Denial of Service when receiving a null command on | ||
606 | 1009 | the control channel | ||
607 | 1010 | - debian/patches/CVE-2017-3138.patch: don't throw an assert if no | ||
608 | 1011 | command token is given; add testcase. | ||
609 | 1012 | - CVE-2017-3138 | ||
610 | 1013 | |||
611 | 1014 | -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 | ||
612 | 1015 | |||
613 | 1016 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium | ||
614 | 1017 | |||
615 | 1018 | * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing | ||
616 | 1019 | a NULL pointer | ||
617 | 1020 | - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz | ||
618 | 1021 | combination in bin/named/query.c, lib/dns/message.c, | ||
619 | 1022 | lib/dns/rdataset.c. | ||
620 | 1023 | - CVE-2017-3135 | ||
621 | 1024 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
622 | 1025 | - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME | ||
623 | 1026 | was still being cached when it should have been in lib/dns/resolver.c, | ||
624 | 1027 | added tests to bin/tests/system/dname/ans3/ans.pl, | ||
625 | 1028 | bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. | ||
626 | 1029 | - No CVE number | ||
627 | 1030 | |||
628 | 1031 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 | ||
629 | 1032 | |||
630 | 1033 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium | ||
631 | 1034 | |||
632 | 1035 | * SECURITY UPDATE: assertion failure via class mismatch | ||
633 | 1036 | - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY | ||
634 | 1037 | records in lib/dns/resolver.c. | ||
635 | 1038 | - CVE-2016-9131 | ||
636 | 1039 | * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information | ||
637 | 1040 | - debian/patches/CVE-2016-9147.patch: fix logic when records are | ||
638 | 1041 | returned without the requested data in lib/dns/resolver.c. | ||
639 | 1042 | - CVE-2016-9147 | ||
640 | 1043 | * SECURITY UPDATE: assertion failure via unusually-formed DS record | ||
641 | 1044 | - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in | ||
642 | 1045 | lib/dns/message.c, lib/dns/resolver.c. | ||
643 | 1046 | - CVE-2016-9444 | ||
644 | 1047 | * SECURITY UPDATE: regression in CVE-2016-8864 | ||
645 | 1048 | - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in | ||
646 | 1049 | responses in lib/dns/resolver.c, added tests to | ||
647 | 1050 | bin/tests/system/dname/ns2/example.db, | ||
648 | 1051 | bin/tests/system/dname/tests.sh. | ||
649 | 1052 | - No CVE number | ||
650 | 1053 | |||
651 | 1054 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 | ||
652 | 1055 | |||
653 | 1056 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium | ||
654 | 1057 | |||
655 | 1058 | * Add RemainAfterExit to bind9-resolvconf unit configuration file | ||
656 | 1059 | (LP: #1536181). | ||
657 | 1060 | |||
658 | 1061 | -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 | ||
659 | 1062 | |||
660 | 1063 | bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium | ||
661 | 1064 | |||
662 | 1065 | * SECURITY UPDATE: denial of service via assertion failure | ||
663 | 1066 | - debian/patches/CVE-2016-2776.patch: properly handle lengths in | ||
664 | 1067 | lib/dns/message.c. | ||
665 | 1068 | - CVE-2016-2776 | ||
666 | 1069 | |||
667 | 1070 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 | ||
668 | 1071 | |||
669 | 498 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium | 1072 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
670 | 499 | 1073 | ||
671 | 500 | * Non-maintainer upload. | 1074 | * Non-maintainer upload. |
672 | diff --git a/debian/control b/debian/control | |||
673 | index 73c2a17..3d7f03d 100644 | |||
674 | --- a/debian/control | |||
675 | +++ b/debian/control | |||
676 | @@ -1,7 +1,8 @@ | |||
677 | 1 | Source: bind9 | 1 | Source: bind9 |
678 | 2 | Section: net | 2 | Section: net |
679 | 3 | Priority: optional | 3 | Priority: optional |
681 | 4 | Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
682 | 5 | XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> | ||
683 | 5 | Uploaders: LaMont Jones <lamont@debian.org>, | 6 | Uploaders: LaMont Jones <lamont@debian.org>, |
