Merge ~ahasenack/ubuntu/+source/bind9:cosmic-bind9-merge-1777935 into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 0dff53cfe1e4f3b6fab2b4d95275540798616abd
Proposed branch: ~ahasenack/ubuntu/+source/bind9:cosmic-bind9-merge-1777935
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 403 lines (+315/-5)
4 files modified
debian/bind9.install (+0/-2)
debian/changelog (+312/-0)
debian/control (+2/-2)
debian/rules (+1/-1)
Reviewers:
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending
Review via email: mp+348316@code.launchpad.net

This proposal supersedes a proposal from 2018-06-20.

Description of the change

Simple merge, one single delta drop on a security patch that was adopted by Debian, one simple delta remains because the package is in universe. This is mostly to exercise the merge muscles and to reduce the work for the next time.

PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-merge-1777935/+packages (ppa:ahasenack/bind9-merge-1777935)

Christian Ehrhardt  (paelzer) wrote :

- git ubuntu Linting is good
- upgrade of the package from ppa is good
- qa regression tests - ok
- source build - ok
- lint on built source has no new errors - ok

Also it really is a minor bump, essentially the CVE moves from Ubuntu to Debian and that is it.
This is close to not necessary, looking back I guess some of my testing was not even needed :-)

LGTM

review: Approve
Andreas Hasenack (ahasenack) wrote :

Indeed, but still good to check that the delta drop didn't inadvertently drop the CVE patch :)

Thanks for the review, could you please push the upload tag and sponsor?

Christian Ehrhardt  (paelzer) wrote :

Tagged, Pushed and sponsored.
Please track migration as usual.

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
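Review bot: the removal of usr/sbin/named-nzd2nzf here has a twin in the next hunk (usr/share/man/man8/named-nzd2nzf.8), and both are only correct while debian/rules passes --without-lmdb and debian/control omits liblmdb-dev. The new 1:9.11.3+dfsg-2ubuntu1 changelog entry records the delta only as "Build without lmdb support as that package is in Universe"; please carry over the file-level breakdown from the 1:9.11.2.P1-1ubuntu2 entry (d/control, d/rules, d/bind9.install) so the next merger sees that these lines travel together and can drop or restore all of them in one step.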
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
21diff --git a/debian/changelog b/debian/changelog
22index 498470f..a4d3f9d 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,16 @@
26+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
27+
28+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ * Drop:
31+ - SECURITY UPDATE: improperly permits recursive query service
32+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
33+ in bin/named/server.c.
34+ + CVE-2018-5738
35+ [Applied in Debian's 1:9.11.3+dfsg-2]
36+
37+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
38+
39 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
40
41 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
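Review bot: the Drop item for CVE-2018-5738 rests on the bracketed note "[Applied in Debian's 1:9.11.3+dfsg-2]", and the two changelogs describe the fix differently: the Ubuntu entry names debian/patches/CVE-2018-5738.patch and configure_view_acl() in bin/named/server.c, while the Debian entry only says "Add upstream fix to close the default open recursion". The diff against debian/sid touches nothing under debian/patches, so this upload ships exactly what Debian carries; please state in the proposal which Debian patch file holds the fix and that it is listed in debian/patches/series, so the equivalence of the dropped security delta is recorded and not just implied.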
42@@ -6,6 +19,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
43
44 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
45
46+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
47+
48+ * SECURITY UPDATE: improperly permits recursive query service
49+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
50+ in bin/named/server.c.
51+ - CVE-2018-5738
52+
53+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
54+
55+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
56+
57+ * New upstream release. (LP: #1763572)
58+ - fix a crash when configured with ipa-dns-install
59+ * Merge from Debian unstable. Remaining changes:
60+ - Build without lmdb support as that package is in Universe
61+
62+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
63+
64 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
65
66 [ Bernhard Schmidt ]
67@@ -30,6 +61,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
68
69 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
70
71+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
72+
73+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
74+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
75+ <marka@isc.org>. (LP: #1755439)
76+
77+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
78+
79+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
80+
81+ * Fix apparmor profile filename (LP: #1754981)
82+
83+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
84+
85+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
86+
87+ * No change rebuild against openssl1.1.
88+
89+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
90+
91+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
92+
93+ * Build without lmdb support as that package is in Universe (LP: #1746296)
94+ - d/control: remove Build-Depends on liblmdb-dev
95+ - d/rules: configure --without-lmdb
96+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
97+ lmdb.
98+
99+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
100+
101+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
102+
103+ * Merge with Debian unstable (LP: #1744930).
104+ * Drop:
105+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
106+ (LP #1536181).
107+ [fixed in 1:9.10.6+dfsg-4]
108+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
109+ [adopted in 1:9.10.6+dfsg-5]
110+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
111+ introduced with the CVE-2016-8864.patch and fixed in
112+ CVE-2016-8864-regression.patch.
113+ [applied upstream]
114+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
115+ regression (RT #44318) introduced with the CVE-2016-8864.patch
116+ and fixed in CVE-2016-8864-regression2.patch.
117+ [applied upstream]
118+ - d/control, d/rules: add json support for the statistics channels.
119+ (LP #1669193)
120+ [adopted in 1:9.10.6+dfsg-5]
121+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
122+ listing the python ply module as a dependency (Closes: #888463)
123+
124+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
125+
126 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
127
128 * New upstream version 9.11.2-P1
129@@ -205,6 +291,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
130
131 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
132
133+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
134+
135+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
136+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
137+ (LP #1536181).
138+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
139+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
140+ introduced with the CVE-2016-8864.patch and fixed in
141+ CVE-2016-8864-regression.patch.
142+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
143+ regression (RT #44318) introduced with the CVE-2016-8864.patch
144+ and fixed in CVE-2016-8864-regression2.patch.
145+ - d/control, d/rules: add json support for the statistics channels.
146+ (LP #1669193)
147+
148+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
149+
150+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
151+
152+ * Non-maintainer upload.
153+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
154+
155+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
156+
157+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
158+
159+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
160+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
161+ (LP #1536181).
162+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
163+ * Drop:
164+ - SECURITY UPDATE: denial of service via assertion failure
165+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
166+ lib/dns/message.c.
167+ + CVE-2016-2776
168+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
169+ - SECURITY UPDATE: assertion failure via class mismatch
170+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
171+ records in lib/dns/resolver.c.
172+ + CVE-2016-9131
173+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
174+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
175+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
176+ returned without the requested data in lib/dns/resolver.c.
177+ + CVE-2016-9147
178+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
179+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
180+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
181+ lib/dns/message.c, lib/dns/resolver.c.
182+ + CVE-2016-9444
183+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
184+ - SECURITY UPDATE: regression in CVE-2016-8864
185+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
186+ responses in lib/dns/resolver.c, added tests to
187+ bin/tests/system/dname/ns2/example.db,
188+ bin/tests/system/dname/tests.sh.
189+ + No CVE number
190+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
191+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
192+ a NULL pointer
193+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
194+ combination in bin/named/query.c, lib/dns/message.c,
195+ lib/dns/rdataset.c.
196+ + CVE-2017-3135
197+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
198+ - SECURITY UPDATE: regression in CVE-2016-8864
199+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
200+ was still being cached when it should have been in lib/dns/resolver.c,
201+ added tests to bin/tests/system/dname/ans3/ans.pl,
202+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
203+ + No CVE number
204+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
205+ - SECURITY UPDATE: Denial of Service due to an error handling
206+ synthesized records when using DNS64 with "break-dnssec yes;"
207+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
208+ called.
209+ + CVE-2017-3136
210+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
211+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
212+ processing a response packet containing a CNAME or DNAME
213+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
214+ ordering of answer components; add testcases.
215+ + CVE-2017-3137
216+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
217+ - SECURITY UPDATE: Denial of Service when receiving a null command on
218+ the control channel
219+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
220+ command token is given; add testcase.
221+ + CVE-2017-3138
222+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
223+ - SECURITY UPDATE: TSIG authentication issues
224+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
225+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
226+ + CVE-2017-3142
227+ + CVE-2017-3143
228+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
229+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
230+ introduced with the CVE-2016-8864.patch and fixed in
231+ CVE-2016-8864-regression.patch.
232+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
233+ regression (RT #44318) introduced with the CVE-2016-8864.patch
234+ and fixed in CVE-2016-8864-regression2.patch.
235+ * d/control, d/rules: add json support for the statistics channels.
236+ (LP: #1669193)
237+
238+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
239+
240+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
241+
242+ * Non-maintainer upload.
243+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
244+ signed TCP message sequences where not all the messages contain TSIG
245+ records. These may be used in AXFR and IXFR responses.
246+ (Closes: #868952)
247+
248+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
249+
250+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
251+
252+ * Non-maintainer upload.
253+
254+ [ Yves-Alexis Perez ]
255+ * debian/patches:
256+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
257+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
258+ transfers. An attacker may be able to circumvent TSIG authentication of
259+ AXFR and Notify requests.
260+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
261+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
262+ signature for a dynamic update.
263+ (Closes: #866564)
264+
265+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
266+
267 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
268
269 [ Bernhard Schmidt ]
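Review bot: in the 1:9.10.3.dfsg.P4-12.5ubuntu1 Drop list, the TSIG item names the patch debian/patches/CVE-2017-3042,3043.patch but lists CVE-2017-3142 and CVE-2017-3143 beneath it, so the file name and the CVE ids disagree. Published changelog history should stay as uploaded, so no edit is requested; when auditing that a dropped security delta is really present in Debian, match on the CVE ids and not on the patch file name, since the Debian 1:9.10.3.dfsg.P4-12.4 entry in this same hunk names its patch CVE-2017-3142+CVE-2017-3143.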
270@@ -311,6 +531,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
271
272 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
273
274+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
275+
276+ * SECURITY UPDATE: TSIG authentication issues
277+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
278+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
279+ - CVE-2017-3142
280+ - CVE-2017-3143
281+
282+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
283+
284+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
285+
286+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
287+
288+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
289+
290+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
291+
292+ * SECURITY UPDATE: Denial of Service due to an error handling
293+ synthesized records when using DNS64 with "break-dnssec yes;"
294+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
295+ called.
296+ - CVE-2017-3136
297+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
298+ processing a response packet containing a CNAME or DNAME
299+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
300+ ordering of answer components; add testcases.
301+ - CVE-2017-3137
302+ * SECURITY UPDATE: Denial of Service when receiving a null command on
303+ the control channel
304+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
305+ command token is given; add testcase.
306+ - CVE-2017-3138
307+
308+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
309+
310+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
311+
312+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
313+ a NULL pointer
314+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
315+ combination in bin/named/query.c, lib/dns/message.c,
316+ lib/dns/rdataset.c.
317+ - CVE-2017-3135
318+ * SECURITY UPDATE: regression in CVE-2016-8864
319+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
320+ was still being cached when it should have been in lib/dns/resolver.c,
321+ added tests to bin/tests/system/dname/ans3/ans.pl,
322+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
323+ - No CVE number
324+
325+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
326+
327+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
328+
329+ * SECURITY UPDATE: assertion failure via class mismatch
330+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
331+ records in lib/dns/resolver.c.
332+ - CVE-2016-9131
333+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
334+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
335+ returned without the requested data in lib/dns/resolver.c.
336+ - CVE-2016-9147
337+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
338+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
339+ lib/dns/message.c, lib/dns/resolver.c.
340+ - CVE-2016-9444
341+ * SECURITY UPDATE: regression in CVE-2016-8864
342+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
343+ responses in lib/dns/resolver.c, added tests to
344+ bin/tests/system/dname/ns2/example.db,
345+ bin/tests/system/dname/tests.sh.
346+ - No CVE number
347+
348+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
349+
350+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
351+
352+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
353+ (LP: #1536181).
354+
355+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
356+
357+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
358+
359+ * SECURITY UPDATE: denial of service via assertion failure
360+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
361+ lib/dns/message.c.
362+ - CVE-2016-2776
363+
364+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
365+
366 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
367
368 * Non-maintainer upload.
369diff --git a/debian/control b/debian/control
370index 32ab301..ebe3509 100644
371--- a/debian/control
372+++ b/debian/control
373@@ -1,7 +1,8 @@
374 Source: bind9
375 Section: net
376 Priority: optional
377-Maintainer: BIND 9 Package <bind9@package.debian.org>
378+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
379+XSBC-Original-Maintainer: BIND 9 Package <bind9@package.debian.org>
380 Uploaders: LaMont Jones <lamont@debian.org>,
381 Michael Gilbert <mgilbert@debian.org>,
382 Robie Basak <robie.basak@canonical.com>,
383@@ -19,7 +20,6 @@ Build-Depends: bison,
384 libjson-c-dev,
385 libkrb5-dev,
386 libldap2-dev,
387- liblmdb-dev,
388 libssl-dev,
389 libtool,
390 libxml2-dev,
391diff --git a/debian/rules b/debian/rules
392index f1d6823..40a5097 100755
393--- a/debian/rules
394+++ b/debian/rules
395@@ -80,7 +80,7 @@ override_dh_auto_configure:
396 --with-openssl=/usr \
397 --with-gssapi=/usr \
398 --with-libjson=/usr \
399- --with-lmdb=/usr \
400+ --without-lmdb \
401 --with-gnu-ld \
402 --with-geoip=/usr \
403 --with-atf=no \
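Review bot: the change from --with-lmdb=/usr to --without-lmdb has no explanation in debian/rules itself; the reason (lmdb is in Universe, LP: #1746296) lives only in the changelog. A comment cannot sit inside the backslash-continued configure argument list, so add a one-line comment above override_dh_auto_configure that names the bug; that tells the next merger this is a deliberate Ubuntu delta and under what condition it can be dropped.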
