Merge ~ahasenack/ubuntu/+source/bind9:disco-bind9-9.11.5p1-merge into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack on 2019-01-17
Status: Merged
Approved by: Christian Ehrhardt on 2019-01-22
Approved revision: f02ecb4bb174fbbff04a30d965b64aa78c57d611
Merge reported by: Andreas Hasenack
Merged at revision: f02ecb4bb174fbbff04a30d965b64aa78c57d611
Proposed branch: ~ahasenack/ubuntu/+source/bind9:disco-bind9-9.11.5p1-merge
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 778 lines (+492/-83)
10 files modified
debian/bind9.install (+0/-2)
debian/changelog (+420/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+2/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewer Review Type Date Requested Status
Christian Ehrhardt 2019-01-17 Approve on 2019-01-22
Canonical Server Team 2019-01-17 Pending
Review via email: mp+361928@code.launchpad.net

Description of the change

Merge from Debian's 9.11.5P1, which was just an upstream version bump with no further changes. Same here. The patches we added recently, which became part of our delta, are committed upstream in bind, but didn't make it into the 9.11.5P1 cut (I checked their git repo).

Bileto ticket, ppa (still building/running as I write this, I will check its status tomorrow):

https://bileto.ubuntu.com/#/ticket/3603

Andreas Hasenack (ahasenack) wrote :

Retriggering tests with proposed

Christian Ehrhardt (paelzer) wrote :

I have now looked at it for quite a while, but can't find anything.
Ack it as the straightforward merge, carrying all as-is, that it is.

The tests OTOH draw a different picture, mostly dependency issues in libdns and libbind.
I wonder if those are 2nd grade issues of libreadline, which we see so often recently, or a real issue.

I know that you will retrigger these tests with all_proposed to check if they are succeeding; under that condition, ack to the MP.

review: Approve
Andreas Hasenack (ahasenack) wrote :

DEP8 is green after the all-proposed dep8 re-run. Tagging and uploading.

Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded.

Andreas Hasenack (ahasenack) wrote :

bind9 migrated, setting MP to merged:
 bind9 | 1:9.11.5.P1+dfsg-1ubuntu1 | disco | source, amd64, arm64, armhf, i386, ppc64el, s390x

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
21diff --git a/debian/changelog b/debian/changelog
22index 1cf4a21..279b742 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,9 +1,68 @@
26+bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ - Don't build dnstap as it depends on universe packages:
31+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
32+ protobuf-c-compiler (universe packages)
33+ + d/dnsutils.install: don't install dnstap
34+ + d/libdns1104.symbols: don't include dnstap symbols
35+ + d/rules: don't build dnstap nor install dnstap.proto
36+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
37+ option (LP #1804648)
38+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
39+ close to a query timeout (LP #1797926)
40+ - d/t/simpletest: drop the internetsociety.org test as it requires
41+ network egress access that is not available in the Ubuntu autopkgtest
42+ farm.
43+
44+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200
45+
46 bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
47
48 * New upstream version 9.11.5.P1+dfsg
49
50 -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000
51
52+bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
53+
54+ * Merge with Debian unstable. Remaining changes:
55+ - Build without lmdb support as that package is in Universe
56+ - Don't build dnstap as it depends on universe packages:
57+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
58+ protobuf-c-compiler (universe packages)
59+ + d/dnsutils.install: don't install dnstap
60+ + d/libdns1104.symbols: don't include dnstap symbols
61+ + d/rules: don't build dnstap nor install dnstap.proto
62+ * Dropped:
63+ - SECURITY UPDATE: denial of service crash when deny-answer-aliases
64+ option is used
65+ + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
66+ trigger a crash if deny-answer-aliases was set
67+ + debian/patches/CVE-2018-5740-2.patch: add tests
68+ + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
69+ chainingp correctly, add test
70+ + CVE-2018-5740
71+ [Fixed in new upstream version 9.11.5]
72+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
73+ line (Closes: #904983)
74+ [Fixed in 1:9.11.4+dfsg-4]
75+ - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
76+ [Fixed in 1:9.11.4.P1+dfsg-1]
77+ - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
78+ (it depends on OpenSSL version) (Closes: #897643)
79+ [Fixed in 1:9.11.4.P1+dfsg-1]
80+ * Added:
81+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
82+ option (LP: #1804648)
83+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
84+ close to a query timeout (LP: #1797926)
85+ - d/t/simpletest: drop the internetsociety.org test as it requires
86+ network egress access that is not available in the Ubuntu autopkgtest
87+ farm.
88+
89+ -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
90+
91 bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
92
93 * Use team+dns@tracker.debian.org as Maintainer address
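Review bot: in the new 1:9.11.5.P1+dfsg-1ubuntu1 entry, d/p/enable-udp-in-host-command.diff and d/p/fix-shutdown-race.diff are listed under "Remaining changes" with no hint that they are upstream backports. Both patch headers later in this diff point at upstream commits, so a short bracketed note on each item, in the style of the "[Fixed in ...]" markers used in the Dropped section of the entry below, saying they can be dropped once an upstream release carrying those commits is merged, would save the next merger the lookup.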
94@@ -65,6 +124,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
95
96 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
97
98+bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
99+
100+ * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
101+
102+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
103+
104+bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
105+
106+ * SECURITY UPDATE: denial of service crash when deny-answer-aliases
107+ option is used
108+ - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
109+ trigger a crash if deny-answer-aliases was set
110+ - debian/patches/CVE-2018-5740-2.patch: add tests
111+ - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
112+ chainingp correctly, add test
113+ - CVE-2018-5740
114+
115+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
116+
117+bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
118+
119+ * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
120+ (it depends on OpenSSL version) (Closes: #897643)
121+
122+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
123+
124+bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
125+
126+ * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
127+ crashing on startup. (LP: #1769440)
128+
129+ -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
130+
131+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
132+
133+ * Merge with Debian unstable. Remaining changes:
134+ - Build without lmdb support as that package is in Universe
135+ * Added:
136+ - Don't build dnstap as it depends on universe packages:
137+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
138+ protobuf-c-compiler (universe packages)
139+ + d/dnsutils.install: don't install dnstap
140+ + d/libdns1102.symbols: don't include dnstap symbols
141+ + d/rules: don't build dnstap
142+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
143+ line (Closes: #904983)
144+
145+ -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
146+
147 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
148
149 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
150@@ -95,6 +203,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
151
152 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
153
154+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
155+
156+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
157+ - Build without lmdb support as that package is in Universe
158+ * Drop:
159+ - SECURITY UPDATE: improperly permits recursive query service
160+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
161+ in bin/named/server.c.
162+ + CVE-2018-5738
163+ [Applied in Debian's 1:9.11.3+dfsg-2]
164+
165+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
166+
167 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
168
169 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
170@@ -103,6 +224,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
171
172 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
173
174+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
175+
176+ * SECURITY UPDATE: improperly permits recursive query service
177+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
178+ in bin/named/server.c.
179+ - CVE-2018-5738
180+
181+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
182+
183+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
184+
185+ * New upstream release. (LP: #1763572)
186+ - fix a crash when configured with ipa-dns-install
187+ * Merge from Debian unstable. Remaining changes:
188+ - Build without lmdb support as that package is in Universe
189+
190+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
191+
192 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
193
194 [ Bernhard Schmidt ]
195@@ -127,6 +266,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
196
197 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
198
199+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
200+
201+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
202+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
203+ <marka@isc.org>. (LP: #1755439)
204+
205+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
206+
207+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
208+
209+ * Fix apparmor profile filename (LP: #1754981)
210+
211+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
212+
213+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
214+
215+ * No change rebuild against openssl1.1.
216+
217+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
218+
219+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
220+
221+ * Build without lmdb support as that package is in Universe (LP: #1746296)
222+ - d/control: remove Build-Depends on liblmdb-dev
223+ - d/rules: configure --without-lmdb
224+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
225+ lmdb.
226+
227+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
228+
229+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
230+
231+ * Merge with Debian unstable (LP: #1744930).
232+ * Drop:
233+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
234+ (LP #1536181).
235+ [fixed in 1:9.10.6+dfsg-4]
236+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
237+ [adopted in 1:9.10.6+dfsg-5]
238+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
239+ introduced with the CVE-2016-8864.patch and fixed in
240+ CVE-2016-8864-regression.patch.
241+ [applied upstream]
242+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
243+ regression (RT #44318) introduced with the CVE-2016-8864.patch
244+ and fixed in CVE-2016-8864-regression2.patch.
245+ [applied upstream]
246+ - d/control, d/rules: add json support for the statistics channels.
247+ (LP #1669193)
248+ [adopted in 1:9.10.6+dfsg-5]
249+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
250+ listing the python ply module as a dependency (Closes: #888463)
251+
252+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
253+
254 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
255
256 * New upstream version 9.11.2-P1
257@@ -302,6 +496,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
258
259 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
260
261+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
262+
263+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
264+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
265+ (LP #1536181).
266+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
267+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
268+ introduced with the CVE-2016-8864.patch and fixed in
269+ CVE-2016-8864-regression.patch.
270+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
271+ regression (RT #44318) introduced with the CVE-2016-8864.patch
272+ and fixed in CVE-2016-8864-regression2.patch.
273+ - d/control, d/rules: add json support for the statistics channels.
274+ (LP #1669193)
275+
276+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
277+
278+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
279+
280+ * Non-maintainer upload.
281+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
282+
283+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
284+
285+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
286+
287+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
288+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
289+ (LP #1536181).
290+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
291+ * Drop:
292+ - SECURITY UPDATE: denial of service via assertion failure
293+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
294+ lib/dns/message.c.
295+ + CVE-2016-2776
296+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
297+ - SECURITY UPDATE: assertion failure via class mismatch
298+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
299+ records in lib/dns/resolver.c.
300+ + CVE-2016-9131
301+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
302+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
303+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
304+ returned without the requested data in lib/dns/resolver.c.
305+ + CVE-2016-9147
306+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
307+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
308+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
309+ lib/dns/message.c, lib/dns/resolver.c.
310+ + CVE-2016-9444
311+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
312+ - SECURITY UPDATE: regression in CVE-2016-8864
313+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
314+ responses in lib/dns/resolver.c, added tests to
315+ bin/tests/system/dname/ns2/example.db,
316+ bin/tests/system/dname/tests.sh.
317+ + No CVE number
318+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
319+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
320+ a NULL pointer
321+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
322+ combination in bin/named/query.c, lib/dns/message.c,
323+ lib/dns/rdataset.c.
324+ + CVE-2017-3135
325+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
326+ - SECURITY UPDATE: regression in CVE-2016-8864
327+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
328+ was still being cached when it should have been in lib/dns/resolver.c,
329+ added tests to bin/tests/system/dname/ans3/ans.pl,
330+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
331+ + No CVE number
332+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
333+ - SECURITY UPDATE: Denial of Service due to an error handling
334+ synthesized records when using DNS64 with "break-dnssec yes;"
335+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
336+ called.
337+ + CVE-2017-3136
338+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
339+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
340+ processing a response packet containing a CNAME or DNAME
341+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
342+ ordering of answer components; add testcases.
343+ + CVE-2017-3137
344+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
345+ - SECURITY UPDATE: Denial of Service when receiving a null command on
346+ the control channel
347+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
348+ command token is given; add testcase.
349+ + CVE-2017-3138
350+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
351+ - SECURITY UPDATE: TSIG authentication issues
352+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
353+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
354+ + CVE-2017-3142
355+ + CVE-2017-3143
356+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
357+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
358+ introduced with the CVE-2016-8864.patch and fixed in
359+ CVE-2016-8864-regression.patch.
360+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
361+ regression (RT #44318) introduced with the CVE-2016-8864.patch
362+ and fixed in CVE-2016-8864-regression2.patch.
363+ * d/control, d/rules: add json support for the statistics channels.
364+ (LP: #1669193)
365+
366+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
367+
368+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
369+
370+ * Non-maintainer upload.
371+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
372+ signed TCP message sequences where not all the messages contain TSIG
373+ records. These may be used in AXFR and IXFR responses.
374+ (Closes: #868952)
375+
376+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
377+
378+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
379+
380+ * Non-maintainer upload.
381+
382+ [ Yves-Alexis Perez ]
383+ * debian/patches:
384+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
385+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
386+ transfers. An attacker may be able to circumvent TSIG authentication of
387+ AXFR and Notify requests.
388+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
389+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
390+ signature for a dynamic update.
391+ (Closes: #866564)
392+
393+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
394+
395 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
396
397 [ Bernhard Schmidt ]
398@@ -408,6 +736,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
399
400 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
401
402+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
403+
404+ * SECURITY UPDATE: TSIG authentication issues
405+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
406+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
407+ - CVE-2017-3142
408+ - CVE-2017-3143
409+
410+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
411+
412+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
413+
414+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
415+
416+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
417+
418+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
419+
420+ * SECURITY UPDATE: Denial of Service due to an error handling
421+ synthesized records when using DNS64 with "break-dnssec yes;"
422+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
423+ called.
424+ - CVE-2017-3136
425+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
426+ processing a response packet containing a CNAME or DNAME
427+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
428+ ordering of answer components; add testcases.
429+ - CVE-2017-3137
430+ * SECURITY UPDATE: Denial of Service when receiving a null command on
431+ the control channel
432+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
433+ command token is given; add testcase.
434+ - CVE-2017-3138
435+
436+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
437+
438+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
439+
440+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
441+ a NULL pointer
442+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
443+ combination in bin/named/query.c, lib/dns/message.c,
444+ lib/dns/rdataset.c.
445+ - CVE-2017-3135
446+ * SECURITY UPDATE: regression in CVE-2016-8864
447+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
448+ was still being cached when it should have been in lib/dns/resolver.c,
449+ added tests to bin/tests/system/dname/ans3/ans.pl,
450+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
451+ - No CVE number
452+
453+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
454+
455+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
456+
457+ * SECURITY UPDATE: assertion failure via class mismatch
458+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
459+ records in lib/dns/resolver.c.
460+ - CVE-2016-9131
461+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
462+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
463+ returned without the requested data in lib/dns/resolver.c.
464+ - CVE-2016-9147
465+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
466+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
467+ lib/dns/message.c, lib/dns/resolver.c.
468+ - CVE-2016-9444
469+ * SECURITY UPDATE: regression in CVE-2016-8864
470+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
471+ responses in lib/dns/resolver.c, added tests to
472+ bin/tests/system/dname/ns2/example.db,
473+ bin/tests/system/dname/tests.sh.
474+ - No CVE number
475+
476+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
477+
478+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
479+
480+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
481+ (LP: #1536181).
482+
483+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
484+
485+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
486+
487+ * SECURITY UPDATE: denial of service via assertion failure
488+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
489+ lib/dns/message.c.
490+ - CVE-2016-2776
491+
492+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
493+
494 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
495
496 * Non-maintainer upload.
497diff --git a/debian/control b/debian/control
498index 73c2a17..3d7f03d 100644
499--- a/debian/control
500+++ b/debian/control
501@@ -1,7 +1,8 @@
502 Source: bind9
503 Section: net
504 Priority: optional
505-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
506+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
507+XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
508 Uploaders: LaMont Jones <lamont@debian.org>,
509 Michael Gilbert <mgilbert@debian.org>,
510 Robie Basak <robie.basak@canonical.com>,
511@@ -15,18 +16,14 @@ Build-Depends: bison,
512 dpkg-dev (>= 1.16.1~),
513 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
514 libdb-dev (>>4.6),
515- libfstrm-dev,
516 libgeoip-dev (>= 1.4.6.dfsg-5),
517 libidn2-dev,
518 libjson-c-dev,
519 libkrb5-dev,
520 libldap2-dev,
521- liblmdb-dev,
522- libprotobuf-c-dev,
523 libssl-dev,
524 libtool,
525 libxml2-dev,
526- protobuf-c-compiler,
527 python3,
528 python3-distutils,
529 python3-ply
530diff --git a/debian/dnsutils.install b/debian/dnsutils.install
531index 90e4fba..5e6b7d9 100644
532--- a/debian/dnsutils.install
533+++ b/debian/dnsutils.install
534@@ -1,12 +1,10 @@
535 usr/bin/delv
536 usr/bin/dig
537-usr/bin/dnstap-read
538 usr/bin/mdig
539 usr/bin/nslookup
540 usr/bin/nsupdate
541 usr/share/man/man1/delv.1
542 usr/share/man/man1/dig.1
543-usr/share/man/man1/dnstap-read.1
544 usr/share/man/man1/mdig.1
545 usr/share/man/man1/nslookup.1
546 usr/share/man/man1/nsupdate.1
547diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
548index a3b9f10..7b6020e 100644
549--- a/debian/libdns1104.symbols
550+++ b/debian/libdns1104.symbols
551@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
552 dns_dsdigest_format@Base 1:9.11.3+dfsg
553 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
554 dns_dsdigest_totext@Base 1:9.11.3+dfsg
555- dns_dt_attach@Base 1:9.11.4+dfsg-2
556- dns_dt_close@Base 1:9.11.4+dfsg-2
557- dns_dt_create@Base 1:9.11.4+dfsg-2
558- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
559- dns_dt_detach@Base 1:9.11.4+dfsg-2
560- dns_dt_getframe@Base 1:9.11.4+dfsg-2
561- dns_dt_getstats@Base 1:9.11.4+dfsg-2
562- dns_dt_open@Base 1:9.11.4+dfsg-2
563- dns_dt_parse@Base 1:9.11.4+dfsg-2
564- dns_dt_reopen@Base 1:9.11.4+dfsg-2
565- dns_dt_send@Base 1:9.11.4+dfsg-2
566- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
567- dns_dt_setversion@Base 1:9.11.4+dfsg-2
568- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
569- dns_dtdata_free@Base 1:9.11.4+dfsg-2
570 dns_dumpctx_attach@Base 1:9.11.3+dfsg
571 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
572 dns_dumpctx_db@Base 1:9.11.3+dfsg
573@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
574 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
575 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
576 dns_zt_unmount@Base 1:9.11.3+dfsg
577- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
578- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
579- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
580- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
581- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
582- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
583- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
584- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
585- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
586- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
587- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
588- dnstap__message__init@Base 1:9.11.4+dfsg-2
589- dnstap__message__pack@Base 1:9.11.4+dfsg-2
590- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
591- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
592- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
593- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
594- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
595 dst__entropy_getdata@Base 1:9.11.3+dfsg
596 dst__entropy_status@Base 1:9.11.3+dfsg
597 dst__gssapi_init@Base 1:9.11.3+dfsg
598@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
599 dns_dsdigest_format@Base 1:9.11.3+dfsg
600 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
601 dns_dsdigest_totext@Base 1:9.11.3+dfsg
602- dns_dt_attach@Base 1:9.11.4+dfsg-2
603- dns_dt_close@Base 1:9.11.4+dfsg-2
604- dns_dt_create@Base 1:9.11.4+dfsg-2
605- dns_dt_datatotext@Base 1:9.11.4+dfsg-2
606- dns_dt_detach@Base 1:9.11.4+dfsg-2
607- dns_dt_getframe@Base 1:9.11.4+dfsg-2
608- dns_dt_getstats@Base 1:9.11.4+dfsg-2
609- dns_dt_open@Base 1:9.11.4+dfsg-2
610- dns_dt_parse@Base 1:9.11.4+dfsg-2
611- dns_dt_reopen@Base 1:9.11.4+dfsg-2
612- dns_dt_send@Base 1:9.11.4+dfsg-2
613- dns_dt_setidentity@Base 1:9.11.4+dfsg-2
614- dns_dt_setversion@Base 1:9.11.4+dfsg-2
615- dns_dt_shutdown@Base 1:9.11.4+dfsg-2
616- dns_dtdata_free@Base 1:9.11.4+dfsg-2
617 dns_dumpctx_attach@Base 1:9.11.3+dfsg
618 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
619 dns_dumpctx_db@Base 1:9.11.3+dfsg
620@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
621 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
622 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
623 dns_zt_unmount@Base 1:9.11.3+dfsg
624- dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
625- dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
626- dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
627- dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
628- dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
629- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
630- dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
631- dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
632- dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
633- dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
634- dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
635- dnstap__message__init@Base 1:9.11.4+dfsg-2
636- dnstap__message__pack@Base 1:9.11.4+dfsg-2
637- dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
638- dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
639- dnstap__message__unpack@Base 1:9.11.4+dfsg-2
640- dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
641- dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
642 dst__entropy_getdata@Base 1:9.11.3+dfsg
643 dst__entropy_status@Base 1:9.11.3+dfsg
644 dst__gssapi_init@Base 1:9.11.3+dfsg
645diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
646new file mode 100644
647index 0000000..5444ae7
648--- /dev/null
649+++ b/debian/patches/enable-udp-in-host-command.diff
650@@ -0,0 +1,26 @@
651+Description: Fix parsing of host(1)'s -U command line option
652+Author: Andreas Hasenack <andreas@canonical.com>
653+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
654+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
655+Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
656+Last-Update: 2018-12-06
657+---
658+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
659+--- a/bin/dig/host.c
660++++ b/bin/dig/host.c
661+@@ -158,6 +158,7 @@
662+ " -s a SERVFAIL response should stop query\n"
663+ " -t specifies the query type\n"
664+ " -T enables TCP/IP mode\n"
665++" -U enables UDP mode\n"
666+ " -v enables verbose output\n"
667+ " -V print version number and exit\n"
668+ " -w specifies to wait forever for a reply\n"
669+@@ -657,6 +658,7 @@
670+ case 'N': break;
671+ case 'R': break;
672+ case 'T': break;
673++ case 'U': break;
674+ case 'W': break;
675+ default:
676+ show_usage();
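Review bot: nothing in this merge exercises the newly accepted -U option. The second inner hunk only adds "case 'U': break;" to a switch whose default branch calls show_usage(), so a regression would surface as host(1) printing usage and failing. Consider adding a "host -U" lookup against 127.0.0.1 to d/t/simpletest, next to the existing local dig query, so DEP8 catches it if the patch is dropped too early or stops applying cleanly.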
677diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
678new file mode 100644
679index 0000000..f10f51f
680--- /dev/null
681+++ b/debian/patches/fix-shutdown-race.diff
682@@ -0,0 +1,41 @@
683+From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
684+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
685+Date: Tue, 13 Nov 2018 13:50:47 +0100
686+Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
687+
688+If a tool using the routines defined in bin/dig/dighost.c is sent an
689+interruption signal around the time a connection timeout is scheduled to
690+fire, connect_timeout() may be executed after destroy_libs() detaches
691+from the global task (setting 'global_task' to NULL), which results in a
692+crash upon a UDP retry due to bringup_timer() attempting to create a
693+timer with 'task' set to NULL. Fix by preventing connect_timeout() from
694+attempting a retry when shutdown is in progress.
695+
696+(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
697+
698+Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
699+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
700+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
701+Last-Update: 2018-12-06
702+
703+---
704+ bin/dig/dighost.c | 5 +++++
705+ 1 file changed, 5 insertions(+)
706+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
707+index 39abb9d0fd..17e0328228 100644
708+--- a/bin/dig/dighost.c
709++++ b/bin/dig/dighost.c
710+@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
711+
712+ INSIST(!free_now);
713+
714++ if (cancel_now) {
715++ UNLOCK_LOOKUP;
716++ return;
717++ }
718++
719+ if ((query != NULL) && (query->lookup->current_query != NULL) &&
720+ ISC_LINK_LINKED(query->lookup->current_query, link) &&
721+ (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
722+--
723+2.18.1
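Review bot: the embedded header reads "Subject: [PATCH 1/2]", but d/p/series only gains this one file, and the header does not say what 2/2 contained or why it is not needed here. Please state that in the DEP-3 header (or carry the second patch). Also, unlike enable-udp-in-host-command.diff, this header has no Applied-Upstream field; the commit named in the "cherry picked from" line could be recorded there so both patches can be checked against upstream the same way at the next merge.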
724diff --git a/debian/patches/series b/debian/patches/series
725index 348be41..75144c4 100644
726--- a/debian/patches/series
727+++ b/debian/patches/series
728@@ -8,3 +8,5 @@
729 80_reproducible_build.diff
730 Add_--install-layout=deb_to_setup.py_call.patch
731 skip-rtld-deepbind-for-dyndb.diff
732+enable-udp-in-host-command.diff
733+fix-shutdown-race.diff
734diff --git a/debian/rules b/debian/rules
735index 7edd414..1a22081 100755
736--- a/debian/rules
737+++ b/debian/rules
738@@ -91,7 +91,7 @@ override_dh_auto_configure:
739 --with-gssapi=/usr \
740 --with-libidn2 \
741 --with-libjson=/usr \
742- --with-lmdb=/usr \
743+ --without-lmdb \
744 --with-gnu-ld \
745 --with-geoip=/usr \
746 --with-atf=no \
747@@ -101,7 +101,6 @@ override_dh_auto_configure:
748 --enable-native-pkcs11 \
749 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
750 --with-randomdev=/dev/urandom \
751- --enable-dnstap \
752 --with-eddsa=no \
753 $(EXTRA_FEATURES)
754 dh_auto_configure -B build-udeb -- \
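Review bot: removing "--enable-dnstap" leaves the feature state to configure's default, whereas the lmdb change in the previous hunk is explicit ("--without-lmdb"). For consistency, and so the build does not silently change if the default or the build environment changes, consider passing an explicit "--disable-dnstap" here instead of just dropping the line.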
755@@ -128,8 +127,6 @@ override_dh_auto_configure:
756 # no need to build these targets here
757 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
758 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
759- cp lib/dns/dnstap.proto build/lib/dns
760- cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
761
762 override_dh_auto_build:
763 dh_auto_build -B build
764diff --git a/debian/tests/simpletest b/debian/tests/simpletest
765index 468a7c5..34b0b25 100755
766--- a/debian/tests/simpletest
767+++ b/debian/tests/simpletest
768@@ -10,10 +10,6 @@ setup() {
769 run() {
770 # Make a query against a local zone
771 dig -x 127.0.0.1 @127.0.0.1
772-
773- # Make a query against an external nameserver and check for DNSSEC validation
774- echo "Checking for DNSSEC validation status of internetsociety.org"
775- dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
776 }
777
778 teardown() {
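Review bot: with the internetsociety.org query removed, run() no longer checks DNSSEC validation at all; the only remaining probe is "dig -x 127.0.0.1 @127.0.0.1", which has no check on the ad flag. Rather than dropping the coverage, consider having setup() serve a small locally signed zone with a matching trust anchor and keeping the "egrep 'flags:.+ad; QUERY'" assertion against that zone, which needs no network egress from the autopkgtest farm.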