684 | 6 | Michael Gilbert <mgilbert@debian.org>, | 7 | Michael Gilbert <mgilbert@debian.org>, |
685 | 7 | Robie Basak <robie.basak@canonical.com>, | 8 | Robie Basak <robie.basak@canonical.com>, |
686 | @@ -15,18 +16,14 @@ Build-Depends: bison, | |||
687 | 15 | dpkg-dev (>= 1.16.1~), | 16 | dpkg-dev (>= 1.16.1~), |
688 | 16 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], | 17 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], |
689 | 17 | libdb-dev (>>4.6), | 18 | libdb-dev (>>4.6), |
690 | 18 | libfstrm-dev, | ||
691 | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), | 19 | libgeoip-dev (>= 1.4.6.dfsg-5), |
692 | 20 | libidn2-dev, | 20 | libidn2-dev, |
693 | 21 | libjson-c-dev, | 21 | libjson-c-dev, |
694 | 22 | libkrb5-dev, | 22 | libkrb5-dev, |
695 | 23 | libldap2-dev, | 23 | libldap2-dev, |
696 | 24 | liblmdb-dev, | ||
697 | 25 | libprotobuf-c-dev, | ||
698 | 26 | libssl-dev, | 24 | libssl-dev, |
699 | 27 | libtool, | 25 | libtool, |
700 | 28 | libxml2-dev, | 26 | libxml2-dev, |
701 | 29 | protobuf-c-compiler, | ||
702 | 30 | python3, | 27 | python3, |
703 | 31 | python3-distutils, | 28 | python3-distutils, |
704 | 32 | python3-ply | 29 | python3-ply |
705 | diff --git a/debian/dnsutils.install b/debian/dnsutils.install | |||
706 | index 90e4fba..5e6b7d9 100644 | |||
707 | --- a/debian/dnsutils.install | |||
708 | +++ b/debian/dnsutils.install | |||
709 | @@ -1,12 +1,10 @@ | |||
710 | 1 | usr/bin/delv | 1 | usr/bin/delv |
711 | 2 | usr/bin/dig | 2 | usr/bin/dig |
712 | 3 | usr/bin/dnstap-read | ||
713 | 4 | usr/bin/mdig | 3 | usr/bin/mdig |
714 | 5 | usr/bin/nslookup | 4 | usr/bin/nslookup |
715 | 6 | usr/bin/nsupdate | 5 | usr/bin/nsupdate |
716 | 7 | usr/share/man/man1/delv.1 | 6 | usr/share/man/man1/delv.1 |
717 | 8 | usr/share/man/man1/dig.1 | 7 | usr/share/man/man1/dig.1 |
718 | 9 | usr/share/man/man1/dnstap-read.1 | ||
719 | 10 | usr/share/man/man1/mdig.1 | 8 | usr/share/man/man1/mdig.1 |
720 | 11 | usr/share/man/man1/nslookup.1 | 9 | usr/share/man/man1/nslookup.1 |
721 | 12 | usr/share/man/man1/nsupdate.1 | 10 | usr/share/man/man1/nsupdate.1 |
722 | diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols | |||
723 | index d7c98d4..7b6020e 100644 | |||
724 | --- a/debian/libdns1104.symbols | |||
725 | +++ b/debian/libdns1104.symbols | |||
726 | @@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
727 | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 358 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
728 | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 359 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
729 | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 360 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
730 | 361 | dns_dt_attach@Base 1:9.11.4.P1 | ||
731 | 362 | dns_dt_close@Base 1:9.11.4.P1 | ||
732 | 363 | dns_dt_create@Base 1:9.11.4.P1 | ||
733 | 364 | dns_dt_datatotext@Base 1:9.11.4.P1 | ||
734 | 365 | dns_dt_detach@Base 1:9.11.4.P1 | ||
735 | 366 | dns_dt_getframe@Base 1:9.11.4.P1 | ||
736 | 367 | dns_dt_getstats@Base 1:9.11.4.P1 | ||
737 | 368 | dns_dt_open@Base 1:9.11.4.P1 | ||
738 | 369 | dns_dt_parse@Base 1:9.11.4.P1 | ||
739 | 370 | dns_dt_reopen@Base 1:9.11.4.P1 | ||
740 | 371 | dns_dt_send@Base 1:9.11.4.P1 | ||
741 | 372 | dns_dt_setidentity@Base 1:9.11.4.P1 | ||
742 | 373 | dns_dt_setversion@Base 1:9.11.4.P1 | ||
743 | 374 | dns_dt_shutdown@Base 1:9.11.4.P1 | ||
744 | 375 | dns_dtdata_free@Base 1:9.11.4.P1 | ||
745 | 376 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 361 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
746 | 377 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 362 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
747 | 378 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 363 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
748 | @@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# | |||
749 | 1443 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 1428 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
750 | 1444 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 1429 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
