Author: Marc Deslauriers
Revision Date: 2015-09-01 14:07:19 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslrsa_link.c,
    lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 14:07:19 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslrsa_link.c,
    lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 14:00:51 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 14:00:51 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 14:00:06 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 14:00:06 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 13:54:11 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-09-01 13:54:11 UTC

* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
  via malformed keys
  - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
    lib/dns/ncache.c, lib/dns/openssldh_link.c,
    lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
    lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
  - CVE-2015-5722

Author: Marc Deslauriers
Revision Date: 2015-06-29 15:00:07 UTC

* SECURITY UPDATE: resolver DoS via specially crafted zone data
  - lib/dns/validator.c: don't use uninitialized fixedname.
  - CVE-2015-4620

Author: Marc Deslauriers
Revision Date: 2015-06-29 15:00:07 UTC

* SECURITY UPDATE: resolver DoS via specially crafted zone data
  - lib/dns/validator.c: don't use uninitialized fixedname.
  - CVE-2015-4620

Author: Valdemar Jakobsen
Revision Date: 2015-04-27 08:53:32 UTC

Fix for init script to correctly display status when running inside a
chroot environment.

Author: Michael Gilbert
Revision Date: 2015-02-19 03:42:21 UTC

Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
affecting setups using DNSSEC (closes: #778733).

Author: Michael Gilbert
Revision Date: 2015-02-19 03:42:21 UTC

Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
affecting setups using DNSSEC (closes: #778733).

Author: Marc Deslauriers
Revision Date: 2014-12-09 13:46:06 UTC

* SECURITY UPDATE: denial of service via delegation handling defect
  - limit max recursion in bin/named/config.c, bin/named/query.c,
    bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
    lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
    lib/export/isc/Makefile.in, lib/isc/Makefile.in, lib/isc/counter.c,
    lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
    lib/isc/include/isc/types.h, lib/isc/tests/counter_test.c,
    lib/isccfg/namedconf.c.
  - Based on patch provided by upstream.
  - CVE-2014-8500

Author: Marc Deslauriers
Revision Date: 2014-12-09 13:46:06 UTC

* SECURITY UPDATE: denial of service via delegation handling defect
  - limit max recursion in bin/named/config.c, bin/named/query.c,
    bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
    lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
    lib/export/isc/Makefile.in, lib/isc/Makefile.in, lib/isc/counter.c,
    lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
    lib/isc/include/isc/types.h, lib/isc/tests/counter_test.c,
    lib/isccfg/namedconf.c.
  - Based on patch provided by upstream.
  - CVE-2014-8500

Author: Michael Gilbert
Revision Date: 2014-10-13 04:37:55 UTC

* Non-maintainer upload.
* Mark critical section as not parallel in the makefile. Closes: #762766

Author: Michael Gilbert
Revision Date: 2014-10-13 04:37:55 UTC

* Non-maintainer upload.
* Mark critical section as not parallel in the makefile. Closes: #762766

Author: Kernevil
Revision Date: 2014-03-31 13:50:50 UTC

sdlz patch to also send hmac keys to dlz implementation

Author: Kernevil
Revision Date: 2014-03-31 13:48:23 UTC

sdlz patch to also send hmac keys to dlz implementation

Author: Kernevil
Revision Date: 2014-03-31 13:38:25 UTC

Fix changelog

Author: LaMont Jones
Revision Date: 2014-03-24 06:55:55 UTC

Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823

Author: LaMont Jones
Revision Date: 2014-03-24 06:55:55 UTC

Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823

Author: Leo Iannacone
Revision Date: 2014-02-26 17:24:47 UTC

New patch fix-deliver-rll-h.patch:
Deliver rrl.h in libbind-dev (LP: #1277205).

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:41:43 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.9.4-P2.
  - CVE-2014-0591

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:41:43 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.9.4-P2.
  - CVE-2014-0591

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:43:20 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.8.6-P2.
  - CVE-2014-0591

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:43:20 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.8.6-P2.
  - CVE-2014-0591

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:42:41 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.9.4-P2.
  - CVE-2014-0591

Author: Marc Deslauriers
Revision Date: 2014-01-10 09:42:41 UTC

* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
  queries
  - debian/patches/CVE-2014-0591.patch: don't call memcpy with
    overlapping ranges in bin/named/query.c.
  - patch backported from 9.9.4-P2.
  - CVE-2014-0591

Author: Adam Conrad
Revision Date: 2013-10-07 23:09:45 UTC

Use dh_autotools-dev to update config.{sub,guess} for new ports.

