Merge ~ahasenack/ubuntu/+source/bind9:eoan-bind-merge-9.11.5.p4-4 into ubuntu/+source/bind9:debian/sid
| Field | Value |
|---|---|
| Status | Merged |
| Approved by | Andreas Hasenack |
| Approved revision | 5de12ebea9dd344d915139824440352427b67fde |
| Merge reported by | Andreas Hasenack |
| Merged at revision | 5de12ebea9dd344d915139824440352427b67fde |
| Proposed branch | ~ahasenack/ubuntu/+source/bind9:eoan-bind-merge-9.11.5.p4-4 |
| Merge into | ubuntu/+source/bind9:debian/sid |
| Diff against target | 882 lines (+589/-83), 10 files modified |

Files modified:
- debian/bind9.install (+0/-2)
- debian/changelog (+517/-0)
- debian/control (+2/-5)
- debian/dnsutils.install (+0/-2)
- debian/libdns1104.symbols (+0/-66)
- debian/patches/enable-udp-in-host-command.diff (+26/-0)
- debian/patches/fix-shutdown-race.diff (+41/-0)
- debian/patches/series (+2/-0)
- debian/rules (+1/-4)
- debian/tests/simpletest (+0/-4)
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Christian Ehrhardt (community) | | | Approve |
| Canonical Server | | | Pending |

Review via email: mp+366871@code.launchpad.net
Commit message
Description of the change
Merge from Debian.
Was able to drop from the delta:
- security updates
- eddsa support change
d/p/enable-
In 1:9.11.5.P4+dfsg-1, Debian removed the Debian revision from the dnstap symbols, so that made our delta change accordingly because we are removing those symbols, since we don't build that support. You will see this change in the git range-diff.
Usual tags are pushed.
range-diff command you might want to use:
git range-diff old/debian.
PPA with a test build: sudo add-apt-repository ppa:ahasenack/
https:/
Andreas Hasenack (ahasenack) wrote:
Thanks, tagged and uploaded:
$ git push pkg upload/
Enumerating objects: 60, done.
Counting objects: 100% (60/60), done.
Delta compression using up to 4 threads
Compressing objects: 100% (47/47), done.
Writing objects: 100% (48/48), 11.99 KiB | 454.00 KiB/s, done.
Total 48 (delta 32), reused 1 (delta 1)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../bind9_
Checking signature on .changes
gpg: ../bind9_
Checking signature on .dsc
gpg: ../bind9_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Successfully uploaded packages.
Andreas Hasenack (ahasenack) wrote:
This migrated already.
Preview Diff
1 | diff --git a/debian/bind9.install b/debian/bind9.install |
2 | index 26d595e..fd7f0f5 100644 |
3 | --- a/debian/bind9.install |
4 | +++ b/debian/bind9.install |
5 | @@ -16,7 +16,6 @@ usr/sbin/genrandom |
6 | usr/sbin/isc-hmac-fixup |
7 | usr/sbin/named |
8 | usr/sbin/named-journalprint |
9 | -usr/sbin/named-nzd2nzf |
10 | usr/sbin/named-pkcs11 |
11 | usr/sbin/nsec3hash |
12 | usr/sbin/tsig-keygen |
13 | @@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8 |
14 | usr/share/man/man8/genrandom.8 |
15 | usr/share/man/man8/isc-hmac-fixup.8 |
16 | usr/share/man/man8/named-journalprint.8 |
17 | -usr/share/man/man8/named-nzd2nzf.8 |
18 | usr/share/man/man8/named.8 |
19 | usr/share/man/man8/nsec3hash.8 |
20 | usr/share/man/man8/tsig-keygen.8 |
21 | diff --git a/debian/changelog b/debian/changelog |
22 | index 0f9e775..568200c 100644 |
23 | --- a/debian/changelog |
24 | +++ b/debian/changelog |
25 | @@ -1,3 +1,57 @@ |
26 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium |
27 | + |
28 | + * Merge with Debian unstable. Remaining changes: |
29 | + - Build without lmdb support as that package is in Universe |
30 | + - Don't build dnstap as it depends on universe packages: |
31 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
32 | + protobuf-c-compiler (universe packages) |
33 | + + d/dnsutils.install: don't install dnstap |
34 | + + d/libdns1104.symbols: don't include dnstap symbols |
35 | + + d/rules: don't build dnstap nor install dnstap.proto |
36 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
37 | + option (LP #1804648) |
38 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
39 | + close to a query timeout (LP #1797926) |
40 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
41 | + network egress access that is not available in the Ubuntu autopkgtest |
42 | + farm. |
43 | + * Dropped: |
44 | + - SECURITY UPDATE: memory leak via specially crafted packet |
45 | + + debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
46 | + options in bin/named/client.c. |
47 | + + CVE-2018-5744 |
48 | + [Fixed upstream in 9.11.5-P2] |
49 | + - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
50 | + unsupported key algorithm when using managed-keys |
51 | + + debian/patches/CVE-2018-5745.patch: properly handle situations when |
52 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
53 | + lib/dns/zone.c. |
54 | + + CVE-2018-5745 |
55 | + [Fixed upstream in 9.11.5-P2] |
56 | + - SECURITY UPDATE: Controls for zone transfers may not be properly |
57 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
58 | + + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
59 | + the zone table as a DLZ zone bin/named/xfrout.c. |
60 | + + CVE-2019-6465 |
61 | + [Fixed upstream in 9.11.5-P3] |
62 | + - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
63 | + + debian/patches/CVE-2018-5743.patch: add reference counting in |
64 | + bin/named/client.c, bin/named/include/named/client.h, |
65 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
66 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
67 | + lib/isc/win32/libisc.def.in. |
68 | + + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
69 | + operations with isc_refcount reference counting in |
70 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
71 | + bin/named/interfacemgr.c. |
72 | + + debian/libisc1100.symbols: added new symbols. |
73 | + + CVE-2018-5743 |
74 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
75 | + - d/rules: add back EdDSA support (LP #1825712) |
76 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
77 | + |
78 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300 |
79 | + |
80 | bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium |
81 | |
82 | [ Bernhard Schmidt ] |
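Review bot: The "Dropped" item for CVE-2018-5743 is justified only by "[Fixed in 1:9.11.5.P4+dfsg-4]", a Debian revision, while the other three security drops in this entry cite an upstream release (9.11.5-P2, 9.11.5-P3). The Ubuntu delta carried two patches for it (CVE-2018-5743.patch and CVE-2018-5743-atomic-fix.patch) plus the debian/libisc1100.symbols additions, so the bracket note should name the Debian patch or changelog line that replaces them. That lets a later reader confirm that the isc_refcount follow-up and the new symbols are covered, and not only the first patch.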
83 | @@ -70,12 +124,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium |
84 | |
85 | -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100 |
86 | |
87 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium |
88 | + |
89 | + * d/rules: add back EdDSA support (LP: #1825712) |
90 | + |
91 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000 |
92 | + |
93 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium |
94 | + |
95 | + * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
96 | + - debian/patches/CVE-2018-5743.patch: add reference counting in |
97 | + bin/named/client.c, bin/named/include/named/client.h, |
98 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
99 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
100 | + lib/isc/win32/libisc.def.in. |
101 | + - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
102 | + operations with isc_refcount reference counting in |
103 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
104 | + bin/named/interfacemgr.c. |
105 | + - debian/libisc1100.symbols: added new symbols. |
106 | + - CVE-2018-5743 |
107 | + |
108 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400 |
109 | + |
110 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium |
111 | + |
112 | + * SECURITY UPDATE: memory leak via specially crafted packet |
113 | + - debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
114 | + options in bin/named/client.c. |
115 | + - CVE-2018-5744 |
116 | + * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
117 | + unsupported key algorithm when using managed-keys |
118 | + - debian/patches/CVE-2018-5745.patch: properly handle situations when |
119 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
120 | + lib/dns/zone.c. |
121 | + - CVE-2018-5745 |
122 | + * SECURITY UPDATE: Controls for zone transfers may not be properly |
123 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
124 | + - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
125 | + the zone table as a DLZ zone bin/named/xfrout.c. |
126 | + - CVE-2019-6465 |
127 | + |
128 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100 |
129 | + |
130 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium |
131 | + |
132 | + * Merge with Debian unstable. Remaining changes: |
133 | + - Build without lmdb support as that package is in Universe |
134 | + - Don't build dnstap as it depends on universe packages: |
135 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
136 | + protobuf-c-compiler (universe packages) |
137 | + + d/dnsutils.install: don't install dnstap |
138 | + + d/libdns1104.symbols: don't include dnstap symbols |
139 | + + d/rules: don't build dnstap nor install dnstap.proto |
140 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
141 | + option (LP #1804648) |
142 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
143 | + close to a query timeout (LP #1797926) |
144 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
145 | + network egress access that is not available in the Ubuntu autopkgtest |
146 | + farm. |
147 | + |
148 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 |
149 | + |
150 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium |
151 | |
152 | * New upstream version 9.11.5.P1+dfsg |
153 | |
154 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 |
155 | |
156 | +bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium |
157 | + |
158 | + * Merge with Debian unstable. Remaining changes: |
159 | + - Build without lmdb support as that package is in Universe |
160 | + - Don't build dnstap as it depends on universe packages: |
161 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
162 | + protobuf-c-compiler (universe packages) |
163 | + + d/dnsutils.install: don't install dnstap |
164 | + + d/libdns1104.symbols: don't include dnstap symbols |
165 | + + d/rules: don't build dnstap nor install dnstap.proto |
166 | + * Dropped: |
167 | + - SECURITY UPDATE: denial of service crash when deny-answer-aliases |
168 | + option is used |
169 | + + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
170 | + trigger a crash if deny-answer-aliases was set |
171 | + + debian/patches/CVE-2018-5740-2.patch: add tests |
172 | + + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
173 | + chainingp correctly, add test |
174 | + + CVE-2018-5740 |
175 | + [Fixed in new upstream version 9.11.5] |
176 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
177 | + line (Closes: #904983) |
178 | + [Fixed in 1:9.11.4+dfsg-4] |
179 | + - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) |
180 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
181 | + - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
182 | + (it depends on OpenSSL version) (Closes: #897643) |
183 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
184 | + * Added: |
185 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
186 | + option (LP: #1804648) |
187 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
188 | + close to a query timeout (LP: #1797926) |
189 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
190 | + network egress access that is not available in the Ubuntu autopkgtest |
191 | + farm. |
192 | + |
193 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 |
194 | + |
195 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium |
196 | |
197 | * Use team+dns@tracker.debian.org as Maintainer address |
198 | @@ -137,6 +293,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium |
199 | |
200 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 |
201 | |
202 | +bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high |
203 | + |
204 | + * No change rebuild against openssl 1.1.1 with TLS 1.3 support. |
205 | + |
206 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 |
207 | + |
208 | +bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium |
209 | + |
210 | + * SECURITY UPDATE: denial of service crash when deny-answer-aliases |
211 | + option is used |
212 | + - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
213 | + trigger a crash if deny-answer-aliases was set |
214 | + - debian/patches/CVE-2018-5740-2.patch: add tests |
215 | + - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
216 | + chainingp correctly, add test |
217 | + - CVE-2018-5740 |
218 | + |
219 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 |
220 | + |
221 | +bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium |
222 | + |
223 | + * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
224 | + (it depends on OpenSSL version) (Closes: #897643) |
225 | + |
226 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 |
227 | + |
228 | +bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium |
229 | + |
230 | + * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 |
231 | + crashing on startup. (LP: #1769440) |
232 | + |
233 | + -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 |
234 | + |
235 | +bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium |
236 | + |
237 | + * Merge with Debian unstable. Remaining changes: |
238 | + - Build without lmdb support as that package is in Universe |
239 | + * Added: |
240 | + - Don't build dnstap as it depends on universe packages: |
241 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
242 | + protobuf-c-compiler (universe packages) |
243 | + + d/dnsutils.install: don't install dnstap |
244 | + + d/libdns1102.symbols: don't include dnstap symbols |
245 | + + d/rules: don't build dnstap |
246 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
247 | + line (Closes: #904983) |
248 | + |
249 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 |
250 | + |
251 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium |
252 | |
253 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) |
254 | @@ -167,6 +372,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium |
255 | |
256 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 |
257 | |
258 | +bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium |
259 | + |
260 | + * Merge with Debian unstable (LP: #1777935). Remaining changes: |
261 | + - Build without lmdb support as that package is in Universe |
262 | + * Drop: |
263 | + - SECURITY UPDATE: improperly permits recursive query service |
264 | + + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
265 | + in bin/named/server.c. |
266 | + + CVE-2018-5738 |
267 | + [Applied in Debian's 1:9.11.3+dfsg-2] |
268 | + |
269 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 |
270 | + |
271 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
272 | |
273 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion |
274 | @@ -175,6 +393,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
275 | |
276 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 |
277 | |
278 | +bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium |
279 | + |
280 | + * SECURITY UPDATE: improperly permits recursive query service |
281 | + - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
282 | + in bin/named/server.c. |
283 | + - CVE-2018-5738 |
284 | + |
285 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 |
286 | + |
287 | +bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low |
288 | + |
289 | + * New upstream release. (LP: #1763572) |
290 | + - fix a crash when configured with ipa-dns-install |
291 | + * Merge from Debian unstable. Remaining changes: |
292 | + - Build without lmdb support as that package is in Universe |
293 | + |
294 | + -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 |
295 | + |
296 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
297 | |
298 | [ Bernhard Schmidt ] |
299 | @@ -199,6 +435,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
300 | |
301 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 |
302 | |
303 | +bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium |
304 | + |
305 | + * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating |
306 | + DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews |
307 | + <marka@isc.org>. (LP: #1755439) |
308 | + |
309 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 |
310 | + |
311 | +bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium |
312 | + |
313 | + * Fix apparmor profile filename (LP: #1754981) |
314 | + |
315 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 |
316 | + |
317 | +bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high |
318 | + |
319 | + * No change rebuild against openssl1.1. |
320 | + |
321 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 |
322 | + |
323 | +bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium |
324 | + |
325 | + * Build without lmdb support as that package is in Universe (LP: #1746296) |
326 | + - d/control: remove Build-Depends on liblmdb-dev |
327 | + - d/rules: configure --without-lmdb |
328 | + - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires |
329 | + lmdb. |
330 | + |
331 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 |
332 | + |
333 | +bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium |
334 | + |
335 | + * Merge with Debian unstable (LP: #1744930). |
336 | + * Drop: |
337 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
338 | + (LP #1536181). |
339 | + [fixed in 1:9.10.6+dfsg-4] |
340 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
341 | + [adopted in 1:9.10.6+dfsg-5] |
342 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
343 | + introduced with the CVE-2016-8864.patch and fixed in |
344 | + CVE-2016-8864-regression.patch. |
345 | + [applied upstream] |
346 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
347 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
348 | + and fixed in CVE-2016-8864-regression2.patch. |
349 | + [applied upstream] |
350 | + - d/control, d/rules: add json support for the statistics channels. |
351 | + (LP #1669193) |
352 | + [adopted in 1:9.10.6+dfsg-5] |
353 | + * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing |
354 | + listing the python ply module as a dependency (Closes: #888463) |
355 | + |
356 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 |
357 | + |
358 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
359 | |
360 | * New upstream version 9.11.2-P1 |
361 | @@ -374,6 +665,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium |
362 | |
363 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
364 | |
365 | +bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium |
366 | + |
367 | + * Merge with Debian unstable (LP: #1712920). Remaining changes: |
368 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
369 | + (LP #1536181). |
370 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
371 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
372 | + introduced with the CVE-2016-8864.patch and fixed in |
373 | + CVE-2016-8864-regression.patch. |
374 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
375 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
376 | + and fixed in CVE-2016-8864-regression2.patch. |
377 | + - d/control, d/rules: add json support for the statistics channels. |
378 | + (LP #1669193) |
379 | + |
380 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 |
381 | + |
382 | +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium |
383 | + |
384 | + * Non-maintainer upload. |
385 | + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) |
386 | + |
387 | + -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 |
388 | + |
389 | +bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium |
390 | + |
391 | + * Merge with Debian unstable (LP: #1701687). Remaining changes: |
392 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
393 | + (LP #1536181). |
394 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
395 | + * Drop: |
396 | + - SECURITY UPDATE: denial of service via assertion failure |
397 | + + debian/patches/CVE-2016-2776.patch: properly handle lengths in |
398 | + lib/dns/message.c. |
399 | + + CVE-2016-2776 |
400 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
401 | + - SECURITY UPDATE: assertion failure via class mismatch |
402 | + + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
403 | + records in lib/dns/resolver.c. |
404 | + + CVE-2016-9131 |
405 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
406 | + - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
407 | + + debian/patches/CVE-2016-9147.patch: fix logic when records are |
408 | + returned without the requested data in lib/dns/resolver.c. |
409 | + + CVE-2016-9147 |
410 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
411 | + - SECURITY UPDATE: assertion failure via unusually-formed DS record |
412 | + + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
413 | + lib/dns/message.c, lib/dns/resolver.c. |
414 | + + CVE-2016-9444 |
415 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
416 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
417 | + + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
418 | + responses in lib/dns/resolver.c, added tests to |
419 | + bin/tests/system/dname/ns2/example.db, |
420 | + bin/tests/system/dname/tests.sh. |
421 | + + No CVE number |
422 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] |
423 | + - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
424 | + a NULL pointer |
425 | + + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
426 | + combination in bin/named/query.c, lib/dns/message.c, |
427 | + lib/dns/rdataset.c. |
428 | + + CVE-2017-3135 |
429 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
430 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
431 | + + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
432 | + was still being cached when it should have been in lib/dns/resolver.c, |
433 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
434 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
435 | + + No CVE number |
436 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
437 | + - SECURITY UPDATE: Denial of Service due to an error handling |
438 | + synthesized records when using DNS64 with "break-dnssec yes;" |
439 | + + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
440 | + called. |
441 | + + CVE-2017-3136 |
442 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
443 | + - SECURITY UPDATE: Denial of Service due to resolver terminating when |
444 | + processing a response packet containing a CNAME or DNAME |
445 | + + debian/patches/CVE-2017-3137.patch: don't expect a specific |
446 | + ordering of answer components; add testcases. |
447 | + + CVE-2017-3137 |
448 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] |
449 | + - SECURITY UPDATE: Denial of Service when receiving a null command on |
450 | + the control channel |
451 | + + debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
452 | + command token is given; add testcase. |
453 | + + CVE-2017-3138 |
454 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
455 | + - SECURITY UPDATE: TSIG authentication issues |
456 | + + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
457 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
458 | + + CVE-2017-3142 |
459 | + + CVE-2017-3143 |
460 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] |
461 | + * d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
462 | + introduced with the CVE-2016-8864.patch and fixed in |
463 | + CVE-2016-8864-regression.patch. |
464 | + * d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
465 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
466 | + and fixed in CVE-2016-8864-regression2.patch. |
467 | + * d/control, d/rules: add json support for the statistics channels. |
468 | + (LP: #1669193) |
469 | + |
470 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 |
471 | + |
472 | +bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium |
473 | + |
474 | + * Non-maintainer upload. |
475 | + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG |
476 | + signed TCP message sequences where not all the messages contain TSIG |
477 | + records. These may be used in AXFR and IXFR responses. |
478 | + (Closes: #868952) |
479 | + |
480 | + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 |
481 | + |
482 | +bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high |
483 | + |
484 | + * Non-maintainer upload. |
485 | + |
486 | + [ Yves-Alexis Perez ] |
487 | + * debian/patches: |
488 | + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses |
489 | + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone |
490 | + transfers. An attacker may be able to circumvent TSIG authentication of |
491 | + AXFR and Notify requests. |
492 | + CVE-2017-3143: error in TSIG authentication can permit unauthorized |
493 | + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) |
494 | + signature for a dynamic update. |
495 | + (Closes: #866564) |
496 | + |
497 | + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 |
498 | + |
499 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
500 | |
501 | [ Bernhard Schmidt ] |
502 | @@ -480,6 +905,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium |
503 | |
504 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
505 | |
506 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium |
507 | + |
508 | + * SECURITY UPDATE: TSIG authentication issues |
509 | + - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
510 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
511 | + - CVE-2017-3142 |
512 | + - CVE-2017-3143 |
513 | + |
514 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 |
515 | + |
516 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium |
517 | + |
518 | + * rules: Fix path to libsofthsm2.so. (LP: #1685780) |
519 | + |
520 | + -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 |
521 | + |
522 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium |
523 | + |
524 | + * SECURITY UPDATE: Denial of Service due to an error handling |
525 | + synthesized records when using DNS64 with "break-dnssec yes;" |
526 | + - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
527 | + called. |
528 | + - CVE-2017-3136 |
529 | + * SECURITY UPDATE: Denial of Service due to resolver terminating when |
530 | + processing a response packet containing a CNAME or DNAME |
531 | + - debian/patches/CVE-2017-3137.patch: don't expect a specific |
532 | + ordering of answer components; add testcases. |
533 | + - CVE-2017-3137 |
534 | + * SECURITY UPDATE: Denial of Service when receiving a null command on |
535 | + the control channel |
536 | + - debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
537 | + command token is given; add testcase. |
538 | + - CVE-2017-3138 |
539 | + |
540 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 |
541 | + |
542 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium |
543 | + |
544 | + * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
545 | + a NULL pointer |
546 | + - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
547 | + combination in bin/named/query.c, lib/dns/message.c, |
548 | + lib/dns/rdataset.c. |
549 | + - CVE-2017-3135 |
550 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
551 | + - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
552 | + was still being cached when it should have been in lib/dns/resolver.c, |
553 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
554 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
555 | + - No CVE number |
556 | + |
557 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 |
558 | + |
559 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium |
560 | + |
561 | + * SECURITY UPDATE: assertion failure via class mismatch |
562 | + - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
563 | + records in lib/dns/resolver.c. |
564 | + - CVE-2016-9131 |
565 | + * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
566 | + - debian/patches/CVE-2016-9147.patch: fix logic when records are |
567 | + returned without the requested data in lib/dns/resolver.c. |
568 | + - CVE-2016-9147 |
569 | + * SECURITY UPDATE: assertion failure via unusually-formed DS record |
570 | + - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
571 | + lib/dns/message.c, lib/dns/resolver.c. |
572 | + - CVE-2016-9444 |
573 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
574 | + - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
575 | + responses in lib/dns/resolver.c, added tests to |
576 | + bin/tests/system/dname/ns2/example.db, |
577 | + bin/tests/system/dname/tests.sh. |
578 | + - No CVE number |
579 | + |
580 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 |
581 | + |
582 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium |
583 | + |
584 | + * Add RemainAfterExit to bind9-resolvconf unit configuration file |
585 | + (LP: #1536181). |
586 | + |
587 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 |
588 | + |
589 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium |
590 | + |
591 | + * SECURITY UPDATE: denial of service via assertion failure |
592 | + - debian/patches/CVE-2016-2776.patch: properly handle lengths in |
593 | + lib/dns/message.c. |
594 | + - CVE-2016-2776 |
595 | + |
596 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 |
597 | + |
598 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
599 | |
600 | * Non-maintainer upload. |
601 | diff --git a/debian/control b/debian/control |
602 | index 73c2a17..3d7f03d 100644 |
603 | --- a/debian/control |
604 | +++ b/debian/control |
605 | @@ -1,7 +1,8 @@ |
606 | Source: bind9 |
607 | Section: net |
608 | Priority: optional |
609 | -Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
610 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
611 | +XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
612 | Uploaders: LaMont Jones <lamont@debian.org>, |
613 | Michael Gilbert <mgilbert@debian.org>, |
614 | Robie Basak <robie.basak@canonical.com>, |
615 | @@ -15,18 +16,14 @@ Build-Depends: bison, |
616 | dpkg-dev (>= 1.16.1~), |
617 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], |
618 | libdb-dev (>>4.6), |
619 | - libfstrm-dev, |
620 | libgeoip-dev (>= 1.4.6.dfsg-5), |
621 | libidn2-dev, |
622 | libjson-c-dev, |
623 | libkrb5-dev, |
624 | libldap2-dev, |
625 | - liblmdb-dev, |
626 | - libprotobuf-c-dev, |
627 | libssl-dev, |
628 | libtool, |
629 | libxml2-dev, |
630 | - protobuf-c-compiler, |
631 | python3, |
632 | python3-distutils, |
633 | python3-ply |
634 | diff --git a/debian/dnsutils.install b/debian/dnsutils.install |
635 | index 90e4fba..5e6b7d9 100644 |
636 | --- a/debian/dnsutils.install |
637 | +++ b/debian/dnsutils.install |
638 | @@ -1,12 +1,10 @@ |
639 | usr/bin/delv |
640 | usr/bin/dig |
641 | -usr/bin/dnstap-read |
642 | usr/bin/mdig |
643 | usr/bin/nslookup |
644 | usr/bin/nsupdate |
645 | usr/share/man/man1/delv.1 |
646 | usr/share/man/man1/dig.1 |
647 | -usr/share/man/man1/dnstap-read.1 |
648 | usr/share/man/man1/mdig.1 |
649 | usr/share/man/man1/nslookup.1 |
650 | usr/share/man/man1/nsupdate.1 |
651 | diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols |
652 | index d7c98d4..7b6020e 100644 |
653 | --- a/debian/libdns1104.symbols |
654 | +++ b/debian/libdns1104.symbols |
655 | @@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# |
656 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
657 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
658 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
659 | - dns_dt_attach@Base 1:9.11.4.P1 |
660 | - dns_dt_close@Base 1:9.11.4.P1 |
661 | - dns_dt_create@Base 1:9.11.4.P1 |
662 | - dns_dt_datatotext@Base 1:9.11.4.P1 |
663 | - dns_dt_detach@Base 1:9.11.4.P1 |
664 | - dns_dt_getframe@Base 1:9.11.4.P1 |
665 | - dns_dt_getstats@Base 1:9.11.4.P1 |
666 | - dns_dt_open@Base 1:9.11.4.P1 |
667 | - dns_dt_parse@Base 1:9.11.4.P1 |
668 | - dns_dt_reopen@Base 1:9.11.4.P1 |
669 | - dns_dt_send@Base 1:9.11.4.P1 |
670 | - dns_dt_setidentity@Base 1:9.11.4.P1 |
671 | - dns_dt_setversion@Base 1:9.11.4.P1 |
672 | - dns_dt_shutdown@Base 1:9.11.4.P1 |
673 | - dns_dtdata_free@Base 1:9.11.4.P1 |
674 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
675 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
676 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
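Review bot: Removing the dns_dt_* entries here (and the dnstap__* entries in the later hunks of this file) shrinks the exported symbol set while the library and package names stay libdns-pkcs11.so.1104 / libdns1104, so anything built against a libdns1104 that still exports these symbols will fail to resolve them against this build. Please make sure the changelog's remaining-changes entry states that the symbols are absent because dnstap is not built, and check that nothing in the archive links against dns_dt_*.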
677 | @@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# |
678 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
679 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
680 | dns_zt_unmount@Base 1:9.11.3+dfsg |
681 | - dnstap__dnstap__descriptor@Base 1:9.11.4.P1 |
682 | - dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 |
683 | - dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 |
684 | - dnstap__dnstap__init@Base 1:9.11.4.P1 |
685 | - dnstap__dnstap__pack@Base 1:9.11.4.P1 |
686 | - dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 |
687 | - dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 |
688 | - dnstap__dnstap__unpack@Base 1:9.11.4.P1 |
689 | - dnstap__message__descriptor@Base 1:9.11.4.P1 |
690 | - dnstap__message__free_unpacked@Base 1:9.11.4.P1 |
691 | - dnstap__message__get_packed_size@Base 1:9.11.4.P1 |
692 | - dnstap__message__init@Base 1:9.11.4.P1 |
693 | - dnstap__message__pack@Base 1:9.11.4.P1 |
694 | - dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 |
695 | - dnstap__message__type__descriptor@Base 1:9.11.4.P1 |
696 | - dnstap__message__unpack@Base 1:9.11.4.P1 |
697 | - dnstap__socket_family__descriptor@Base 1:9.11.4.P1 |
698 | - dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 |
699 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
700 | dst__entropy_status@Base 1:9.11.3+dfsg |
701 | dst__gssapi_init@Base 1:9.11.3+dfsg |
702 | @@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER# |
703 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
704 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
705 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
706 | - dns_dt_attach@Base 1:9.11.4.P1 |
707 | - dns_dt_close@Base 1:9.11.4.P1 |
708 | - dns_dt_create@Base 1:9.11.4.P1 |
709 | - dns_dt_datatotext@Base 1:9.11.4.P1 |
710 | - dns_dt_detach@Base 1:9.11.4.P1 |
711 | - dns_dt_getframe@Base 1:9.11.4.P1 |
712 | - dns_dt_getstats@Base 1:9.11.4.P1 |
713 | - dns_dt_open@Base 1:9.11.4.P1 |
714 | - dns_dt_parse@Base 1:9.11.4.P1 |
715 | - dns_dt_reopen@Base 1:9.11.4.P1 |
716 | - dns_dt_send@Base 1:9.11.4.P1 |
717 | - dns_dt_setidentity@Base 1:9.11.4.P1 |
718 | - dns_dt_setversion@Base 1:9.11.4.P1 |
719 | - dns_dt_shutdown@Base 1:9.11.4.P1 |
720 | - dns_dtdata_free@Base 1:9.11.4.P1 |
721 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
722 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
723 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
724 | @@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER# |
725 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
726 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
727 | dns_zt_unmount@Base 1:9.11.3+dfsg |
728 | - dnstap__dnstap__descriptor@Base 1:9.11.4.P1 |
729 | - dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 |
730 | - dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 |
731 | - dnstap__dnstap__init@Base 1:9.11.4.P1 |
732 | - dnstap__dnstap__pack@Base 1:9.11.4.P1 |
733 | - dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 |
734 | - dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 |
735 | - dnstap__dnstap__unpack@Base 1:9.11.4.P1 |
736 | - dnstap__message__descriptor@Base 1:9.11.4.P1 |
737 | - dnstap__message__free_unpacked@Base 1:9.11.4.P1 |
738 | - dnstap__message__get_packed_size@Base 1:9.11.4.P1 |
739 | - dnstap__message__init@Base 1:9.11.4.P1 |
740 | - dnstap__message__pack@Base 1:9.11.4.P1 |
741 | - dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 |
742 | - dnstap__message__type__descriptor@Base 1:9.11.4.P1 |
743 | - dnstap__message__unpack@Base 1:9.11.4.P1 |
744 | - dnstap__socket_family__descriptor@Base 1:9.11.4.P1 |
745 | - dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 |
746 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
747 | dst__entropy_status@Base 1:9.11.3+dfsg |
748 | dst__gssapi_init@Base 1:9.11.3+dfsg |
749 | diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff |
750 | new file mode 100644 |
751 | index 0000000..5444ae7 |
752 | --- /dev/null |
753 | +++ b/debian/patches/enable-udp-in-host-command.diff |
754 | @@ -0,0 +1,26 @@ |
755 | +Description: Fix parsing of host(1)'s -U command line option |
756 | +Author: Andreas Hasenack <andreas@canonical.com> |
757 | +Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769 |
758 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648 |
759 | +Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935 |
760 | +Last-Update: 2018-12-06 |
761 | +--- |
762 | +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ |
763 | +--- a/bin/dig/host.c |
764 | ++++ b/bin/dig/host.c |
765 | +@@ -158,6 +158,7 @@ |
766 | + " -s a SERVFAIL response should stop query\n" |
767 | + " -t specifies the query type\n" |
768 | + " -T enables TCP/IP mode\n" |
769 | ++" -U enables UDP mode\n" |
770 | + " -v enables verbose output\n" |
771 | + " -V print version number and exit\n" |
772 | + " -w specifies to wait forever for a reply\n" |
773 | +@@ -657,6 +658,7 @@ |
774 | + case 'N': break; |
775 | + case 'R': break; |
776 | + case 'T': break; |
777 | ++ case 'U': break; |
778 | + case 'W': break; |
779 | + default: |
780 | + show_usage(); |
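Review bot: In the second hunk of the embedded patch, 'case 'U': break;' only accepts the option in this switch and does nothing with it, and the one-line Description does not say where -U actually takes effect. If this switch is only a validation pass and -U is acted on elsewhere in host.c, say so in the DEP-3 header so the patch can be reviewed on its own. Since Applied-Upstream is already set, it would also help to record that the patch can be dropped once the packaged version contains that commit.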
781 | diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff |
782 | new file mode 100644 |
783 | index 0000000..f10f51f |
784 | --- /dev/null |
785 | +++ b/debian/patches/fix-shutdown-race.diff |
786 | @@ -0,0 +1,41 @@ |
787 | +From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001 |
788 | +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> |
789 | +Date: Tue, 13 Nov 2018 13:50:47 +0100 |
790 | +Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c |
791 | + |
792 | +If a tool using the routines defined in bin/dig/dighost.c is sent an |
793 | +interruption signal around the time a connection timeout is scheduled to |
794 | +fire, connect_timeout() may be executed after destroy_libs() detaches |
795 | +from the global task (setting 'global_task' to NULL), which results in a |
796 | +crash upon a UDP retry due to bringup_timer() attempting to create a |
797 | +timer with 'task' set to NULL. Fix by preventing connect_timeout() from |
798 | +attempting a retry when shutdown is in progress. |
799 | + |
800 | +(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b) |
801 | + |
802 | +Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs |
803 | +Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599 |
804 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926 |
805 | +Last-Update: 2018-12-06 |
806 | + |
807 | +--- |
808 | + bin/dig/dighost.c | 5 +++++ |
809 | + 1 file changed, 5 insertions(+) |
810 | +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
811 | +index 39abb9d0fd..17e0328228 100644 |
812 | +--- a/bin/dig/dighost.c |
813 | ++++ b/bin/dig/dighost.c |
814 | +@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { |
815 | + |
816 | + INSIST(!free_now); |
817 | + |
818 | ++ if (cancel_now) { |
819 | ++ UNLOCK_LOOKUP; |
820 | ++ return; |
821 | ++ } |
822 | ++ |
823 | + if ((query != NULL) && (query->lookup->current_query != NULL) && |
824 | + ISC_LINK_LINKED(query->lookup->current_query, link) && |
825 | + (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { |
826 | +-- |
827 | +2.18.1 |
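Review bot: The early return added after 'INSIST(!free_now);' unlocks and leaves connect_timeout() without touching 'event', and the visible context does not show whether the event has already been freed by that point; please confirm against the full function that this path does not leak it. The Subject also reads '[PATCH 1/2]' while debian/patches/series gains only this one file from that pair, so the header should say whether 2/2 was deliberately left out.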
828 | diff --git a/debian/patches/series b/debian/patches/series |
829 | index b8cde78..01bb163 100644 |
830 | --- a/debian/patches/series |
831 | +++ b/debian/patches/series |
832 | @@ -12,3 +12,5 @@ keymgr-dont-immediately-delete.diff |
833 | 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch |
834 | 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch |
835 | 0014-Disable-broken-Ed448-support.patch |
836 | +enable-udp-in-host-command.diff |
837 | +fix-shutdown-race.diff |
838 | diff --git a/debian/rules b/debian/rules |
839 | index c8d745c..717ecb9 100755 |
840 | --- a/debian/rules |
841 | +++ b/debian/rules |
842 | @@ -91,7 +91,7 @@ override_dh_auto_configure: |
843 | --with-gssapi=/usr \ |
844 | --with-libidn2 \ |
845 | --with-libjson=/usr \ |
846 | - --with-lmdb=/usr \ |
847 | + --without-lmdb \ |
848 | --with-gnu-ld \ |
849 | --with-geoip=/usr \ |
850 | --with-atf=no \ |
851 | @@ -101,7 +101,6 @@ override_dh_auto_configure: |
852 | --enable-native-pkcs11 \ |
853 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ |
854 | --with-randomdev=/dev/urandom \ |
855 | - --enable-dnstap \ |
856 | $(EXTRA_FEATURES) |
857 | dh_auto_configure -B build-udeb -- \ |
858 | --sysconfdir=/etc/bind \ |
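Review bot: dnstap is turned off here by deleting '--enable-dnstap', which leaves the outcome to configure's default, whereas the lmdb change in the previous hunk is explicit ('--without-lmdb'). Consider passing '--disable-dnstap' so the intent is recorded in the build and a change in the default cannot pull the feature back in after libfstrm-dev and the protobuf-c build dependencies have been removed from debian/control.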
859 | @@ -126,8 +125,6 @@ override_dh_auto_configure: |
860 | # no need to build these targets here |
861 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile |
862 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile |
863 | - cp lib/dns/dnstap.proto build/lib/dns |
864 | - cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11 |
865 | |
866 | override_dh_auto_build: |
867 | dh_auto_build -B build |
868 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest |
869 | index 468a7c5..34b0b25 100755 |
870 | --- a/debian/tests/simpletest |
871 | +++ b/debian/tests/simpletest |
872 | @@ -10,10 +10,6 @@ setup() { |
873 | run() { |
874 | # Make a query against a local zone |
875 | dig -x 127.0.0.1 @127.0.0.1 |
876 | - |
877 | - # Make a query against an external nameserver and check for DNSSEC validation |
878 | - echo "Checking for DNSSEC validation status of internetsociety.org" |
879 | - dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' |
880 | } |
881 | |
882 | teardown() { |
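Review bot: With these lines removed, run() no longer checks DNSSEC validation at all; the only remaining query is the reverse lookup of 127.0.0.1, so a regression in validation would still pass the autopkgtest. If the check was dropped because it depends on an external name (internetsociety.org) being resolvable from the test environment, consider replacing it with a validation check against a locally served signed zone rather than removing the coverage.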
Yep, a straightforward merge with a lot dropped.
Commits, Changelog and remaining changes LGTM.
The changes we picked up from Debian by that seem non-conflicting with our Delta.
I played a bit with the PPA, in particular with the -export packages that I never noticed before. But all seems to work just fine.
+1