751 | 1445 | dns_zt_unmount@Base 1:9.11.3+dfsg | 1430 | dns_zt_unmount@Base 1:9.11.3+dfsg |
752 | 1446 | dnstap__dnstap__descriptor@Base 1:9.11.4.P1 | ||
753 | 1447 | dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 | ||
754 | 1448 | dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 | ||
755 | 1449 | dnstap__dnstap__init@Base 1:9.11.4.P1 | ||
756 | 1450 | dnstap__dnstap__pack@Base 1:9.11.4.P1 | ||
757 | 1451 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 | ||
758 | 1452 | dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 | ||
759 | 1453 | dnstap__dnstap__unpack@Base 1:9.11.4.P1 | ||
760 | 1454 | dnstap__message__descriptor@Base 1:9.11.4.P1 | ||
761 | 1455 | dnstap__message__free_unpacked@Base 1:9.11.4.P1 | ||
762 | 1456 | dnstap__message__get_packed_size@Base 1:9.11.4.P1 | ||
763 | 1457 | dnstap__message__init@Base 1:9.11.4.P1 | ||
764 | 1458 | dnstap__message__pack@Base 1:9.11.4.P1 | ||
765 | 1459 | dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 | ||
766 | 1460 | dnstap__message__type__descriptor@Base 1:9.11.4.P1 | ||
767 | 1461 | dnstap__message__unpack@Base 1:9.11.4.P1 | ||
768 | 1462 | dnstap__socket_family__descriptor@Base 1:9.11.4.P1 | ||
769 | 1463 | dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 | ||
770 | 1464 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 1431 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
771 | 1465 | dst__entropy_status@Base 1:9.11.3+dfsg | 1432 | dst__entropy_status@Base 1:9.11.3+dfsg |
772 | 1466 | dst__gssapi_init@Base 1:9.11.3+dfsg | 1433 | dst__gssapi_init@Base 1:9.11.3+dfsg |
773 | @@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
774 | 1940 | dns_dsdigest_format@Base 1:9.11.3+dfsg | 1907 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
775 | 1941 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg | 1908 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
776 | 1942 | dns_dsdigest_totext@Base 1:9.11.3+dfsg | 1909 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
777 | 1943 | dns_dt_attach@Base 1:9.11.4.P1 | ||
778 | 1944 | dns_dt_close@Base 1:9.11.4.P1 | ||
779 | 1945 | dns_dt_create@Base 1:9.11.4.P1 | ||
780 | 1946 | dns_dt_datatotext@Base 1:9.11.4.P1 | ||
781 | 1947 | dns_dt_detach@Base 1:9.11.4.P1 | ||
782 | 1948 | dns_dt_getframe@Base 1:9.11.4.P1 | ||
783 | 1949 | dns_dt_getstats@Base 1:9.11.4.P1 | ||
784 | 1950 | dns_dt_open@Base 1:9.11.4.P1 | ||
785 | 1951 | dns_dt_parse@Base 1:9.11.4.P1 | ||
786 | 1952 | dns_dt_reopen@Base 1:9.11.4.P1 | ||
787 | 1953 | dns_dt_send@Base 1:9.11.4.P1 | ||
788 | 1954 | dns_dt_setidentity@Base 1:9.11.4.P1 | ||
789 | 1955 | dns_dt_setversion@Base 1:9.11.4.P1 | ||
790 | 1956 | dns_dt_shutdown@Base 1:9.11.4.P1 | ||
791 | 1957 | dns_dtdata_free@Base 1:9.11.4.P1 | ||
792 | 1958 | dns_dumpctx_attach@Base 1:9.11.3+dfsg | 1910 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
793 | 1959 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg | 1911 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
794 | 1960 | dns_dumpctx_db@Base 1:9.11.3+dfsg | 1912 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
795 | @@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER# | |||
796 | 3032 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg | 2984 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
797 | 3033 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg | 2985 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
798 | 3034 | dns_zt_unmount@Base 1:9.11.3+dfsg | 2986 | dns_zt_unmount@Base 1:9.11.3+dfsg |
799 | 3035 | dnstap__dnstap__descriptor@Base 1:9.11.4.P1 | ||
800 | 3036 | dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 | ||
801 | 3037 | dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 | ||
802 | 3038 | dnstap__dnstap__init@Base 1:9.11.4.P1 | ||
803 | 3039 | dnstap__dnstap__pack@Base 1:9.11.4.P1 | ||
804 | 3040 | dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 | ||
805 | 3041 | dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 | ||
806 | 3042 | dnstap__dnstap__unpack@Base 1:9.11.4.P1 | ||
