Merge ~ahasenack/ubuntu/+source/bind9:cosmic-merge-9.11.4+dfsg-3 into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Robie Basak
Merged at revision: a23f713b30390c517196a821e6108c63aa57631f
Proposed branch: ~ahasenack/ubuntu/+source/bind9:cosmic-merge-9.11.4+dfsg-3
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 582 lines (+332/-80)
7 files modified
debian/bind9.install (+0/-2)
debian/changelog (+328/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/extras/apparmor.d/usr.sbin.named (+1/-1)
debian/libdns1102.symbols (+0/-66)
debian/rules (+1/-4)
Reviewer Review Type Date Requested Status
Robie Basak Approve
Canonical Server Pending
Review via email: mp+351764@code.launchpad.net

Description of the change

Merge from Debian 9.11.4+dfsg-3

Added delta:
- drop dnstap build, as it requires packages from universe
- fix a typo in the apparmor profile for reading the new dnsroot hints file (probably already fixed in debian by the time you read this)

New important change: linking with libidn2, to enable idn support in dig. This fixes an old bug (over 10 years old!) in ubuntu (and debian): https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/175316

PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/bind-merge-9.11.4/+packages

While I was preparing this merge, a new debian release happened (dfsg-3), so I rebased on top of that and recreated the merge tags. I think it worked, but let me know if something is not right.

TESTING
1) idn
#Install bind from cosmic:
sudo apt install bind9

# query an IDN domain:
$ dig @127.0.0.1 +idnout räksmörgås.se
You will get:
a) a note saying dig was compiled without idn support:
;; IDN support not enabled
(...)
b) no IP
;; QUESTION SECTION:
;r\195\164ksm\195\182rg\195\165s.se. IN A

;; AUTHORITY SECTION:
se. 7158 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2018073006 1800 1800 864000 7200

Repeat with the updated package:
$ dig @127.0.0.1 +idnout räksmörgås.se
a) no note about missing IDN support
b) an actual answer after a properly formatted question section:
;; QUESTION SECTION:
;räksmörgås.se. IN A

;; ANSWER SECTION:
räksmörgås.se. 60 IN A 91.226.36.2

Finally, one can also check that the new dig is linked with libidn:
$ ldd $(which dig)|grep libidn
 libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f474a810000)

2) dns-root-data dependency:
After updating the bind9 package, check that /etc/bind/named.conf.default-zones now uses /usr/share/dns/root.hints for the "." hint root zone:
ubuntu@cosmic-bind9-merge-9114:/etc/bind$ cat named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
 type hint;
 file "/usr/share/dns/root.hints";
};

Andreas Hasenack (ahasenack) wrote :

This needs to happen to fix the UI of this MP:
<cjwatson> Right, the scan oopses
<cjwatson> *oopsed
<cjwatson> rbasak,nacc: ^- around? could you do 'lp-shell production devel' and then 'lp.load("/~usd-import-team/ubuntu/+source/bind9/+git/bind9").rescan()' please?
<cjwatson> the hosting backend had lost its mind temporarily

Andreas Hasenack (ahasenack) wrote :

The above was done.

Robie Basak (racb) wrote :

dnstap delta -> good for now. I wonder if we want to enable this long term though?

> probably already fixed in debian by the time you read this

Yes :)

But no need to merge that.

review: Approve
Robie Basak (racb) wrote :

In proposed.

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
21diff --git a/debian/changelog b/debian/changelog
22index 43d88de..ee9789e 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,19 @@
26+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ * Added:
31+ - Don't build dnstap as it depends on universe packages:
32+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
33+ protobuf-c-compiler (universe packages)
34+ + d/dnsutils.install: don't install dnstap
35+ + d/libdns1102.symbols: don't include dnstap symbols
36+ + d/rules: don't build dnstap
37+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
38+ line (Closes: #904983)
39+
40+ -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
41+
42 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
43
44 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
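
Review bot: The "Remaining changes" item in the new 1:9.11.4+dfsg-3ubuntu1 entry ("Build without lmdb support as that package is in Universe") has no per-file breakdown, unlike the dnstap item directly below it. The 1:9.11.2.P1-1ubuntu2 entry further down lists d/control, d/rules and d/bind9.install for that delta; carrying those sub-bullets forward would let the next merger check each file against the changelog without re-deriving the lmdb delta from the diff.
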
45@@ -28,6 +44,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
46
47 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
48
49+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
50+
51+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
52+ - Build without lmdb support as that package is in Universe
53+ * Drop:
54+ - SECURITY UPDATE: improperly permits recursive query service
55+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
56+ in bin/named/server.c.
57+ + CVE-2018-5738
58+ [Applied in Debian's 1:9.11.3+dfsg-2]
59+
60+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
61+
62 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
63
64 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
65@@ -36,6 +65,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
66
67 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
68
69+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
70+
71+ * SECURITY UPDATE: improperly permits recursive query service
72+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
73+ in bin/named/server.c.
74+ - CVE-2018-5738
75+
76+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
77+
78+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
79+
80+ * New upstream release. (LP: #1763572)
81+ - fix a crash when configured with ipa-dns-install
82+ * Merge from Debian unstable. Remaining changes:
83+ - Build without lmdb support as that package is in Universe
84+
85+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
86+
87 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
88
89 [ Bernhard Schmidt ]
90@@ -60,6 +107,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
91
92 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
93
94+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
95+
96+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
97+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
98+ <marka@isc.org>. (LP: #1755439)
99+
100+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
101+
102+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
103+
104+ * Fix apparmor profile filename (LP: #1754981)
105+
106+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
107+
108+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
109+
110+ * No change rebuild against openssl1.1.
111+
112+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
113+
114+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
115+
116+ * Build without lmdb support as that package is in Universe (LP: #1746296)
117+ - d/control: remove Build-Depends on liblmdb-dev
118+ - d/rules: configure --without-lmdb
119+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
120+ lmdb.
121+
122+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
123+
124+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
125+
126+ * Merge with Debian unstable (LP: #1744930).
127+ * Drop:
128+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
129+ (LP #1536181).
130+ [fixed in 1:9.10.6+dfsg-4]
131+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
132+ [adopted in 1:9.10.6+dfsg-5]
133+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
134+ introduced with the CVE-2016-8864.patch and fixed in
135+ CVE-2016-8864-regression.patch.
136+ [applied upstream]
137+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
138+ regression (RT #44318) introduced with the CVE-2016-8864.patch
139+ and fixed in CVE-2016-8864-regression2.patch.
140+ [applied upstream]
141+ - d/control, d/rules: add json support for the statistics channels.
142+ (LP #1669193)
143+ [adopted in 1:9.10.6+dfsg-5]
144+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
145+ listing the python ply module as a dependency (Closes: #888463)
146+
147+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
148+
149 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
150
151 * New upstream version 9.11.2-P1
152@@ -235,6 +337,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
153
154 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
155
156+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
157+
158+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
159+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
160+ (LP #1536181).
161+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
162+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
163+ introduced with the CVE-2016-8864.patch and fixed in
164+ CVE-2016-8864-regression.patch.
165+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
166+ regression (RT #44318) introduced with the CVE-2016-8864.patch
167+ and fixed in CVE-2016-8864-regression2.patch.
168+ - d/control, d/rules: add json support for the statistics channels.
169+ (LP #1669193)
170+
171+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
172+
173+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
174+
175+ * Non-maintainer upload.
176+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
177+
178+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
179+
180+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
181+
182+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
183+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
184+ (LP #1536181).
185+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
186+ * Drop:
187+ - SECURITY UPDATE: denial of service via assertion failure
188+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
189+ lib/dns/message.c.
190+ + CVE-2016-2776
191+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
192+ - SECURITY UPDATE: assertion failure via class mismatch
193+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
194+ records in lib/dns/resolver.c.
195+ + CVE-2016-9131
196+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
197+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
198+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
199+ returned without the requested data in lib/dns/resolver.c.
200+ + CVE-2016-9147
201+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
202+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
203+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
204+ lib/dns/message.c, lib/dns/resolver.c.
205+ + CVE-2016-9444
206+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
207+ - SECURITY UPDATE: regression in CVE-2016-8864
208+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
209+ responses in lib/dns/resolver.c, added tests to
210+ bin/tests/system/dname/ns2/example.db,
211+ bin/tests/system/dname/tests.sh.
212+ + No CVE number
213+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
214+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
215+ a NULL pointer
216+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
217+ combination in bin/named/query.c, lib/dns/message.c,
218+ lib/dns/rdataset.c.
219+ + CVE-2017-3135
220+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
221+ - SECURITY UPDATE: regression in CVE-2016-8864
222+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
223+ was still being cached when it should have been in lib/dns/resolver.c,
224+ added tests to bin/tests/system/dname/ans3/ans.pl,
225+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
226+ + No CVE number
227+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
228+ - SECURITY UPDATE: Denial of Service due to an error handling
229+ synthesized records when using DNS64 with "break-dnssec yes;"
230+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
231+ called.
232+ + CVE-2017-3136
233+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
234+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
235+ processing a response packet containing a CNAME or DNAME
236+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
237+ ordering of answer components; add testcases.
238+ + CVE-2017-3137
239+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
240+ - SECURITY UPDATE: Denial of Service when receiving a null command on
241+ the control channel
242+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
243+ command token is given; add testcase.
244+ + CVE-2017-3138
245+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
246+ - SECURITY UPDATE: TSIG authentication issues
247+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
248+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
249+ + CVE-2017-3142
250+ + CVE-2017-3143
251+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
252+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
253+ introduced with the CVE-2016-8864.patch and fixed in
254+ CVE-2016-8864-regression.patch.
255+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
256+ regression (RT #44318) introduced with the CVE-2016-8864.patch
257+ and fixed in CVE-2016-8864-regression2.patch.
258+ * d/control, d/rules: add json support for the statistics channels.
259+ (LP: #1669193)
260+
261+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
262+
263+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
264+
265+ * Non-maintainer upload.
266+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
267+ signed TCP message sequences where not all the messages contain TSIG
268+ records. These may be used in AXFR and IXFR responses.
269+ (Closes: #868952)
270+
271+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
272+
273+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
274+
275+ * Non-maintainer upload.
276+
277+ [ Yves-Alexis Perez ]
278+ * debian/patches:
279+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
280+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
281+ transfers. An attacker may be able to circumvent TSIG authentication of
282+ AXFR and Notify requests.
283+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
284+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
285+ signature for a dynamic update.
286+ (Closes: #866564)
287+
288+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
289+
290 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
291
292 [ Bernhard Schmidt ]
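
Review bot: In the Drop list of the 1:9.10.3.dfsg.P4-12.5ubuntu1 entry, the TSIG item names the patch file debian/patches/CVE-2017-3042,3043.patch while the CVE ids listed under it are CVE-2017-3142 and CVE-2017-3143. The same file name appears in the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry, so this is inherited, already-published history and should stay as it is in the changelog. A line in the merge description pointing out the mismatch would help anyone who searches by CVE id for the patch file.
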
293@@ -341,6 +577,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
294
295 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
296
297+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
298+
299+ * SECURITY UPDATE: TSIG authentication issues
300+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
301+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
302+ - CVE-2017-3142
303+ - CVE-2017-3143
304+
305+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
306+
307+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
308+
309+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
310+
311+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
312+
313+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
314+
315+ * SECURITY UPDATE: Denial of Service due to an error handling
316+ synthesized records when using DNS64 with "break-dnssec yes;"
317+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
318+ called.
319+ - CVE-2017-3136
320+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
321+ processing a response packet containing a CNAME or DNAME
322+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
323+ ordering of answer components; add testcases.
324+ - CVE-2017-3137
325+ * SECURITY UPDATE: Denial of Service when receiving a null command on
326+ the control channel
327+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
328+ command token is given; add testcase.
329+ - CVE-2017-3138
330+
331+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
332+
333+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
334+
335+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
336+ a NULL pointer
337+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
338+ combination in bin/named/query.c, lib/dns/message.c,
339+ lib/dns/rdataset.c.
340+ - CVE-2017-3135
341+ * SECURITY UPDATE: regression in CVE-2016-8864
342+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
343+ was still being cached when it should have been in lib/dns/resolver.c,
344+ added tests to bin/tests/system/dname/ans3/ans.pl,
345+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
346+ - No CVE number
347+
348+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
349+
350+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
351+
352+ * SECURITY UPDATE: assertion failure via class mismatch
353+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
354+ records in lib/dns/resolver.c.
355+ - CVE-2016-9131
356+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
357+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
358+ returned without the requested data in lib/dns/resolver.c.
359+ - CVE-2016-9147
360+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
361+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
362+ lib/dns/message.c, lib/dns/resolver.c.
363+ - CVE-2016-9444
364+ * SECURITY UPDATE: regression in CVE-2016-8864
365+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
366+ responses in lib/dns/resolver.c, added tests to
367+ bin/tests/system/dname/ns2/example.db,
368+ bin/tests/system/dname/tests.sh.
369+ - No CVE number
370+
371+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
372+
373+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
374+
375+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
376+ (LP: #1536181).
377+
378+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
379+
380+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
381+
382+ * SECURITY UPDATE: denial of service via assertion failure
383+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
384+ lib/dns/message.c.
385+ - CVE-2016-2776
386+
387+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
388+
389 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
390
391 * Non-maintainer upload.
392diff --git a/debian/control b/debian/control
393index ed09635..269d2e2 100644
394--- a/debian/control
395+++ b/debian/control
396@@ -1,7 +1,8 @@
397 Source: bind9
398 Section: net
399 Priority: optional
400-Maintainer: BIND 9 Package <bind9@package.debian.org>
401+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
402+XSBC-Original-Maintainer: BIND 9 Package <bind9@package.debian.org>
403 Uploaders: LaMont Jones <lamont@debian.org>,
404 Michael Gilbert <mgilbert@debian.org>,
405 Robie Basak <robie.basak@canonical.com>,
406@@ -15,18 +16,14 @@ Build-Depends: bison,
407 dpkg-dev (>= 1.16.1~),
408 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
409 libdb-dev (>>4.6),
410- libfstrm-dev,
411 libgeoip-dev (>= 1.4.6.dfsg-5),
412 libidn2-dev,
413 libjson-c-dev,
414 libkrb5-dev,
415 libldap2-dev,
416- liblmdb-dev,
417- libprotobuf-c-dev,
418 libssl-dev,
419 libtool,
420 libxml2-dev,
421- protobuf-c-compiler,
422 python3,
423 python3-distutils,
424 python3-ply
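
Review bot: Dropping libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler from Build-Depends removes dnstap from the build, but nothing tracks when that delta can be dropped again. The changelog item for it carries no LP bug number, whereas the lmdb delta (liblmdb-dev, also removed in this hunk) is tied to LP: #1746296 in the 1:9.11.2.P1-1ubuntu2 entry. Filing a bug for the universe dependency and citing it in the changelog would give the question raised in review ("I wonder if we want to enable this long term though?") a place to be answered, which matters because dnstap is the query-logging feature operators would otherwise expect from this version.
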
425diff --git a/debian/dnsutils.install b/debian/dnsutils.install
426index 90e4fba..5e6b7d9 100644
427--- a/debian/dnsutils.install
428+++ b/debian/dnsutils.install
429@@ -1,12 +1,10 @@
430 usr/bin/delv
431 usr/bin/dig
432-usr/bin/dnstap-read
433 usr/bin/mdig
434 usr/bin/nslookup
435 usr/bin/nsupdate
436 usr/share/man/man1/delv.1
437 usr/share/man/man1/dig.1
438-usr/share/man/man1/dnstap-read.1
439 usr/share/man/man1/mdig.1
440 usr/share/man/man1/nslookup.1
441 usr/share/man/man1/nsupdate.1
442diff --git a/debian/extras/apparmor.d/usr.sbin.named b/debian/extras/apparmor.d/usr.sbin.named
443index 23f22c5..87d528f 100644
444--- a/debian/extras/apparmor.d/usr.sbin.named
445+++ b/debian/extras/apparmor.d/usr.sbin.named
446@@ -30,7 +30,7 @@
447 /etc/ssl/openssl.cnf r,
448
449 # root hints from dns-data-root
450- /usr/share/dns/root.* r
451+ /usr/share/dns/root.* r,
452
453 # GeoIP data files for GeoIP ACLs
454 /usr/share/GeoIP/** r,
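
Review bot: The rule being fixed, "/usr/share/dns/root.* r,", grants read on a glob, while the named.conf.default-zones shown in the description references only /usr/share/dns/root.hints. If named reads no other root.* file, narrowing the rule to the file or files actually used would keep the profile tighter. The comment above the rule also says "dns-data-root" where the description calls the dependency dns-root-data. Since the original defect was a missing trailing comma, running the profile through apparmor_parser during the build or in an autopkgtest would catch a recurrence before upload.
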
455diff --git a/debian/libdns1102.symbols b/debian/libdns1102.symbols
456index 44fd5c1..b6264ad 100644
457--- a/debian/libdns1102.symbols
458+++ b/debian/libdns1102.symbols
459@@ -358,21 +358,6 @@ libdns-pkcs11.so.1102 libdns1102 #MINVER#
460 dns_dsdigest_format@Base 1:9.11.3+dfsg
461 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
462 dns_dsdigest_totext@Base 1:9.11.3+dfsg
463- dns_dt_attach@Base 1:9.11.4+dfsg-2
464- dns_dt_close@Base 1:9.11.4+dfsg-2
465- dns_dt_create@Base 1:9.11.4+dfsg-2
466- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
467- dns_dt_detach@Base 1:9.11.4+dfsg-2
468- dns_dt_getframe@Base 1:9.11.4+dfsg-2
469- dns_dt_getstats@Base 1:9.11.4+dfsg-2
470- dns_dt_open@Base 1:9.11.4+dfsg-2
471- dns_dt_parse@Base 1:9.11.4+dfsg-2
472- dns_dt_reopen@Base 1:9.11.4+dfsg-2
473- dns_dt_send@Base 1:9.11.4+dfsg-2
474- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
475- dns_dt_setversion@Base 1:9.11.4+dfsg-2
476- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
477- dns_dtdata_free@Base 1:9.11.4+dfsg-2
478 dns_dumpctx_attach@Base 1:9.11.3+dfsg
479 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
480 dns_dumpctx_db@Base 1:9.11.3+dfsg
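
Review bot: The dns_dt_* entries removed here, and the dnstap__* entries removed in the later hunks of this file, are dropped from libdns1102.symbols with no change to the library package name, which is only safe if no Ubuntu upload ever exported them. Every removed line carries 1:9.11.4+dfsg-2 as its introducing version and the previous Ubuntu entry in the changelog is 1:9.11.3+dfsg-2ubuntu1, so that appears to hold. Saying so in the changelog bullet for d/libdns1102.symbols would save the next reviewer the check, and would flag that re-enabling dnstap later means restoring these lines with the version that first ships them in Ubuntu.
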
481@@ -1440,24 +1425,6 @@ libdns-pkcs11.so.1102 libdns1102 #MINVER#
482 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
483 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
484 dns_zt_unmount@Base 1:9.11.3+dfsg
485- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
486- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
487- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
488- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
489- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
490- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
491- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
492- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
493- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
494- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
495- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
496- dnstap__message__init@Base 1:9.11.4+dfsg-2
497- dnstap__message__pack@Base 1:9.11.4+dfsg-2
498- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
499- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
500- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
501- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
502- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
503 dst__entropy_getdata@Base 1:9.11.3+dfsg
504 dst__entropy_status@Base 1:9.11.3+dfsg
505 dst__gssapi_init@Base 1:9.11.3+dfsg
506@@ -1937,21 +1904,6 @@ libdns.so.1102 libdns1102 #MINVER#
507 dns_dsdigest_format@Base 1:9.11.3+dfsg
508 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
509 dns_dsdigest_totext@Base 1:9.11.3+dfsg
510- dns_dt_attach@Base 1:9.11.4+dfsg-2
511- dns_dt_close@Base 1:9.11.4+dfsg-2
512- dns_dt_create@Base 1:9.11.4+dfsg-2
513- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
514- dns_dt_detach@Base 1:9.11.4+dfsg-2
515- dns_dt_getframe@Base 1:9.11.4+dfsg-2
516- dns_dt_getstats@Base 1:9.11.4+dfsg-2
517- dns_dt_open@Base 1:9.11.4+dfsg-2
518- dns_dt_parse@Base 1:9.11.4+dfsg-2
519- dns_dt_reopen@Base 1:9.11.4+dfsg-2
520- dns_dt_send@Base 1:9.11.4+dfsg-2
521- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
522- dns_dt_setversion@Base 1:9.11.4+dfsg-2
523- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
524- dns_dtdata_free@Base 1:9.11.4+dfsg-2
525 dns_dumpctx_attach@Base 1:9.11.3+dfsg
526 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
527 dns_dumpctx_db@Base 1:9.11.3+dfsg
528@@ -3026,24 +2978,6 @@ libdns.so.1102 libdns1102 #MINVER#
529 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
530 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
531 dns_zt_unmount@Base 1:9.11.3+dfsg
532- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
533- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
534- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
535- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
536- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
537- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
538- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
539- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
540- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
541- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
542- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
543- dnstap__message__init@Base 1:9.11.4+dfsg-2
544- dnstap__message__pack@Base 1:9.11.4+dfsg-2
545- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
546- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
547- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
548- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
549- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
550 dst__entropy_getdata@Base 1:9.11.3+dfsg
551 dst__entropy_status@Base 1:9.11.3+dfsg
552 dst__gssapi_init@Base 1:9.11.3+dfsg
553diff --git a/debian/rules b/debian/rules
554index 9814ae5..eff33da 100755
555--- a/debian/rules
556+++ b/debian/rules
557@@ -82,7 +82,7 @@ override_dh_auto_configure:
558 --with-gssapi=/usr \
559 --with-libidn2 \
560 --with-libjson=/usr \
561- --with-lmdb=/usr \
562+ --without-lmdb \
563 --with-gnu-ld \
564 --with-geoip=/usr \
565 --with-atf=no \
566@@ -92,7 +92,6 @@ override_dh_auto_configure:
567 --enable-native-pkcs11 \
568 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
569 --with-randomdev=/dev/urandom \
570- --enable-dnstap \
571 $(EXTRA_FEATURES)
572 dh_auto_configure -B build-udeb -- \
573 --sysconfdir=/etc/bind \
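
Review bot: Removing --enable-dnstap from the main configure call leaves the dnstap setting to configure's default, whereas the lmdb delta in the previous hunk is spelled out as --without-lmdb. An explicit --disable-dnstap in the same position would make the delta visible in d/rules and keep the build from changing if the default ever does.
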
574@@ -117,8 +116,6 @@ override_dh_auto_configure:
575 # no need to build these targets here
576 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
577 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
578- cp lib/dns/dnstap.proto build/lib/dns
579- cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
580
581 override_dh_auto_build:
582 dh_auto_build -B build