Author: Adam Conrad
Revision Date: 2013-10-07 23:09:45 UTC

Use dh_autotools-dev to update config.{sub,guess} for new ports.

Author: Yolanda Robla
Revision Date: 2013-07-11 12:18:30 UTC

updated way to get distribution

Author: Robie Basak
Revision Date: 2013-04-10 16:50:28 UTC

* configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475).
* debian/control: add Build-Depends on dh-autoreconf.
* debian/rules: use dh_autoreconf and dh_autoreconf_clean.

Author: Robie Basak
Revision Date: 2013-04-10 16:50:28 UTC

* configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475).
* debian/control: add Build-Depends on dh-autoreconf.
* debian/rules: use dh_autoreconf and dh_autoreconf_clean.

Author: LaMont Jones
Revision Date: 2012-04-13 12:09:24 UTC

[Christoph Egger]

* define _GNU_SOURCE on kfreebsd et al. Closes: #658201

[LaMont Jones]

* chmod typo in postinst. LP: #980798
* Correctly order debhelper bits in postrm. Closes: #661040

Author: Marc Deslauriers
Revision Date: 2013-03-28 15:25:23 UTC

* SECURITY UPDATE: denial of service via regex syntax checking
  - configure,configure.in,config.h.in: remove check for regex.h to
    disable regex syntax checking.
  - CVE-2013-2266

Author: Marc Deslauriers
Revision Date: 2013-03-28 15:25:23 UTC

* SECURITY UPDATE: denial of service via regex syntax checking
  - configure,configure.in,config.h.in: remove check for regex.h to
    disable regex syntax checking.
  - CVE-2013-2266

Author: Marc Deslauriers
Revision Date: 2012-10-05 10:53:14 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-10-05 10:53:14 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-10-05 09:47:25 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-10-05 09:47:25 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-10-05 09:41:37 UTC

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

Author: Marc Deslauriers
Revision Date: 2012-09-12 15:57:47 UTC

* SECURITY UPDATE: denial of service via large crafted resource record
  - check length in lib/dns/include/dns/rdata.h,
    lib/dns/{master,rdata,rdataslab}.c. Added tests to
    lib/dns/tests/Makefile.in, lib/dns/tests/{master,rdata}_test.c,
    lib/dns/tests/testdata/master/master1{5,6}.data.
  - Patch backported from 9.8.3-P3
  - CVE-2012-4244

Author: Marc Deslauriers
Revision Date: 2011-11-16 14:27:21 UTC

* SECURITY UPDATE: denial of service via specially crafted packet
  - debian/patches/CVE-2011-4313.patch: correctly handle cache lookups
    that return RRSIG data associated with nonexistent records in
    bin/named/query.c,lib/dns/rbtdb.c.
  - CVE-2011-4313

Author: Marc Deslauriers
Revision Date: 2011-11-16 14:27:21 UTC

* SECURITY UPDATE: denial of service via specially crafted packet
  - debian/patches/CVE-2011-4313.patch: correctly handle cache lookups
    that return RRSIG data associated with nonexistent records in
    bin/named/query.c,lib/dns/rbtdb.c.
  - CVE-2011-4313

Author: Martin Pitt
Revision Date: 2011-07-14 14:16:46 UTC

debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)

Author: Marc Deslauriers
Revision Date: 2011-03-30 10:19:37 UTC

debian/rules, configure, contrib/dlz/config.dlz.in: use
DEB_HOST_MULTIARCH so we can find multiarch libraries and fix FTBFS.
(LP: #745642)

Author: Dave Walker
Revision Date: 2011-02-10 15:16:51 UTC

lib/dns/validator.c: Correctly check that DNSSEC/DLV auth status before
declaring the chain broken. Mainly resolving DNSSEC validation errors
when a new DS record is inserted into a trusted DNSSEC validation tree.
Causing a return of SERVFAIL to queries under the newly inserted DS.
Patch courtesy of upstream [RT #21131]. (LP: #651875)

Author: Marc Deslauriers
Revision Date: 2010-11-26 17:04:49 UTC

* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
  same type
  - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale.
  - bin/tests/system/resolver/*: added tests.
  - CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
  algorithm rollover
  - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
  - bin/tests/system/dnssec/*: added tests.
  - CVE-2010-3614