807 | 3043 | dnstap__message__descriptor@Base 1:9.11.4.P1 | ||
808 | 3044 | dnstap__message__free_unpacked@Base 1:9.11.4.P1 | ||
809 | 3045 | dnstap__message__get_packed_size@Base 1:9.11.4.P1 | ||
810 | 3046 | dnstap__message__init@Base 1:9.11.4.P1 | ||
811 | 3047 | dnstap__message__pack@Base 1:9.11.4.P1 | ||
812 | 3048 | dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 | ||
813 | 3049 | dnstap__message__type__descriptor@Base 1:9.11.4.P1 | ||
814 | 3050 | dnstap__message__unpack@Base 1:9.11.4.P1 | ||
815 | 3051 | dnstap__socket_family__descriptor@Base 1:9.11.4.P1 | ||
816 | 3052 | dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 | ||
817 | 3053 | dst__entropy_getdata@Base 1:9.11.3+dfsg | 2987 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
818 | 3054 | dst__entropy_status@Base 1:9.11.3+dfsg | 2988 | dst__entropy_status@Base 1:9.11.3+dfsg |
819 | 3055 | dst__gssapi_init@Base 1:9.11.3+dfsg | 2989 | dst__gssapi_init@Base 1:9.11.3+dfsg |
820 | diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff | |||
821 | 3056 | new file mode 100644 | 2990 | new file mode 100644 |
822 | index 0000000..5444ae7 | |||
823 | --- /dev/null | |||
824 | +++ b/debian/patches/enable-udp-in-host-command.diff | |||
825 | @@ -0,0 +1,26 @@ | |||
826 | 1 | Description: Fix parsing of host(1)'s -U command line option | ||
827 | 2 | Author: Andreas Hasenack <andreas@canonical.com> | ||
828 | 3 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769 | ||
829 | 4 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648 | ||
830 | 5 | Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935 | ||
831 | 6 | Last-Update: 2018-12-06 | ||
832 | 7 | --- | ||
833 | 8 | This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ | ||
834 | 9 | --- a/bin/dig/host.c | ||
835 | 10 | +++ b/bin/dig/host.c | ||
836 | 11 | @@ -158,6 +158,7 @@ | ||
837 | 12 | " -s a SERVFAIL response should stop query\n" | ||
838 | 13 | " -t specifies the query type\n" | ||
839 | 14 | " -T enables TCP/IP mode\n" | ||
840 | 15 | +" -U enables UDP mode\n" | ||
841 | 16 | " -v enables verbose output\n" | ||
842 | 17 | " -V print version number and exit\n" | ||
843 | 18 | " -w specifies to wait forever for a reply\n" | ||
844 | 19 | @@ -657,6 +658,7 @@ | ||
845 | 20 | case 'N': break; | ||
846 | 21 | case 'R': break; | ||
847 | 22 | case 'T': break; | ||
848 | 23 | + case 'U': break; | ||
849 | 24 | case 'W': break; | ||
850 | 25 | default: | ||
851 | 26 | show_usage(); | ||
852 | diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff | |||
853 | 0 | new file mode 100644 | 27 | new file mode 100644 |
854 | index 0000000..f10f51f | |||
855 | --- /dev/null | |||
856 | +++ b/debian/patches/fix-shutdown-race.diff | |||
857 | @@ -0,0 +1,41 @@ | |||
858 | 1 | From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001 | ||
859 | 2 | From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> | ||
860 | 3 | Date: Tue, 13 Nov 2018 13:50:47 +0100 | ||
861 | 4 | Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c | ||
862 | 5 | |||
863 | 6 | If a tool using the routines defined in bin/dig/dighost.c is sent an | ||
864 | 7 | interruption signal around the time a connection timeout is scheduled to | ||
865 | 8 | fire, connect_timeout() may be executed after destroy_libs() detaches | ||
866 | 9 | from the global task (setting 'global_task' to NULL), which results in a | ||
867 | 10 | crash upon a UDP retry due to bringup_timer() attempting to create a | ||
868 | 11 | timer with 'task' set to NULL. Fix by preventing connect_timeout() from | ||
869 | 12 | attempting a retry when shutdown is in progress. | ||
870 | 13 | |||
871 | 14 | (cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b) | ||
872 | 15 | |||
873 | 16 | Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs | ||
874 | 17 | Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599 | ||
875 | 18 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926 | ||
876 | 19 | Last-Update: 2018-12-06 | ||
877 | 20 | |||
878 | 21 | --- | ||
879 | 22 | bin/dig/dighost.c | 5 +++++ | ||
880 | 23 | 1 file changed, 5 insertions(+) | ||
881 | 24 | diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c | ||
