Merge ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5 into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack on 2018-12-11
Status: Merged
Approved by: Andreas Hasenack on 2018-12-14
Approved revision: 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4
Merge reported by: Andreas Hasenack
Merged at revision: 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4
Proposed branch: ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 752 lines (+472/-83)
10 files modified
debian/bind9.install (+0/-2)
debian/changelog (+400/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+2/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewer                      | Review Type | Date Requested | Status
Christian Ehrhardt            |             | 2018-12-11     | Approve on 2018-12-13
Canonical Server Team         |             | 2018-12-11     | Pending
Ubuntu Server Dev import team |             | 2018-12-11     | Pending
Review via email: mp+360691@code.launchpad.net

Description of the change

Merge from debian

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3555

This is going to need some rebuilds, due to soname bumps:
- bind-dyndb-ldap
- isc-dhcp
- debian-installer

I tested all of them and isc-dhcp actually needed a patch to build with 9.11.5, which I grabbed from debian. I'll MP that too, and the other two are just plain no-change rebuilds.

Some delta was dropped, which is good.

Of the bits that were added, two are applied fixed upstream, so they should vanish soon, but the remaining one is a dep8 change we had to make because our autopkgtest farm doesn't have easy egress access. I tried for a while to come up with ways to detect that and skip the test in this case, which would be acceptable for debian I think, or even find out which resolver the system is using and pointing bind at it via a "forwarders" config directive, but it didn't work out as well as I had hoped. I couldn't even be sure if using a forwarder wasn't going to taint that particular dnssec test.

Since I had spent a lot of time on this already, I decided to just drop that test.

The only remaining delta we have, apart from this new dep8 change, is related to dependencies in universe.

This debian change made me think: https://salsa.debian.org/dns-team/bind9/commit/942705926bff715f1171c6b18fa4a3df54c013fc

It's this d/rules bit:
override_dh_shlibdeps:
 dh_shlibdeps
 # Downgrade libcrypto1.1-udeb dependency from 1.1.1 to 1.1.0
 # The udebs don't use any newer symbols, but due to them using
 # shlibs the dependency is generated anyway. This blocks migration
 # to testing until OpenSSL 1.1.1 is sorted out
 sed -i 's:libcrypto1.1-udeb (>= 1.1.1):libcrypto1.1-udeb (>= 1.1.0):' debian/*-udeb.substvars

Ubuntu has libcrypto1.1-udeb version 1.1.1a in disco:
 libcrypto1.1-udeb | 1.1.1a-1ubuntu2 | disco/main/debian-installer | amd64, arm64, armhf, i386, ppc64el, s390x

Debian too, at the moment:
libcrypto1.1-udeb | 1.1.1a-1 | unstable | amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, ppc64el, s390x

That sed line from d/rules no longer matches, because it's looking for 1.1.1, and both debian and ubuntu have 1.1.1a nowadays. It's a noop and not worth adding a delta for. Eventually debian will drop it.
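As an added example, not part of this merge proposal or the bind9 packaging: one way the egress detection considered above could have been done in the dep8 test instead of dropping it. It assumes the test is declared with `Restrictions: skippable` in debian/tests/control so that exit status 77 counts as a skip rather than a failure, that the freshly installed named is listening on 127.0.0.1, and that dig from dnsutils is available; the probe command is injectable (PROBE_CMD) so the decision logic can be exercised without network access.

```sh
#!/bin/sh
# Added example, not from the bind9 packaging: a dep8 wrapper that probes
# for DNS egress through the local named before running an
# internet-dependent DNSSEC check, and exits 77 ("skip") when the farm has
# no egress. Assumes "Restrictions: skippable" in debian/tests/control.

# Name to resolve and the probe command. PROBE_CMD is overridable so the
# logic below can be tested offline; the default needs dig from dnsutils.
PROBE_NAME="${PROBE_NAME:-internetsociety.org}"
PROBE_CMD="${PROBE_CMD:-dig +short +time=3 +tries=1 A $PROBE_NAME @127.0.0.1}"

# Returns 0 when the probe produced a non-empty answer, i.e. recursion from
# the local named reached the internet; a timeout, SERVFAIL or empty
# answer counts as "no usable egress".
have_egress() {
    out=$($PROBE_CMD 2>/dev/null) || return 1
    [ -n "$out" ]
}

# Maps the probe result to the autopkgtest convention: 0 = run the test,
# 77 = skip it (only honoured when the test is marked skippable).
egress_status() {
    if have_egress; then
        return 0
    fi
    echo "no DNS egress from this host; skipping internet-dependent test" >&2
    return 77
}

# Takes the ";; flags:" comment line printed by "dig +comments" and returns
# 0 only when the AD (authenticated data) flag is present. NOERROR alone
# does not prove validation happened. If named forwards, AD still reflects
# named's own validation as long as dnssec-validation is enabled; a
# forwarder that strips RRSIG/DS records makes validation fail (SERVFAIL)
# rather than silently pass, so the check cannot be fooled into a false AD.
dnssec_validation_ok() {
    case "$1" in
        *"flags:"*" ad"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The actual test body: skip without egress, otherwise require validation.
run_test() {
    egress_status || return $?
    hdr=$(dig +dnssec +noall +comments A "$PROBE_NAME" @127.0.0.1 | grep '^;; flags:')
    dnssec_validation_ok "$hdr"
}

# Only run when invoked as "simpletest --run", so sourcing the file for
# its functions has no side effects.
case "${1:-}" in
    --run) run_test ;;
esac
```

The exit-77 convention is what autopkgtest uses for skippable tests; without the `skippable` restriction in debian/tests/control the same status is reported as a failure, which is exactly the outcome the farm without egress was producing.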
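Also added here, and not from the page or either distribution's packaging: a check of the claim that the override_dh_shlibdeps sed above stops matching once the udeb dependency reads 1.1.1a, a version-aware variant of the same rewrite, and a way to verify the premise in Debian's comment (that the udebs use no symbols newer than 1.1.0) from objdump -T output before trusting the downgrade. The substvars and objdump lines are constructed samples, not real build output.

```sh
#!/bin/sh
# Added example, not from the bind9 packaging. Demonstrates the substvars
# rewrite from Debian's override_dh_shlibdeps and a symbol-level check of
# the assumption behind it. All inputs below are constructed samples.

# Constructed examples of what dh_shlibdeps writes into
# debian/*-udeb.substvars before and after OpenSSL moved to 1.1.1a.
SAMPLE_OLD='shlibs:Depends=libc6-udeb (>= 2.28), libcrypto1.1-udeb (>= 1.1.1)'
SAMPLE_NEW='shlibs:Depends=libc6-udeb (>= 2.28), libcrypto1.1-udeb (>= 1.1.1a)'

# The rule as it stands in debian/rules: a literal match that requires ")"
# directly after "1.1.1", so "1.1.1a)" is left untouched.
downgrade_literal() {
    printf '%s\n' "$1" | sed 's:libcrypto1.1-udeb (>= 1.1.1):libcrypto1.1-udeb (>= 1.1.0):'
}

# Version-aware variant: matches 1.1.1 plus any OpenSSL letter suffix
# (1.1.1a, 1.1.1b, ...). Dots are escaped so "1.1.1" cannot match "1x1y1".
downgrade_versioned() {
    printf '%s\n' "$1" | sed 's:libcrypto1\.1-udeb (>= 1\.1\.1[a-z]*):libcrypto1.1-udeb (>= 1.1.0):'
}

# Constructed "objdump -T" lines for an udeb binary. The second-to-last
# field is the version node each undefined symbol is bound to; a binary
# bound to OPENSSL_1_1_1 really does need libcrypto >= 1.1.1.
SAMPLE_OBJDUMP='0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_0 EVP_DigestInit_ex
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1 RAND_priv_bytes'

# Prints every undefined OpenSSL symbol bound to a version node newer than
# "$2"; empty output means the downgrade is safe for this binary. String
# comparison is enough here because OpenSSL's node names share a prefix
# and length (assumption: that naming scheme holds for the nodes compared).
symbols_newer_than() {
    printf '%s\n' "$1" | awk -v base="$2" \
        '$0 ~ /\*UND\*/ && $(NF-1) ~ /^OPENSSL_/ && $(NF-1) > base { print $NF }'
}

# Typical use against a built udeb (not executed here):
#   symbols_newer_than "$(objdump -T debian/bind9-udeb/usr/sbin/named)" OPENSSL_1_1_0
# followed by downgrade_versioned on the substvars line only when that
# check prints nothing.
```

Downgrading a generated dependency is a hand-made ABI assertion: if a later upload links a symbol from the OPENSSL_1_1_1 version node, the udeb would still declare (>= 1.1.0) and could be installed against a libcrypto that lacks it. Running the symbol check against the built udeb before applying the sed keeps the shortcut honest; a symbols file in the openssl package would compute the dependency from the symbols actually used and make the hack unnecessary.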

Andreas Hasenack (ahasenack) wrote :

back to wip while I confirm that the reverse-depends can be rebuilt

Andreas Hasenack (ahasenack) wrote :

All good

Christian Ehrhardt  (paelzer) wrote :

- All your considerations sound fine to me
- Neither the Debian nor the upstream changelog gave me other reasons to doubt this would be good
- Changes correctly retained/dropped
- yes to the egress test dropping
- patches added are upstream and seem safe

Strictly speaking the commit messages and changelog could be slightly updated:
+ d/rules: don't build dnstap => add "... nor install dnstap.proto"
+ d/libdns1102.symbols: don't include dnstap symbols => is in d/libdns1104.symbols now
But that is up to you.

The autopkgtests look good, I think last cycle we also ran [1] against it.
I don't remember if that was helpful, if it was you might run that again before an upload.

All my feedback was ack/suggestion - so you already have my +1 on this - thanks for the Merge!

[1]: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-bind9.py

review: Approve
995f96b... by Andreas Hasenack on 2018-12-13

merge-changelogs

60f880e... by Andreas Hasenack on 2018-12-13

reconstruct-changelog

acc2688... by Andreas Hasenack on 2018-12-13

update-maintainer

Andreas Hasenack (ahasenack) wrote :

Good suggestions, particularly the libdns1104.symbols one. I remember I was amazed how git was able to track the patch across a file rename, but didn't think about checking the filename in the changelog message.

I push-forced these changes, sorry, but I wanted to keep the changelog auto-generated correctly via git ubuntu merge finish.

I'll next run the qa-regression tests.

Christian Ehrhardt  (paelzer) wrote :

Ack to the changelog changes - thanks!

Andreas Hasenack (ahasenack) wrote :

Regarding the qa-regression-tests, I get 4 dnssec failures with the current version of bind in disco, and the same failures with the updated one:

9.11.4 (current in disco): https://pastebin.ubuntu.com/p/YDsd7sJbVs/
9.11.5 (this MP): https://pastebin.ubuntu.com/p/XbrmN5Y2G3/

Since it's the same tests that failed, it's no regression. I asked #security and #ubuntu-hardened if these are known failures.

Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded, thanks.

Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
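Review bot: named-nzd2nzf disappears here as part of the lmdb delta, but the changelog entry for this merge only says "Build without lmdb support as that package is in Universe" and no longer lists the d/bind9.install (and d/control, d/rules) pieces the way the 1:9.11.2.P1-1ubuntu2 entry did. Keeping that itemization in the "Remaining changes" block makes the delta auditable at the next merge without diffing install files by hand.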
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
21diff --git a/debian/changelog b/debian/changelog
22index 1e26d11..91bda1e 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,42 @@
26+bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ - Don't build dnstap as it depends on universe packages:
31+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
32+ protobuf-c-compiler (universe packages)
33+ + d/dnsutils.install: don't install dnstap
34+ + d/libdns1104.symbols: don't include dnstap symbols
35+ + d/rules: don't build dnstap nor install dnstap.proto
36+ * Dropped:
37+ - SECURITY UPDATE: denial of service crash when deny-answer-aliases
38+ option is used
39+ + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
40+ trigger a crash if deny-answer-aliases was set
41+ + debian/patches/CVE-2018-5740-2.patch: add tests
42+ + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
43+ chainingp correctly, add test
44+ + CVE-2018-5740
45+ [Fixed in new upstream version 9.11.5]
46+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
47+ line (Closes: #904983)
48+ [Fixed in 1:9.11.4+dfsg-4]
49+ - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
50+ [Fixed in 1:9.11.4.P1+dfsg-1]
51+ - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
52+ (it depends on OpenSSL version) (Closes: #897643)
53+ [Fixed in 1:9.11.4.P1+dfsg-1]
54+ * Added:
55+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
56+ option (LP: #1804648)
57+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
58+ close to a query timeout (LP: #1797926)
59+ - d/t/simpletest: drop the internetsociety.org test as it requires
60+ network egress access that is not available in the Ubuntu autopkgtest
61+ farm.
62+
63+ -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
64+
65 bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
66
67 * Use team+dns@tracker.debian.org as Maintainer address
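Review bot: the d/t/simpletest entry says why the internetsociety.org test was dropped but not what coverage goes with it; per the description this was the DNSSEC test, so the remaining dep8 run no longer exercises validation against real signed data on the built binary. Suggest stating that in the entry and naming the qa-regression-testing script that still covers it, so the next merger knows the gap is deliberate rather than accidental. Minor: the "Dropped" block copies the "caclulate" typo from the original CVE-2018-5740 entry; that is fine for a verbatim quote, just do not let it propagate into new text.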
68@@ -59,6 +98,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
69
70 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
71
72+bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
73+
74+ * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
75+
76+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
77+
78+bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
79+
80+ * SECURITY UPDATE: denial of service crash when deny-answer-aliases
81+ option is used
82+ - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
83+ trigger a crash if deny-answer-aliases was set
84+ - debian/patches/CVE-2018-5740-2.patch: add tests
85+ - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
86+ chainingp correctly, add test
87+ - CVE-2018-5740
88+
89+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
90+
91+bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
92+
93+ * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
94+ (it depends on OpenSSL version) (Closes: #897643)
95+
96+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
97+
98+bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
99+
100+ * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
101+ crashing on startup. (LP: #1769440)
102+
103+ -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
104+
105+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
106+
107+ * Merge with Debian unstable. Remaining changes:
108+ - Build without lmdb support as that package is in Universe
109+ * Added:
110+ - Don't build dnstap as it depends on universe packages:
111+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
112+ protobuf-c-compiler (universe packages)
113+ + d/dnsutils.install: don't install dnstap
114+ + d/libdns1102.symbols: don't include dnstap symbols
115+ + d/rules: don't build dnstap
116+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
117+ line (Closes: #904983)
118+
119+ -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
120+
121 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
122
123 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
124@@ -89,6 +177,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
125
126 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
127
128+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
129+
130+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
131+ - Build without lmdb support as that package is in Universe
132+ * Drop:
133+ - SECURITY UPDATE: improperly permits recursive query service
134+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
135+ in bin/named/server.c.
136+ + CVE-2018-5738
137+ [Applied in Debian's 1:9.11.3+dfsg-2]
138+
139+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
140+
141 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
142
143 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
144@@ -97,6 +198,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
145
146 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
147
148+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
149+
150+ * SECURITY UPDATE: improperly permits recursive query service
151+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
152+ in bin/named/server.c.
153+ - CVE-2018-5738
154+
155+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
156+
157+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
158+
159+ * New upstream release. (LP: #1763572)
160+ - fix a crash when configured with ipa-dns-install
161+ * Merge from Debian unstable. Remaining changes:
162+ - Build without lmdb support as that package is in Universe
163+
164+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
165+
166 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
167
168 [ Bernhard Schmidt ]
169@@ -121,6 +240,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
170
171 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
172
173+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
174+
175+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
176+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
177+ <marka@isc.org>. (LP: #1755439)
178+
179+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
180+
181+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
182+
183+ * Fix apparmor profile filename (LP: #1754981)
184+
185+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
186+
187+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
188+
189+ * No change rebuild against openssl1.1.
190+
191+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
192+
193+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
194+
195+ * Build without lmdb support as that package is in Universe (LP: #1746296)
196+ - d/control: remove Build-Depends on liblmdb-dev
197+ - d/rules: configure --without-lmdb
198+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
199+ lmdb.
200+
201+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
202+
203+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
204+
205+ * Merge with Debian unstable (LP: #1744930).
206+ * Drop:
207+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
208+ (LP #1536181).
209+ [fixed in 1:9.10.6+dfsg-4]
210+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
211+ [adopted in 1:9.10.6+dfsg-5]
212+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
213+ introduced with the CVE-2016-8864.patch and fixed in
214+ CVE-2016-8864-regression.patch.
215+ [applied upstream]
216+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
217+ regression (RT #44318) introduced with the CVE-2016-8864.patch
218+ and fixed in CVE-2016-8864-regression2.patch.
219+ [applied upstream]
220+ - d/control, d/rules: add json support for the statistics channels.
221+ (LP #1669193)
222+ [adopted in 1:9.10.6+dfsg-5]
223+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
224+ listing the python ply module as a dependency (Closes: #888463)
225+
226+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
227+
228 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
229
230 * New upstream version 9.11.2-P1
231@@ -296,6 +470,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
232
233 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
234
235+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
236+
237+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
238+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
239+ (LP #1536181).
240+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
241+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
242+ introduced with the CVE-2016-8864.patch and fixed in
243+ CVE-2016-8864-regression.patch.
244+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
245+ regression (RT #44318) introduced with the CVE-2016-8864.patch
246+ and fixed in CVE-2016-8864-regression2.patch.
247+ - d/control, d/rules: add json support for the statistics channels.
248+ (LP #1669193)
249+
250+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
251+
252+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
253+
254+ * Non-maintainer upload.
255+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
256+
257+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
258+
259+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
260+
261+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
262+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
263+ (LP #1536181).
264+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
265+ * Drop:
266+ - SECURITY UPDATE: denial of service via assertion failure
267+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
268+ lib/dns/message.c.
269+ + CVE-2016-2776
270+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
271+ - SECURITY UPDATE: assertion failure via class mismatch
272+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
273+ records in lib/dns/resolver.c.
274+ + CVE-2016-9131
275+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
276+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
277+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
278+ returned without the requested data in lib/dns/resolver.c.
279+ + CVE-2016-9147
280+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
281+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
282+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
283+ lib/dns/message.c, lib/dns/resolver.c.
284+ + CVE-2016-9444
285+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
286+ - SECURITY UPDATE: regression in CVE-2016-8864
287+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
288+ responses in lib/dns/resolver.c, added tests to
289+ bin/tests/system/dname/ns2/example.db,
290+ bin/tests/system/dname/tests.sh.
291+ + No CVE number
292+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
293+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
294+ a NULL pointer
295+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
296+ combination in bin/named/query.c, lib/dns/message.c,
297+ lib/dns/rdataset.c.
298+ + CVE-2017-3135
299+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
300+ - SECURITY UPDATE: regression in CVE-2016-8864
301+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
302+ was still being cached when it should have been in lib/dns/resolver.c,
303+ added tests to bin/tests/system/dname/ans3/ans.pl,
304+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
305+ + No CVE number
306+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
307+ - SECURITY UPDATE: Denial of Service due to an error handling
308+ synthesized records when using DNS64 with "break-dnssec yes;"
309+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
310+ called.
311+ + CVE-2017-3136
312+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
313+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
314+ processing a response packet containing a CNAME or DNAME
315+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
316+ ordering of answer components; add testcases.
317+ + CVE-2017-3137
318+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
319+ - SECURITY UPDATE: Denial of Service when receiving a null command on
320+ the control channel
321+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
322+ command token is given; add testcase.
323+ + CVE-2017-3138
324+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
325+ - SECURITY UPDATE: TSIG authentication issues
326+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
327+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
328+ + CVE-2017-3142
329+ + CVE-2017-3143
330+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
331+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
332+ introduced with the CVE-2016-8864.patch and fixed in
333+ CVE-2016-8864-regression.patch.
334+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
335+ regression (RT #44318) introduced with the CVE-2016-8864.patch
336+ and fixed in CVE-2016-8864-regression2.patch.
337+ * d/control, d/rules: add json support for the statistics channels.
338+ (LP: #1669193)
339+
340+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
341+
342+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
343+
344+ * Non-maintainer upload.
345+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
346+ signed TCP message sequences where not all the messages contain TSIG
347+ records. These may be used in AXFR and IXFR responses.
348+ (Closes: #868952)
349+
350+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
351+
352+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
353+
354+ * Non-maintainer upload.
355+
356+ [ Yves-Alexis Perez ]
357+ * debian/patches:
358+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
359+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
360+ transfers. An attacker may be able to circumvent TSIG authentication of
361+ AXFR and Notify requests.
362+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
363+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
364+ signature for a dynamic update.
365+ (Closes: #866564)
366+
367+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
368+
369 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
370
371 [ Bernhard Schmidt ]
372@@ -402,6 +710,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
373
374 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
375
376+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
377+
378+ * SECURITY UPDATE: TSIG authentication issues
379+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
380+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
381+ - CVE-2017-3142
382+ - CVE-2017-3143
383+
384+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
385+
386+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
387+
388+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
389+
390+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
391+
392+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
393+
394+ * SECURITY UPDATE: Denial of Service due to an error handling
395+ synthesized records when using DNS64 with "break-dnssec yes;"
396+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
397+ called.
398+ - CVE-2017-3136
399+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
400+ processing a response packet containing a CNAME or DNAME
401+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
402+ ordering of answer components; add testcases.
403+ - CVE-2017-3137
404+ * SECURITY UPDATE: Denial of Service when receiving a null command on
405+ the control channel
406+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
407+ command token is given; add testcase.
408+ - CVE-2017-3138
409+
410+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
411+
412+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
413+
414+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
415+ a NULL pointer
416+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
417+ combination in bin/named/query.c, lib/dns/message.c,
418+ lib/dns/rdataset.c.
419+ - CVE-2017-3135
420+ * SECURITY UPDATE: regression in CVE-2016-8864
421+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
422+ was still being cached when it should have been in lib/dns/resolver.c,
423+ added tests to bin/tests/system/dname/ans3/ans.pl,
424+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
425+ - No CVE number
426+
427+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
428+
429+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
430+
431+ * SECURITY UPDATE: assertion failure via class mismatch
432+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
433+ records in lib/dns/resolver.c.
434+ - CVE-2016-9131
435+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
436+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
437+ returned without the requested data in lib/dns/resolver.c.
438+ - CVE-2016-9147
439+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
440+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
441+ lib/dns/message.c, lib/dns/resolver.c.
442+ - CVE-2016-9444
443+ * SECURITY UPDATE: regression in CVE-2016-8864
444+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
445+ responses in lib/dns/resolver.c, added tests to
446+ bin/tests/system/dname/ns2/example.db,
447+ bin/tests/system/dname/tests.sh.
448+ - No CVE number
449+
450+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
451+
452+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
453+
454+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
455+ (LP: #1536181).
456+
457+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
458+
459+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
460+
461+ * SECURITY UPDATE: denial of service via assertion failure
462+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
463+ lib/dns/message.c.
464+ - CVE-2016-2776
465+
466+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
467+
468 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
469
470 * Non-maintainer upload.
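Review bot: in the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry the patch file is named CVE-2017-3042,3043.patch while the CVEs it fixes are CVE-2017-3142 and CVE-2017-3143, and the same mismatch is repeated in the 1:9.10.3.dfsg.P4-12.5ubuntu1 "Drop" list. This is published history and should not be rewritten in the changelog, but anyone grepping debian/patches or old changelogs by CVE id for an audit will miss it, so it is worth knowing about when reconciling against the security tracker.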
471diff --git a/debian/control b/debian/control
472index 73c2a17..3d7f03d 100644
473--- a/debian/control
474+++ b/debian/control
475@@ -1,7 +1,8 @@
476 Source: bind9
477 Section: net
478 Priority: optional
479-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
480+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
481+XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
482 Uploaders: LaMont Jones <lamont@debian.org>,
483 Michael Gilbert <mgilbert@debian.org>,
484 Robie Basak <robie.basak@canonical.com>,
485@@ -15,18 +16,14 @@ Build-Depends: bison,
486 dpkg-dev (>= 1.16.1~),
487 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
488 libdb-dev (>>4.6),
489- libfstrm-dev,
490 libgeoip-dev (>= 1.4.6.dfsg-5),
491 libidn2-dev,
492 libjson-c-dev,
493 libkrb5-dev,
494 libldap2-dev,
495- liblmdb-dev,
496- libprotobuf-c-dev,
497 libssl-dev,
498 libtool,
499 libxml2-dev,
500- protobuf-c-compiler,
501 python3,
502 python3-distutils,
503 python3-ply
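Review bot: dropping libfstrm-dev, libprotobuf-c-dev, protobuf-c-compiler and liblmdb-dev from Build-Depends only works as a feature switch if debian/rules also stops asking for the features; the summary lists debian/rules (+1/-4) but that hunk is not shown here, so confirm it removes the dnstap enable and passes --without-lmdb rather than relying on configure not finding the headers in the chroot. Otherwise a build in an environment that happens to have the libraries would silently enable dnstap, and dpkg-gensymbols would then fail on the dns_dt_* and dnstap__* symbols removed from d/libdns1104.symbols.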
504diff --git a/debian/dnsutils.install b/debian/dnsutils.install
505index 90e4fba..5e6b7d9 100644
506--- a/debian/dnsutils.install
507+++ b/debian/dnsutils.install
508@@ -1,12 +1,10 @@
509 usr/bin/delv
510 usr/bin/dig
511-usr/bin/dnstap-read
512 usr/bin/mdig
513 usr/bin/nslookup
514 usr/bin/nsupdate
515 usr/share/man/man1/delv.1
516 usr/share/man/man1/dig.1
517-usr/share/man/man1/dnstap-read.1
518 usr/share/man/man1/mdig.1
519 usr/share/man/man1/nslookup.1
520 usr/share/man/man1/nsupdate.1
521diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
522index a3b9f10..7b6020e 100644
523--- a/debian/libdns1104.symbols
524+++ b/debian/libdns1104.symbols
525@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
526 dns_dsdigest_format@Base 1:9.11.3+dfsg
527 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
528 dns_dsdigest_totext@Base 1:9.11.3+dfsg
529- dns_dt_attach@Base 1:9.11.4+dfsg-2
530- dns_dt_close@Base 1:9.11.4+dfsg-2
531- dns_dt_create@Base 1:9.11.4+dfsg-2
532- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
533- dns_dt_detach@Base 1:9.11.4+dfsg-2
534- dns_dt_getframe@Base 1:9.11.4+dfsg-2
535- dns_dt_getstats@Base 1:9.11.4+dfsg-2
536- dns_dt_open@Base 1:9.11.4+dfsg-2
537- dns_dt_parse@Base 1:9.11.4+dfsg-2
538- dns_dt_reopen@Base 1:9.11.4+dfsg-2
539- dns_dt_send@Base 1:9.11.4+dfsg-2
540- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
541- dns_dt_setversion@Base 1:9.11.4+dfsg-2
542- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
543- dns_dtdata_free@Base 1:9.11.4+dfsg-2
544 dns_dumpctx_attach@Base 1:9.11.3+dfsg
545 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
546 dns_dumpctx_db@Base 1:9.11.3+dfsg
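Review bot: removing the dns_dt_* symbols outright, rather than marking them optional, means dpkg-gensymbols will fail the build if dnstap ever gets compiled in by accident, which is the right guard for a feature that is meant to be off; note that the removal is mirrored below for the libdns.so.1104 section, so the pkcs11 and non-pkcs11 builds stay in sync. If the delta is ever reduced to "disable dnstap" only, this file is the one that catches a configure flag going missing.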
547@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
548 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
549 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
550 dns_zt_unmount@Base 1:9.11.3+dfsg
551- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
552- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
553- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
554- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
555- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
556- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
557- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
558- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
559- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
560- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
561- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
562- dnstap__message__init@Base 1:9.11.4+dfsg-2
563- dnstap__message__pack@Base 1:9.11.4+dfsg-2
564- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
565- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
566- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
567- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
568- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
569 dst__entropy_getdata@Base 1:9.11.3+dfsg
570 dst__entropy_status@Base 1:9.11.3+dfsg
571 dst__gssapi_init@Base 1:9.11.3+dfsg
572@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
573 dns_dsdigest_format@Base 1:9.11.3+dfsg
574 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
575 dns_dsdigest_totext@Base 1:9.11.3+dfsg
576- dns_dt_attach@Base 1:9.11.4+dfsg-2
577- dns_dt_close@Base 1:9.11.4+dfsg-2
578- dns_dt_create@Base 1:9.11.4+dfsg-2
579- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
580- dns_dt_detach@Base 1:9.11.4+dfsg-2
581- dns_dt_getframe@Base 1:9.11.4+dfsg-2
582- dns_dt_getstats@Base 1:9.11.4+dfsg-2
583- dns_dt_open@Base 1:9.11.4+dfsg-2
584- dns_dt_parse@Base 1:9.11.4+dfsg-2
585- dns_dt_reopen@Base 1:9.11.4+dfsg-2
586- dns_dt_send@Base 1:9.11.4+dfsg-2
587- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
588- dns_dt_setversion@Base 1:9.11.4+dfsg-2
589- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
590- dns_dtdata_free@Base 1:9.11.4+dfsg-2
591 dns_dumpctx_attach@Base 1:9.11.3+dfsg
592 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
593 dns_dumpctx_db@Base 1:9.11.3+dfsg
594@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
595 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
596 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
597 dns_zt_unmount@Base 1:9.11.3+dfsg
598- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
599- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
600- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
601- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
602- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
603- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
604- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
605- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
606- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
607- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
608- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
609- dnstap__message__init@Base 1:9.11.4+dfsg-2
610- dnstap__message__pack@Base 1:9.11.4+dfsg-2
611- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
612- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
613- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
614- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
615- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
616 dst__entropy_getdata@Base 1:9.11.3+dfsg
617 dst__entropy_status@Base 1:9.11.3+dfsg
618 dst__gssapi_init@Base 1:9.11.3+dfsg
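Review bot: the `dnstap__*` symbols removed in this hunk are the protobuf-c generated descriptor/pack/unpack functions for `lib/dns/dnstap.proto` (the file the debian/rules hunk below stops copying into the build tree), i.e. generated helper code that was being exported from libdns rather than part of its documented API, so dropping them is correct once dnstap is disabled; record in the changelog entry that the symbols file was trimmed for that reason, otherwise the next merge from Debian is likely to re-add them without anyone noticing that the build no longer produces them.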
619diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
620new file mode 100644
621index 0000000..5444ae7
622--- /dev/null
623+++ b/debian/patches/enable-udp-in-host-command.diff
624@@ -0,0 +1,26 @@
625+Description: Fix parsing of host(1)'s -U command line option
626+Author: Andreas Hasenack <andreas@canonical.com>
627+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
628+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
629+Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
630+Last-Update: 2018-12-06
631+---
632+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
633+--- a/bin/dig/host.c
634++++ b/bin/dig/host.c
635+@@ -158,6 +158,7 @@
636+ " -s a SERVFAIL response should stop query\n"
637+ " -t specifies the query type\n"
638+ " -T enables TCP/IP mode\n"
639++" -U enables UDP mode\n"
640+ " -v enables verbose output\n"
641+ " -V print version number and exit\n"
642+ " -w specifies to wait forever for a reply\n"
643+@@ -657,6 +658,7 @@
644+ case 'N': break;
645+ case 'R': break;
646+ case 'T': break;
647++ case 'U': break;
648+ case 'W': break;
649+ default:
650+ show_usage();
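Review bot: the `case 'U': break;` added in the second hunk of this patch only stops `-U` from reaching `default: show_usage()`; like the neighbouring `N`, `R`, `T` and `W` cases it assumes the option is acted on in an earlier parsing pass, so please confirm that pass really switches the transport to UDP for `-U` (and that `-U` together with `-T` resolves in a defined order), otherwise the flag is accepted silently and the usage line added in the first hunk promises behaviour the tool does not have. The DEP-3 header is complete (Bug, Bug-Ubuntu, Applied-Upstream), which makes it clear this patch can be dropped at the next upstream update.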
651diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
652new file mode 100644
653index 0000000..f10f51f
654--- /dev/null
655+++ b/debian/patches/fix-shutdown-race.diff
656@@ -0,0 +1,41 @@
657+From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
658+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
659+Date: Tue, 13 Nov 2018 13:50:47 +0100
660+Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
661+
662+If a tool using the routines defined in bin/dig/dighost.c is sent an
663+interruption signal around the time a connection timeout is scheduled to
664+fire, connect_timeout() may be executed after destroy_libs() detaches
665+from the global task (setting 'global_task' to NULL), which results in a
666+crash upon a UDP retry due to bringup_timer() attempting to create a
667+timer with 'task' set to NULL. Fix by preventing connect_timeout() from
668+attempting a retry when shutdown is in progress.
669+
670+(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
671+
672+Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
673+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
674+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
675+Last-Update: 2018-12-06
676+
677+---
678+ bin/dig/dighost.c | 5 +++++
679+ 1 file changed, 5 insertions(+)
680+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
681+index 39abb9d0fd..17e0328228 100644
682+--- a/bin/dig/dighost.c
683++++ b/bin/dig/dighost.c
684+@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
685+
686+ INSIST(!free_now);
687+
688++ if (cancel_now) {
689++ UNLOCK_LOOKUP;
690++ return;
691++ }
692++
693+ if ((query != NULL) && (query->lookup->current_query != NULL) &&
694+ ISC_LINK_LINKED(query->lookup->current_query, link) &&
695+ (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
696+--
697+2.18.1
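Review bot: the early return added in `connect_timeout()` has to leave the lookup lock in the same state as the function's other exit paths; it does call `UNLOCK_LOOKUP` before returning, consistent with `INSIST(!free_now)` running under the lock, but the hunk shows none of the remaining body, so check that nothing between the new block and the existing `query->lookup->current_query` test still needs to run during shutdown (in particular any cleanup the rest of the function performs on `event`). Two header points: the subject is `[PATCH 1/2]` and Origin points at merge request 1040, so state whether the second patch of that series is deliberately not needed here; and although the body says `cherry picked from commit 4621756...`, an explicit DEP-3 `Applied-Upstream:` field (as in enable-udp-in-host-command.diff) would make it unambiguous that this patch can be dropped once a 9.11.x release carries the fix.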
698diff --git a/debian/patches/series b/debian/patches/series
699index 348be41..75144c4 100644
700--- a/debian/patches/series
701+++ b/debian/patches/series
702@@ -8,3 +8,5 @@
703 80_reproducible_build.diff
704 Add_--install-layout=deb_to_setup.py_call.patch
705 skip-rtld-deepbind-for-dyndb.diff
706+enable-udp-in-host-command.diff
707+fix-shutdown-race.diff
708diff --git a/debian/rules b/debian/rules
709index 7edd414..1a22081 100755
710--- a/debian/rules
711+++ b/debian/rules
712@@ -91,7 +91,7 @@ override_dh_auto_configure:
713 --with-gssapi=/usr \
714 --with-libidn2 \
715 --with-libjson=/usr \
716- --with-lmdb=/usr \
717+ --without-lmdb \
718 --with-gnu-ld \
719 --with-geoip=/usr \
720 --with-atf=no \
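Review bot: turning `--with-lmdb=/usr` into `--without-lmdb` is a feature change (it drops the LMDB backend named uses to persist zones added with `rndc addzone`), not packaging hygiene, and nothing in the hunk records why; add a comment next to the flag or an explicit changelog line so the delta against Debian is understood at the next merge, and drop the matching build-dependency from debian/control in the same change if one is present.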
721@@ -101,7 +101,6 @@ override_dh_auto_configure:
722 --enable-native-pkcs11 \
723 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
724 --with-randomdev=/dev/urandom \
725- --enable-dnstap \
726 --with-eddsa=no \
727 $(EXTRA_FEATURES)
728 dh_auto_configure -B build-udeb -- \
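Review bot: dropping `--enable-dnstap` is the change that the two libdns1104.symbols hunks above (`dns_dt_*`, `dnstap__*`) and the `cp lib/dns/dnstap.proto` removal in the next hunk depend on; the four hunks only make sense as one unit, so keep them in a single commit. As with `--without-lmdb` in the previous hunk, this is a deliberate divergence from Debian and the reason belongs in a comment or changelog line, and any build-dependency that only dnstap needed should leave debian/control at the same time.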
729@@ -128,8 +127,6 @@ override_dh_auto_configure:
730 # no need to build these targets here
731 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
732 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
733- cp lib/dns/dnstap.proto build/lib/dns
734- cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
735
736 override_dh_auto_build:
737 dh_auto_build -B build
738diff --git a/debian/tests/simpletest b/debian/tests/simpletest
739index 468a7c5..34b0b25 100755
740--- a/debian/tests/simpletest
741+++ b/debian/tests/simpletest
742@@ -10,10 +10,6 @@ setup() {
743 run() {
744 # Make a query against a local zone
745 dig -x 127.0.0.1 @127.0.0.1
746-
747- # Make a query against an external nameserver and check for DNSSEC validation
748- echo "Checking for DNSSEC validation status of internetsociety.org"
749- dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
750 }
751
752 teardown() {
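Review bot: removing the `internetsociety.org` query removes the only assertion in this test that named is actually validating (the `ad` flag in `flags:`), leaving `dig -x 127.0.0.1 @127.0.0.1` whose only check is dig's exit status, so a regression in which the resolver silently stops validating (trust anchor not loaded, validation disabled) would no longer be caught. Rather than deleting it, move the external check into its own test stanza so the local query keeps running on a testbed without egress, for example with the `skippable` restriction and an exit of 77 when the external query returns no answer at all, while keeping the `ad` assertion for the case where an answer does arrive. If the check is kept, `egrep 'flags:.+ad; QUERY'` is tied to `ad` being the last flag before `; QUERY`; matching `ad` as a whole flag (`flags:[^;]* ad[ ;]`) is less fragile.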