Author: Marc Deslauriers
Revision Date: 2010-11-26 17:04:49 UTC

* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
  same type
  - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale.
  - bin/tests/system/resolver/*: added tests.
  - CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
  algorithm rollover
  - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
  - bin/tests/system/dnssec/*: added tests.
  - CVE-2010-3614

Author: Marc Deslauriers
Revision Date: 2010-11-26 12:54:23 UTC

* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
  same type
  - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale. Also
    required backport of change #1997.
  - CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
  algorithm rollover
  - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
  - CVE-2010-3614

Author: Marc Deslauriers
Revision Date: 2010-11-26 12:54:23 UTC

* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
  same type
  - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale. Also
    required backport of change #1997.
  - CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
  algorithm rollover
  - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
  - CVE-2010-3614

Author: LaMont Jones
Revision Date: 2010-07-16 05:24:38 UTC

Correct conflicts for bind9-host

Author: LaMont Jones
Revision Date: 2010-03-17 09:09:35 UTC

build for upload

Author: LaMont Jones
Revision Date: 2010-03-17 09:09:35 UTC

build for upload

Author: Andres Rodriguez
Revision Date: 2010-03-16 19:23:36 UTC

* Add apport hook (LP: #533601):
  - debian/bind9.apport: Added.
  - debian/control: Build-Depends on dh-apport.
  - debian/rules: Add dh_apport.

Author: Marc Deslauriers
Revision Date: 2010-01-19 13:11:22 UTC

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: further fixes backported
    from 9.5.2-P2
  - CVE-2009-4022
* SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: fixes backported from
    9.5.2-P2
  - CVE-2010-0097

Author: Marc Deslauriers
Revision Date: 2010-01-19 13:11:22 UTC

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: further fixes backported
    from 9.5.2-P2
  - CVE-2009-4022
* SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: fixes backported from
    9.5.2-P2
  - CVE-2010-0097

Author: Marc Deslauriers
Revision Date: 2010-01-19 13:07:12 UTC

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: further fixes backported
    from 9.5.2-P2
  - CVE-2009-4022
* SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: fixes backported from
    9.5.2-P2
  - CVE-2010-0097

Author: Marc Deslauriers
Revision Date: 2010-01-19 13:07:12 UTC

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: further fixes backported
    from 9.5.2-P2
  - CVE-2009-4022
* SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
  - bin/named/query.c, lib/dns/include/dns/{db.h,types.h},
    lib/dns/{rbtdb.c,resolver.c,validator.c}: fixes backported from
    9.5.2-P2
  - CVE-2010-0097

Author: LaMont Jones
Revision Date: 2009-08-17 06:53:11 UTC

Build-Depend on the fixed libgeoip-dev. Closes: #540973

Author: LaMont Jones
Revision Date: 2009-03-20 19:08:03 UTC

[Internet Software Consortium, Inc]

* 9.5.1-P2
  - DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479]

[LaMont Jones]

* meta: fix override disparity

[Sven Joachim]

* meta: pass host and build into configure for hybrid build machines.
  Closes: #515110

Author: Matt LaPlante
Revision Date: 2008-12-02 22:52:17 UTC

Port LaMont Jones' IPv6 fix to Intrepid. (LP: #249824)

Author: Nicolas Valcarcel
Revision Date: 2008-08-26 20:00:01 UTC

* Add ufw integration:
  - Created debian/bind9.ufw.profile
  - debian/rules:
    + install profile
  - debian/control
    + Suggest ufw

Author: LaMont Jones
Revision Date: 2008-09-26 06:38:32 UTC

* apparmor profile: add /var/log/named
* dig: add -DDIG_SIGCHASE to compile options. LP: #257682

Author: LaMont Jones
Revision Date: 2008-04-08 22:45:57 UTC

[Jamie Strandboge]

* debian/bind9.preinst: AA force-complain on upgrade without existing
  profile. LP: #204658

[LaMont Jones]

* host: manpage inaccurately describes default query. LP: #203087

Author: Jamie Strandboge
Revision Date: 2009-01-07 17:02:43 UTC

* SECURITY UPDATE: clients treat malformed signatures as good when verifying
  server DSA and ECDSA certificates.
  - update lib/dns/openssldsa_link.c to properly check the return code of
    DSA_do_verify()
  - CVE-2009-0025

Author: Soren Hansen
Revision Date: 2008-01-11 11:55:57 UTC

* l.root-servers.net. got a new IP. (LP #160176)
* Modify Maintainer value to match the DebianMaintainerField
  specification.