882 | 25 | index 39abb9d0fd..17e0328228 100644 | ||
883 | 26 | --- a/bin/dig/dighost.c | ||
884 | 27 | +++ b/bin/dig/dighost.c | ||
885 | 28 | @@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { | ||
886 | 29 | |||
887 | 30 | INSIST(!free_now); | ||
888 | 31 | |||
889 | 32 | + if (cancel_now) { | ||
890 | 33 | + UNLOCK_LOOKUP; | ||
891 | 34 | + return; | ||
892 | 35 | + } | ||
893 | 36 | + | ||
894 | 37 | if ((query != NULL) && (query->lookup->current_query != NULL) && | ||
895 | 38 | ISC_LINK_LINKED(query->lookup->current_query, link) && | ||
896 | 39 | (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { | ||
897 | 40 | -- | ||
898 | 41 | 2.18.1 | ||
899 | diff --git a/debian/patches/series b/debian/patches/series | |||
900 | index c303f7f..11e3421 100644 | |||
901 | --- a/debian/patches/series | |||
902 | +++ b/debian/patches/series | |||
903 | @@ -13,3 +13,5 @@ keymgr-dont-immediately-delete.diff | |||
904 | 13 | 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch | 13 | 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch |
905 | 14 | 0014-Disable-broken-Ed448-support.patch | 14 | 0014-Disable-broken-Ed448-support.patch |
906 | 15 | 0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch | 15 | 0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch |
907 | 16 | enable-udp-in-host-command.diff | ||
908 | 17 | fix-shutdown-race.diff | ||
909 | diff --git a/debian/rules b/debian/rules | |||
910 | index c8d745c..717ecb9 100755 | |||
911 | --- a/debian/rules | |||
912 | +++ b/debian/rules | |||
913 | @@ -91,7 +91,7 @@ override_dh_auto_configure: | |||
914 | 91 | --with-gssapi=/usr \ | 91 | --with-gssapi=/usr \ |
915 | 92 | --with-libidn2 \ | 92 | --with-libidn2 \ |
916 | 93 | --with-libjson=/usr \ | 93 | --with-libjson=/usr \ |
918 | 94 | --with-lmdb=/usr \ | 94 | --without-lmdb \ |
919 | 95 | --with-gnu-ld \ | 95 | --with-gnu-ld \ |
920 | 96 | --with-geoip=/usr \ | 96 | --with-geoip=/usr \ |
921 | 97 | --with-atf=no \ | 97 | --with-atf=no \ |
922 | @@ -101,7 +101,6 @@ override_dh_auto_configure: | |||
923 | 101 | --enable-native-pkcs11 \ | 101 | --enable-native-pkcs11 \ |
924 | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ | 102 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ |
925 | 103 | --with-randomdev=/dev/urandom \ | 103 | --with-randomdev=/dev/urandom \ |
926 | 104 | --enable-dnstap \ | ||
927 | 105 | $(EXTRA_FEATURES) | 104 | $(EXTRA_FEATURES) |
928 | 106 | dh_auto_configure -B build-udeb -- \ | 105 | dh_auto_configure -B build-udeb -- \ |
929 | 107 | --sysconfdir=/etc/bind \ | 106 | --sysconfdir=/etc/bind \ |
930 | @@ -126,8 +125,6 @@ override_dh_auto_configure: | |||
931 | 126 | # no need to build these targets here | 125 | # no need to build these targets here |
932 | 127 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile | 126 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile |
933 | 128 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile | 127 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile |
934 | 129 | cp lib/dns/dnstap.proto build/lib/dns | ||
935 | 130 | cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11 | ||
936 | 131 | 128 | ||
937 | 132 | override_dh_auto_build: | 129 | override_dh_auto_build: |
938 | 133 | dh_auto_build -B build | 130 | dh_auto_build -B build |
939 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest | |||
940 | index 468a7c5..34b0b25 100755 | |||
941 | --- a/debian/tests/simpletest | |||
942 | +++ b/debian/tests/simpletest | |||
943 | @@ -10,10 +10,6 @@ setup() { | |||
944 | 10 | run() { | 10 | run() { |
945 | 11 | # Make a query against a local zone | 11 | # Make a query against a local zone |
946 | 12 | dig -x 127.0.0.1 @127.0.0.1 | 12 | dig -x 127.0.0.1 @127.0.0.1 |
947 | 13 | |||
948 | 14 | # Make a query against an external nameserver and check for DNSSEC validation | ||
949 | 15 | echo "Checking for DNSSEC validation status of internetsociety.org" | ||
950 | 16 | dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' | ||
951 | 17 | } | 13 | } |
952 | 18 | 14 | ||
953 | 19 | teardown() { | 15 | teardown() { |
+1