Author: Jamie Strandboge
Revision Date: 2009-01-07 17:02:43 UTC

* SECURITY UPDATE: clients treat malformed signatures as good when verifying
  server DSA and ECDSA certificates.
  - update lib/dns/openssldsa_link.c to properly check the return code of
    DSA_do_verify()
  - CVE-2009-0025

Author: LaMont Jones
Revision Date: 2007-10-04 08:30:55 UTC

Only deliver upstream changes with bind9-doc

Author: LaMont Jones
Revision Date: 2008-07-06 19:32:07 UTC

* SECURITY UPDATE: Randomize UDP query source ports to improve forgery resilience.
* References
  CVE-2008-1447

Author: Soren Hansen
Revision Date: 2008-01-11 11:39:21 UTC

l.root-servers.net. got a new IP. (LP #160176)

Author: LaMont Jones
Revision Date: 2008-07-06 19:32:07 UTC

* SECURITY UPDATE: Randomize UDP query source ports to improve forgery resilience.
* References
  CVE-2008-1447

Author: Martin Pitt
Revision Date: 2007-02-20 12:26:57 UTC

debian/control: Update maintainer fields according to debian-
maintainer-field spec.

Author: Soren Hansen
Revision Date: 2008-01-11 11:36:47 UTC

l.root-servers.net. got a new IP. (LP #160176)

Author: Soren Hansen
Revision Date: 2008-01-11 11:36:47 UTC

l.root-servers.net. got a new IP. (LP #160176)

Author: Kees Cook
Revision Date: 2007-07-24 13:15:45 UTC

* SECURITY UPDATE: query responses could be forged remotely.
* bin/named/client.c, lib/dispatch.c, lib/include/dispatch.h:
  upstream fixes back ported.
* References
  CVE-2007-2926

Author: Kees Cook
Revision Date: 2006-09-28 16:38:15 UTC

* SECURITY UPDATE: name servers accessible from the Internet could be
  used as an amplifier in DDoS attacks against other networks.
* debian/named.conf.options: allow recursion only on localnets. This
  matches the default configuration of listening on all interfaces, and
  gives a reasonable balance between allowing local recursion, and
  protecting the server from being used in a DDoS attack.
* References
  CVE-2006-0987
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248899

Author: Soren Hansen
Revision Date: 2008-01-11 11:35:38 UTC

l.root-servers.net. got a new IP. (LP #160176)

Author: Matthias Klose
Revision Date: 2006-02-16 13:06:30 UTC

Drop build dependency on g++-3.4 (#292958 was filed for g++-3.3,
fixed in g++-3.4 and up).

Author: Kees Cook
Revision Date: 2007-01-31 15:10:26 UTC

* SECURITY UPDATE: remote denial of service.
* lib/dns/include/dns/validator.h, lib/dns/{validator,resolver}.c,
  lib/dns/api: fixes based on upstream changes between bind 9.3.3 and
  9.3.4, thanks to Stew Benedict, applied inline.
* References
  CVE-2007-0493 CVE-2007-0494

Author: LaMont Jones
Revision Date: 2005-04-19 10:21:58 UTC

resync with debian

Author: Martin Pitt
Revision Date: 2006-09-07 14:03:41 UTC

* SECURITY UPDATE:
* lib/dns/resolver.c: Ported upstream patch from 9.3.2-P1 (thanks to LaMont
  Jones for doing that) to fix the following flaws:
  - A remote user (DNS server) can send specially crafted RRset responses in
    return to a recursive SIG query to cause the requesting named service to
    crash [CVE-2006-4095].
  - A remote user can also send specially crafted queries to trigger an
    INSIST failure and cause the requesting service(s) to crash
    [CVE-2006-4096].

Author: Thom May
Revision Date: 2004-11-29 10:53:47 UTC

* Nathaniel McCallum
  - debian/init.d: pretty initscript
  - debian/control: versioned depend on lsb-base

Author: LaMont Jones
Revision Date: 2004-09-23 09:11:37 UTC

* New upstream version. Closes: #269157 and others.
* Version debhelper build-dep. Closes: #262720