Merge ~ahasenack/ubuntu/+source/bind9:eoan-bind-merge-9.11.5.p4-4 into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 5de12ebea9dd344d915139824440352427b67fde
Merge reported by: Andreas Hasenack
Merged at revision: 5de12ebea9dd344d915139824440352427b67fde
Proposed branch: ~ahasenack/ubuntu/+source/bind9:eoan-bind-merge-9.11.5.p4-4
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 882 lines (+589/-83)
10 files modified
debian/bind9.install (+0/-2)
debian/changelog (+517/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+2/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewers (Reviewer / Review Type / Date Requested / Status):
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending
Review via email: mp+366871@code.launchpad.net

Description of the change

Merge from debian.

Was able to drop from the delta:
- security updates
- eddsa support change

d/p/enable-udp-in-host-command.diff and d/p/fix-shutdown-race.diff are committed upstream, just not in the series we are shipping, so we still have to carry these.

In 1:9.11.5.P4+dfsg-1, debian removed the debian revision from the dnstap symbols, so that made our delta change accordingly because we are removing those symbols, since we don't build that support. You will see this change in the git range-diff.

Usual tags are pushed.

range-diff command you might want to use:
git range-diff old/debian..logical/1%9.11.5.P1+dfsg-1ubuntu4 new/debian..eoan-bind-merge-9.11.5.p4-4

PPA with a test build: sudo add-apt-repository ppa:ahasenack/bind9-merge-9.11.5.p4-4
https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-merge-9.11.5.p4-4/

Christian Ehrhardt  (paelzer) wrote :

Yep, a straightforward merge with a lot dropped.
Commits, Changelog and remaining changes LGTM.

The changes we picked up from Debian by that seem non-conflicting with our Delta.

I played a bit with the PPA, in particular with the -export packages that I never noticed before. But all seems to work just fine.

+1

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, tagged and uploaded:

$ git push pkg upload/1%9.11.5.P4+dfsg-4ubuntu1
Enumerating objects: 60, done.
Counting objects: 100% (60/60), done.
Delta compression using up to 4 threads
Compressing objects: 100% (47/47), done.
Writing objects: 100% (48/48), 11.99 KiB | 454.00 KiB/s, done.
Total 48 (delta 32), reused 1 (delta 1)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.11.5.P4+dfsg-4ubuntu1 -> upload/1%9.11.5.P4+dfsg-4ubuntu1

$ dput ubuntu ../bind9_9.11.5.P4+dfsg-4ubuntu1_source.changes
Checking signature on .changes
gpg: ../bind9_9.11.5.P4+dfsg-4ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.11.5.P4+dfsg-4ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.11.5.P4+dfsg-4ubuntu1.dsc: done.
  Uploading bind9_9.11.5.P4+dfsg-4ubuntu1.debian.tar.xz: done.
  Uploading bind9_9.11.5.P4+dfsg-4ubuntu1_source.buildinfo: done.
  Uploading bind9_9.11.5.P4+dfsg-4ubuntu1_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote :

This migrated already.

Preview Diff

diff --git a/debian/bind9.install b/debian/bind9.install
index 26d595e..fd7f0f5 100644
--- a/debian/bind9.install
+++ b/debian/bind9.install
@@ -16,7 +16,6 @@ usr/sbin/genrandom
16usr/sbin/isc-hmac-fixup16usr/sbin/isc-hmac-fixup
17usr/sbin/named17usr/sbin/named
18usr/sbin/named-journalprint18usr/sbin/named-journalprint
19usr/sbin/named-nzd2nzf
20usr/sbin/named-pkcs1119usr/sbin/named-pkcs11
21usr/sbin/nsec3hash20usr/sbin/nsec3hash
22usr/sbin/tsig-keygen21usr/sbin/tsig-keygen
@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
32usr/share/man/man8/genrandom.831usr/share/man/man8/genrandom.8
33usr/share/man/man8/isc-hmac-fixup.832usr/share/man/man8/isc-hmac-fixup.8
34usr/share/man/man8/named-journalprint.833usr/share/man/man8/named-journalprint.8
35usr/share/man/man8/named-nzd2nzf.8
36usr/share/man/man8/named.834usr/share/man/man8/named.8
37usr/share/man/man8/nsec3hash.835usr/share/man/man8/nsec3hash.8
38usr/share/man/man8/tsig-keygen.836usr/share/man/man8/tsig-keygen.8
diff --git a/debian/changelog b/debian/changelog
index 0f9e775..568200c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,57 @@
1bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - Build without lmdb support as that package is in Universe
5 - Don't build dnstap as it depends on universe packages:
6 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
7 protobuf-c-compiler (universe packages)
8 + d/dnsutils.install: don't install dnstap
9 + d/libdns1104.symbols: don't include dnstap symbols
10 + d/rules: don't build dnstap nor install dnstap.proto
11 - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
12 option (LP #1804648)
13 - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
14 close to a query timeout (LP #1797926)
15 - d/t/simpletest: drop the internetsociety.org test as it requires
16 network egress access that is not available in the Ubuntu autopkgtest
17 farm.
18 * Dropped:
19 - SECURITY UPDATE: memory leak via specially crafted packet
20 + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
21 options in bin/named/client.c.
22 + CVE-2018-5744
23 [Fixed upstream in 9.11.5-P2]
24 - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
25 unsupported key algorithm when using managed-keys
26 + debian/patches/CVE-2018-5745.patch: properly handle situations when
27 the key tag cannot be computed in lib/dns/include/dst/dst.h,
28 lib/dns/zone.c.
29 + CVE-2018-5745
30 [Fixed upstream in 9.11.5-P2]
31 - SECURITY UPDATE: Controls for zone transfers may not be properly
32 applied to Dynamically Loadable Zones (DLZs) if the zones are writable
33 + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
34 the zone table as a DLZ zone bin/named/xfrout.c.
35 + CVE-2019-6465
36 [Fixed upstream in 9.11.5-P3]
37 - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
38 + debian/patches/CVE-2018-5743.patch: add reference counting in
39 bin/named/client.c, bin/named/include/named/client.h,
40 bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
41 lib/isc/include/isc/quota.h, lib/isc/quota.c,
42 lib/isc/win32/libisc.def.in.
43 + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
44 operations with isc_refcount reference counting in
45 bin/named/client.c, bin/named/include/named/interfacemgr.h,
46 bin/named/interfacemgr.c.
47 + debian/libisc1100.symbols: added new symbols.
48 + CVE-2018-5743
49 [Fixed in 1:9.11.5.P4+dfsg-4]
50 - d/rules: add back EdDSA support (LP #1825712)
51 [Fixed in 1:9.11.5.P4+dfsg-4]
52
53 -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300
54
1bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium55bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
256
3 [ Bernhard Schmidt ]57 [ Bernhard Schmidt ]
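
Review bot: The "Build without lmdb support as that package is in Universe" item under "Remaining changes" in the new 1:9.11.5.P4+dfsg-4ubuntu1 entry has no per-file sub-items, unlike the dnstap item directly below it, so the changelog alone does not show that it covers dropping liblmdb-dev from d/control and named-nzd2nzf plus its man page from d/bind9.install. The 1:9.11.2.P1-1ubuntu2 entry further down already itemises these ("d/control: remove Build-Depends on liblmdb-dev", "d/rules: configure --without-lmdb", "d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires lmdb"); carrying those sub-items forward would make the delta easier to audit at the next merge.
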
@@ -70,12 +124,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
70124
71 -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100125 -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100
72126
127bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
128
129 * d/rules: add back EdDSA support (LP: #1825712)
130
131 -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000
132
133bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
134
135 * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
136 - debian/patches/CVE-2018-5743.patch: add reference counting in
137 bin/named/client.c, bin/named/include/named/client.h,
138 bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
139 lib/isc/include/isc/quota.h, lib/isc/quota.c,
140 lib/isc/win32/libisc.def.in.
141 - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
142 operations with isc_refcount reference counting in
143 bin/named/client.c, bin/named/include/named/interfacemgr.h,
144 bin/named/interfacemgr.c.
145 - debian/libisc1100.symbols: added new symbols.
146 - CVE-2018-5743
147
148 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400
149
150bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
151
152 * SECURITY UPDATE: memory leak via specially crafted packet
153 - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
154 options in bin/named/client.c.
155 - CVE-2018-5744
156 * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
157 unsupported key algorithm when using managed-keys
158 - debian/patches/CVE-2018-5745.patch: properly handle situations when
159 the key tag cannot be computed in lib/dns/include/dst/dst.h,
160 lib/dns/zone.c.
161 - CVE-2018-5745
162 * SECURITY UPDATE: Controls for zone transfers may not be properly
163 applied to Dynamically Loadable Zones (DLZs) if the zones are writable
164 - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
165 the zone table as a DLZ zone bin/named/xfrout.c.
166 - CVE-2019-6465
167
168 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100
169
170bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
171
172 * Merge with Debian unstable. Remaining changes:
173 - Build without lmdb support as that package is in Universe
174 - Don't build dnstap as it depends on universe packages:
175 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
176 protobuf-c-compiler (universe packages)
177 + d/dnsutils.install: don't install dnstap
178 + d/libdns1104.symbols: don't include dnstap symbols
179 + d/rules: don't build dnstap nor install dnstap.proto
180 - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
181 option (LP #1804648)
182 - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
183 close to a query timeout (LP #1797926)
184 - d/t/simpletest: drop the internetsociety.org test as it requires
185 network egress access that is not available in the Ubuntu autopkgtest
186 farm.
187
188 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200
189
73bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium190bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
74191
75 * New upstream version 9.11.5.P1+dfsg192 * New upstream version 9.11.5.P1+dfsg
76193
77 -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000194 -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000
78195
196bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
197
198 * Merge with Debian unstable. Remaining changes:
199 - Build without lmdb support as that package is in Universe
200 - Don't build dnstap as it depends on universe packages:
201 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
202 protobuf-c-compiler (universe packages)
203 + d/dnsutils.install: don't install dnstap
204 + d/libdns1104.symbols: don't include dnstap symbols
205 + d/rules: don't build dnstap nor install dnstap.proto
206 * Dropped:
207 - SECURITY UPDATE: denial of service crash when deny-answer-aliases
208 option is used
209 + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
210 trigger a crash if deny-answer-aliases was set
211 + debian/patches/CVE-2018-5740-2.patch: add tests
212 + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
213 chainingp correctly, add test
214 + CVE-2018-5740
215 [Fixed in new upstream version 9.11.5]
216 - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
217 line (Closes: #904983)
218 [Fixed in 1:9.11.4+dfsg-4]
219 - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
220 [Fixed in 1:9.11.4.P1+dfsg-1]
221 - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
222 (it depends on OpenSSL version) (Closes: #897643)
223 [Fixed in 1:9.11.4.P1+dfsg-1]
224 * Added:
225 - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
226 option (LP: #1804648)
227 - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
228 close to a query timeout (LP: #1797926)
229 - d/t/simpletest: drop the internetsociety.org test as it requires
230 network egress access that is not available in the Ubuntu autopkgtest
231 farm.
232
233 -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
234
79bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium235bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
80236
81 * Use team+dns@tracker.debian.org as Maintainer address237 * Use team+dns@tracker.debian.org as Maintainer address
@@ -137,6 +293,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
137293
138 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200294 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
139295
296bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
297
298 * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
299
300 -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
301
302bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
303
304 * SECURITY UPDATE: denial of service crash when deny-answer-aliases
305 option is used
306 - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
307 trigger a crash if deny-answer-aliases was set
308 - debian/patches/CVE-2018-5740-2.patch: add tests
309 - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
310 chainingp correctly, add test
311 - CVE-2018-5740
312
313 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
314
315bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
316
317 * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
318 (it depends on OpenSSL version) (Closes: #897643)
319
320 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
321
322bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
323
324 * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
325 crashing on startup. (LP: #1769440)
326
327 -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
328
329bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
330
331 * Merge with Debian unstable. Remaining changes:
332 - Build without lmdb support as that package is in Universe
333 * Added:
334 - Don't build dnstap as it depends on universe packages:
335 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
336 protobuf-c-compiler (universe packages)
337 + d/dnsutils.install: don't install dnstap
338 + d/libdns1102.symbols: don't include dnstap symbols
339 + d/rules: don't build dnstap
340 - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
341 line (Closes: #904983)
342
343 -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
344
140bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium345bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
141346
142 * Enable IDN support for dig+host using libidn2 (Closes: #459010)347 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
@@ -167,6 +372,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
167372
168 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000373 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
169374
375bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
376
377 * Merge with Debian unstable (LP: #1777935). Remaining changes:
378 - Build without lmdb support as that package is in Universe
379 * Drop:
380 - SECURITY UPDATE: improperly permits recursive query service
381 + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
382 in bin/named/server.c.
383 + CVE-2018-5738
384 [Applied in Debian's 1:9.11.3+dfsg-2]
385
386 -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
387
170bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium388bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
171389
172 * [CVE-2018-5738]: Add upstream fix to close the default open recursion390 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
@@ -175,6 +393,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
175393
176 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000394 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
177395
396bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
397
398 * SECURITY UPDATE: improperly permits recursive query service
399 - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
400 in bin/named/server.c.
401 - CVE-2018-5738
402
403 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
404
405bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
406
407 * New upstream release. (LP: #1763572)
408 - fix a crash when configured with ipa-dns-install
409 * Merge from Debian unstable. Remaining changes:
410 - Build without lmdb support as that package is in Universe
411
412 -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
413
178bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium414bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
179415
180 [ Bernhard Schmidt ]416 [ Bernhard Schmidt ]
@@ -199,6 +435,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
199435
200 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100436 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
201437
438bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
439
440 * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
441 DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
442 <marka@isc.org>. (LP: #1755439)
443
444 -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
445
446bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
447
448 * Fix apparmor profile filename (LP: #1754981)
449
450 -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
451
452bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
453
454 * No change rebuild against openssl1.1.
455
456 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
457
458bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
459
460 * Build without lmdb support as that package is in Universe (LP: #1746296)
461 - d/control: remove Build-Depends on liblmdb-dev
462 - d/rules: configure --without-lmdb
463 - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
464 lmdb.
465
466 -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
467
468bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
469
470 * Merge with Debian unstable (LP: #1744930).
471 * Drop:
472 - Add RemainAfterExit to bind9-resolvconf unit configuration file
473 (LP #1536181).
474 [fixed in 1:9.10.6+dfsg-4]
475 - rules: Fix path to libsofthsm2.so. (LP #1685780)
476 [adopted in 1:9.10.6+dfsg-5]
477 - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
478 introduced with the CVE-2016-8864.patch and fixed in
479 CVE-2016-8864-regression.patch.
480 [applied upstream]
481 - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
482 regression (RT #44318) introduced with the CVE-2016-8864.patch
483 and fixed in CVE-2016-8864-regression2.patch.
484 [applied upstream]
485 - d/control, d/rules: add json support for the statistics channels.
486 (LP #1669193)
487 [adopted in 1:9.10.6+dfsg-5]
488 * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
489 listing the python ply module as a dependency (Closes: #888463)
490
491 -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
492
202bind9 (1:9.11.2.P1-1) unstable; urgency=medium493bind9 (1:9.11.2.P1-1) unstable; urgency=medium
203494
204 * New upstream version 9.11.2-P1495 * New upstream version 9.11.2-P1
@@ -374,6 +665,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
374665
375 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000666 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
376667
668bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
669
670 * Merge with Debian unstable (LP: #1712920). Remaining changes:
671 - Add RemainAfterExit to bind9-resolvconf unit configuration file
672 (LP #1536181).
673 - rules: Fix path to libsofthsm2.so. (LP #1685780)
674 - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
675 introduced with the CVE-2016-8864.patch and fixed in
676 CVE-2016-8864-regression.patch.
677 - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
678 regression (RT #44318) introduced with the CVE-2016-8864.patch
679 and fixed in CVE-2016-8864-regression2.patch.
680 - d/control, d/rules: add json support for the statistics channels.
681 (LP #1669193)
682
683 -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
684
685bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
686
687 * Non-maintainer upload.
688 * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
689
690 -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
691
692bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
693
694 * Merge with Debian unstable (LP: #1701687). Remaining changes:
695 - Add RemainAfterExit to bind9-resolvconf unit configuration file
696 (LP #1536181).
697 - rules: Fix path to libsofthsm2.so. (LP #1685780)
698 * Drop:
699 - SECURITY UPDATE: denial of service via assertion failure
700 + debian/patches/CVE-2016-2776.patch: properly handle lengths in
701 lib/dns/message.c.
702 + CVE-2016-2776
703 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
704 - SECURITY UPDATE: assertion failure via class mismatch
705 + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
706 records in lib/dns/resolver.c.
707 + CVE-2016-9131
708 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
709 - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
710 + debian/patches/CVE-2016-9147.patch: fix logic when records are
711 returned without the requested data in lib/dns/resolver.c.
712 + CVE-2016-9147
713 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
714 - SECURITY UPDATE: assertion failure via unusually-formed DS record
715 + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
716 lib/dns/message.c, lib/dns/resolver.c.
717 + CVE-2016-9444
718 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
719 - SECURITY UPDATE: regression in CVE-2016-8864
720 + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
721 responses in lib/dns/resolver.c, added tests to
722 bin/tests/system/dname/ns2/example.db,
723 bin/tests/system/dname/tests.sh.
724 + No CVE number
725 + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
726 - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
727 a NULL pointer
728 + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
729 combination in bin/named/query.c, lib/dns/message.c,
730 lib/dns/rdataset.c.
731 + CVE-2017-3135
732 + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
733 - SECURITY UPDATE: regression in CVE-2016-8864
734 + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
735 was still being cached when it should have been in lib/dns/resolver.c,
736 added tests to bin/tests/system/dname/ans3/ans.pl,
737 bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
738 + No CVE number
739 + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
740 - SECURITY UPDATE: Denial of Service due to an error handling
741 synthesized records when using DNS64 with "break-dnssec yes;"
742 + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
743 called.
744 + CVE-2017-3136
745 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
746 - SECURITY UPDATE: Denial of Service due to resolver terminating when
747 processing a response packet containing a CNAME or DNAME
748 + debian/patches/CVE-2017-3137.patch: don't expect a specific
749 ordering of answer components; add testcases.
750 + CVE-2017-3137
751 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
752 - SECURITY UPDATE: Denial of Service when receiving a null command on
753 the control channel
754 + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
755 command token is given; add testcase.
756 + CVE-2017-3138
757 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
758 - SECURITY UPDATE: TSIG authentication issues
759 + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
760 lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
761 + CVE-2017-3142
762 + CVE-2017-3143
763 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
764 * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
765 introduced with the CVE-2016-8864.patch and fixed in
766 CVE-2016-8864-regression.patch.
767 * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
768 regression (RT #44318) introduced with the CVE-2016-8864.patch
769 and fixed in CVE-2016-8864-regression2.patch.
770 * d/control, d/rules: add json support for the statistics channels.
771 (LP: #1669193)
772
773 -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
774
775bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
776
777 * Non-maintainer upload.
778 * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
779 signed TCP message sequences where not all the messages contain TSIG
780 records. These may be used in AXFR and IXFR responses.
781 (Closes: #868952)
782
783 -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
784
785bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
786
787 * Non-maintainer upload.
788
789 [ Yves-Alexis Perez ]
790 * debian/patches:
791 - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
792 CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
793 transfers. An attacker may be able to circumvent TSIG authentication of
794 AXFR and Notify requests.
795 CVE-2017-3143: error in TSIG authentication can permit unauthorized
796 dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
797 signature for a dynamic update.
798 (Closes: #866564)
799
800 -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
801
377bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium802bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
378803
379 [ Bernhard Schmidt ]804 [ Bernhard Schmidt ]
@@ -480,6 +905,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
480905
481 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000906 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
482907
908bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
909
910 * SECURITY UPDATE: TSIG authentication issues
911 - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
912 lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
913 - CVE-2017-3142
914 - CVE-2017-3143
915
916 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
917
918bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
919
920 * rules: Fix path to libsofthsm2.so. (LP: #1685780)
921
922 -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
923
924bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
925
926 * SECURITY UPDATE: Denial of Service due to an error handling
927 synthesized records when using DNS64 with "break-dnssec yes;"
928 - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
929 called.
930 - CVE-2017-3136
931 * SECURITY UPDATE: Denial of Service due to resolver terminating when
932 processing a response packet containing a CNAME or DNAME
933 - debian/patches/CVE-2017-3137.patch: don't expect a specific
934 ordering of answer components; add testcases.
935 - CVE-2017-3137
936 * SECURITY UPDATE: Denial of Service when receiving a null command on
937 the control channel
938 - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
939 command token is given; add testcase.
940 - CVE-2017-3138
941
942 -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
943
944bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
945
946 * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
947 a NULL pointer
948 - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
949 combination in bin/named/query.c, lib/dns/message.c,
950 lib/dns/rdataset.c.
951 - CVE-2017-3135
952 * SECURITY UPDATE: regression in CVE-2016-8864
953 - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
954 was still being cached when it should have been in lib/dns/resolver.c,
955 added tests to bin/tests/system/dname/ans3/ans.pl,
956 bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
957 - No CVE number
958
959 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
960
961bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
962
963 * SECURITY UPDATE: assertion failure via class mismatch
964 - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
965 records in lib/dns/resolver.c.
966 - CVE-2016-9131
967 * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
968 - debian/patches/CVE-2016-9147.patch: fix logic when records are
969 returned without the requested data in lib/dns/resolver.c.
970 - CVE-2016-9147
971 * SECURITY UPDATE: assertion failure via unusually-formed DS record
972 - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
973 lib/dns/message.c, lib/dns/resolver.c.
974 - CVE-2016-9444
975 * SECURITY UPDATE: regression in CVE-2016-8864
976 - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
977 responses in lib/dns/resolver.c, added tests to
978 bin/tests/system/dname/ns2/example.db,
979 bin/tests/system/dname/tests.sh.
980 - No CVE number
981
982 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
983
984bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
985
986 * Add RemainAfterExit to bind9-resolvconf unit configuration file
987 (LP: #1536181).
988
989 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
990
991bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
992
993 * SECURITY UPDATE: denial of service via assertion failure
994 - debian/patches/CVE-2016-2776.patch: properly handle lengths in
995 lib/dns/message.c.
996 - CVE-2016-2776
997
998 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
999
483bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium1000bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
4841001
485 * Non-maintainer upload.1002 * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index 73c2a17..3d7f03d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: bind91Source: bind9
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Debian DNS Team <team+dns@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
5Uploaders: LaMont Jones <lamont@debian.org>,6Uploaders: LaMont Jones <lamont@debian.org>,
6 Michael Gilbert <mgilbert@debian.org>,7 Michael Gilbert <mgilbert@debian.org>,
7 Robie Basak <robie.basak@canonical.com>,8 Robie Basak <robie.basak@canonical.com>,
@@ -15,18 +16,14 @@ Build-Depends: bison,
15 dpkg-dev (>= 1.16.1~),16 dpkg-dev (>= 1.16.1~),
16 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],17 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
17 libdb-dev (>>4.6),18 libdb-dev (>>4.6),
18 libfstrm-dev,
19 libgeoip-dev (>= 1.4.6.dfsg-5),19 libgeoip-dev (>= 1.4.6.dfsg-5),
20 libidn2-dev,20 libidn2-dev,
21 libjson-c-dev,21 libjson-c-dev,
22 libkrb5-dev,22 libkrb5-dev,
23 libldap2-dev,23 libldap2-dev,
24 liblmdb-dev,
25 libprotobuf-c-dev,
26 libssl-dev,24 libssl-dev,
27 libtool,25 libtool,
28 libxml2-dev,26 libxml2-dev,
29 protobuf-c-compiler,
30 python3,27 python3,
31 python3-distutils,28 python3-distutils,
32 python3-ply29 python3-ply
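Review bot: the four build dependencies dropped in this hunk (libfstrm-dev, liblmdb-dev, libprotobuf-c-dev, protobuf-c-compiler) are removed with no reason recorded next to them. Please make sure the delta summary in debian/changelog names the feature each one belongs to (dnstap and LMDB, both turned off in debian/rules in this same diff), so the next merge can tell whether each removal is still needed.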
diff --git a/debian/dnsutils.install b/debian/dnsutils.install
index 90e4fba..5e6b7d9 100644
--- a/debian/dnsutils.install
+++ b/debian/dnsutils.install
@@ -1,12 +1,10 @@
1usr/bin/delv1usr/bin/delv
2usr/bin/dig2usr/bin/dig
3usr/bin/dnstap-read
4usr/bin/mdig3usr/bin/mdig
5usr/bin/nslookup4usr/bin/nslookup
6usr/bin/nsupdate5usr/bin/nsupdate
7usr/share/man/man1/delv.16usr/share/man/man1/delv.1
8usr/share/man/man1/dig.17usr/share/man/man1/dig.1
9usr/share/man/man1/dnstap-read.1
10usr/share/man/man1/mdig.18usr/share/man/man1/mdig.1
11usr/share/man/man1/nslookup.19usr/share/man/man1/nslookup.1
12usr/share/man/man1/nsupdate.110usr/share/man/man1/nsupdate.1
diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
index d7c98d4..7b6020e 100644
--- a/debian/libdns1104.symbols
+++ b/debian/libdns1104.symbols
@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
358 dns_dsdigest_format@Base 1:9.11.3+dfsg358 dns_dsdigest_format@Base 1:9.11.3+dfsg
359 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg359 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
360 dns_dsdigest_totext@Base 1:9.11.3+dfsg360 dns_dsdigest_totext@Base 1:9.11.3+dfsg
361 dns_dt_attach@Base 1:9.11.4.P1
362 dns_dt_close@Base 1:9.11.4.P1
363 dns_dt_create@Base 1:9.11.4.P1
364 dns_dt_datatotext@Base 1:9.11.4.P1
365 dns_dt_detach@Base 1:9.11.4.P1
366 dns_dt_getframe@Base 1:9.11.4.P1
367 dns_dt_getstats@Base 1:9.11.4.P1
368 dns_dt_open@Base 1:9.11.4.P1
369 dns_dt_parse@Base 1:9.11.4.P1
370 dns_dt_reopen@Base 1:9.11.4.P1
371 dns_dt_send@Base 1:9.11.4.P1
372 dns_dt_setidentity@Base 1:9.11.4.P1
373 dns_dt_setversion@Base 1:9.11.4.P1
374 dns_dt_shutdown@Base 1:9.11.4.P1
375 dns_dtdata_free@Base 1:9.11.4.P1
376 dns_dumpctx_attach@Base 1:9.11.3+dfsg361 dns_dumpctx_attach@Base 1:9.11.3+dfsg
377 dns_dumpctx_cancel@Base 1:9.11.3+dfsg362 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
378 dns_dumpctx_db@Base 1:9.11.3+dfsg363 dns_dumpctx_db@Base 1:9.11.3+dfsg
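Review bot: deleting the dns_dt_* block here, and the dnstap__* blocks in the following hunks, makes this file conflict on every merge in which Debian touches those lines, which the description says already happened in this round. If Debian would accept it, tagging these entries as optional, for example "(optional)dns_dt_attach@Base 1:9.11.4.P1", would let one symbols file serve builds with and without dnstap and would remove this part of the delta.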
@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
1443 dns_zt_setviewcommit@Base 1:9.11.3+dfsg1428 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
1444 dns_zt_setviewrevert@Base 1:9.11.3+dfsg1429 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
1445 dns_zt_unmount@Base 1:9.11.3+dfsg1430 dns_zt_unmount@Base 1:9.11.3+dfsg
1446 dnstap__dnstap__descriptor@Base 1:9.11.4.P1
1447 dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
1448 dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
1449 dnstap__dnstap__init@Base 1:9.11.4.P1
1450 dnstap__dnstap__pack@Base 1:9.11.4.P1
1451 dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
1452 dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
1453 dnstap__dnstap__unpack@Base 1:9.11.4.P1
1454 dnstap__message__descriptor@Base 1:9.11.4.P1
1455 dnstap__message__free_unpacked@Base 1:9.11.4.P1
1456 dnstap__message__get_packed_size@Base 1:9.11.4.P1
1457 dnstap__message__init@Base 1:9.11.4.P1
1458 dnstap__message__pack@Base 1:9.11.4.P1
1459 dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
1460 dnstap__message__type__descriptor@Base 1:9.11.4.P1
1461 dnstap__message__unpack@Base 1:9.11.4.P1
1462 dnstap__socket_family__descriptor@Base 1:9.11.4.P1
1463 dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
1464 dst__entropy_getdata@Base 1:9.11.3+dfsg1431 dst__entropy_getdata@Base 1:9.11.3+dfsg
1465 dst__entropy_status@Base 1:9.11.3+dfsg1432 dst__entropy_status@Base 1:9.11.3+dfsg
1466 dst__gssapi_init@Base 1:9.11.3+dfsg1433 dst__gssapi_init@Base 1:9.11.3+dfsg
@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
1940 dns_dsdigest_format@Base 1:9.11.3+dfsg1907 dns_dsdigest_format@Base 1:9.11.3+dfsg
1941 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg1908 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
1942 dns_dsdigest_totext@Base 1:9.11.3+dfsg1909 dns_dsdigest_totext@Base 1:9.11.3+dfsg
1943 dns_dt_attach@Base 1:9.11.4.P1
1944 dns_dt_close@Base 1:9.11.4.P1
1945 dns_dt_create@Base 1:9.11.4.P1
1946 dns_dt_datatotext@Base 1:9.11.4.P1
1947 dns_dt_detach@Base 1:9.11.4.P1
1948 dns_dt_getframe@Base 1:9.11.4.P1
1949 dns_dt_getstats@Base 1:9.11.4.P1
1950 dns_dt_open@Base 1:9.11.4.P1
1951 dns_dt_parse@Base 1:9.11.4.P1
1952 dns_dt_reopen@Base 1:9.11.4.P1
1953 dns_dt_send@Base 1:9.11.4.P1
1954 dns_dt_setidentity@Base 1:9.11.4.P1
1955 dns_dt_setversion@Base 1:9.11.4.P1
1956 dns_dt_shutdown@Base 1:9.11.4.P1
1957 dns_dtdata_free@Base 1:9.11.4.P1
1958 dns_dumpctx_attach@Base 1:9.11.3+dfsg1910 dns_dumpctx_attach@Base 1:9.11.3+dfsg
1959 dns_dumpctx_cancel@Base 1:9.11.3+dfsg1911 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
1960 dns_dumpctx_db@Base 1:9.11.3+dfsg1912 dns_dumpctx_db@Base 1:9.11.3+dfsg
@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
3032 dns_zt_setviewcommit@Base 1:9.11.3+dfsg2984 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
3033 dns_zt_setviewrevert@Base 1:9.11.3+dfsg2985 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
3034 dns_zt_unmount@Base 1:9.11.3+dfsg2986 dns_zt_unmount@Base 1:9.11.3+dfsg
3035 dnstap__dnstap__descriptor@Base 1:9.11.4.P1
3036 dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
3037 dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
3038 dnstap__dnstap__init@Base 1:9.11.4.P1
3039 dnstap__dnstap__pack@Base 1:9.11.4.P1
3040 dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
3041 dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
3042 dnstap__dnstap__unpack@Base 1:9.11.4.P1
3043 dnstap__message__descriptor@Base 1:9.11.4.P1
3044 dnstap__message__free_unpacked@Base 1:9.11.4.P1
3045 dnstap__message__get_packed_size@Base 1:9.11.4.P1
3046 dnstap__message__init@Base 1:9.11.4.P1
3047 dnstap__message__pack@Base 1:9.11.4.P1
3048 dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
3049 dnstap__message__type__descriptor@Base 1:9.11.4.P1
3050 dnstap__message__unpack@Base 1:9.11.4.P1
3051 dnstap__socket_family__descriptor@Base 1:9.11.4.P1
3052 dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
3053 dst__entropy_getdata@Base 1:9.11.3+dfsg2987 dst__entropy_getdata@Base 1:9.11.3+dfsg
3054 dst__entropy_status@Base 1:9.11.3+dfsg2988 dst__entropy_status@Base 1:9.11.3+dfsg
3055 dst__gssapi_init@Base 1:9.11.3+dfsg2989 dst__gssapi_init@Base 1:9.11.3+dfsg
diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
3056new file mode 1006442990new file mode 100644
index 0000000..5444ae7
--- /dev/null
+++ b/debian/patches/enable-udp-in-host-command.diff
@@ -0,0 +1,26 @@
1Description: Fix parsing of host(1)'s -U command line option
2Author: Andreas Hasenack <andreas@canonical.com>
3Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
4Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
5Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
6Last-Update: 2018-12-06
7---
8This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
9--- a/bin/dig/host.c
10+++ b/bin/dig/host.c
11@@ -158,6 +158,7 @@
12 " -s a SERVFAIL response should stop query\n"
13 " -t specifies the query type\n"
14 " -T enables TCP/IP mode\n"
15+" -U enables UDP mode\n"
16 " -v enables verbose output\n"
17 " -V print version number and exit\n"
18 " -w specifies to wait forever for a reply\n"
19@@ -657,6 +658,7 @@
20 case 'N': break;
21 case 'R': break;
22 case 'T': break;
23+ case 'U': break;
24 case 'W': break;
25 default:
26 show_usage();
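Review bot: nothing in the package exercises the new "case 'U': break;" path, so a regression in host -U on a later merge would go unnoticed. A single host -U lookup against the local server in debian/tests/simpletest would cover it. The DEP-3 header also gives Applied-Upstream only as a commit URL; adding the first upstream release that contains the commit would tell the next merger when this patch can be dropped.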
diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
0new file mode 10064427new file mode 100644
index 0000000..f10f51f
--- /dev/null
+++ b/debian/patches/fix-shutdown-race.diff
@@ -0,0 +1,41 @@
1From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
3Date: Tue, 13 Nov 2018 13:50:47 +0100
4Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
5
6If a tool using the routines defined in bin/dig/dighost.c is sent an
7interruption signal around the time a connection timeout is scheduled to
8fire, connect_timeout() may be executed after destroy_libs() detaches
9from the global task (setting 'global_task' to NULL), which results in a
10crash upon a UDP retry due to bringup_timer() attempting to create a
11timer with 'task' set to NULL. Fix by preventing connect_timeout() from
12attempting a retry when shutdown is in progress.
13
14(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
15
16Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
17Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
18Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
19Last-Update: 2018-12-06
20
21---
22 bin/dig/dighost.c | 5 +++++
23 1 file changed, 5 insertions(+)
24diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
25index 39abb9d0fd..17e0328228 100644
26--- a/bin/dig/dighost.c
27+++ b/bin/dig/dighost.c
28@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
29
30 INSIST(!free_now);
31
32+ if (cancel_now) {
33+ UNLOCK_LOOKUP;
34+ return;
35+ }
36+
37 if ((query != NULL) && (query->lookup->current_query != NULL) &&
38 ISC_LINK_LINKED(query->lookup->current_query, link) &&
39 (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
40--
412.18.1
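Review bot: the header still reads "Subject: [PATCH 1/2]", but debian/patches/series gains only this one file, so it is unclear whether part 2/2 was left out on purpose. Please state that in the header, and add an Applied-Upstream field next to Origin so the patch is as easy to drop as enable-udp-in-host-command.diff. In the code itself, the new "if (cancel_now)" branch releases the lock with UNLOCK_LOOKUP and returns, but the visible context does not show whether "event" has already been freed at that point; worth confirming against the full connect_timeout() before relying on the early return.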
diff --git a/debian/patches/series b/debian/patches/series
index b8cde78..01bb163 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,5 @@ keymgr-dont-immediately-delete.diff
120012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch120012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
130013-Replace-atomic-operations-in-bin-named-client.c-with.patch130013-Replace-atomic-operations-in-bin-named-client.c-with.patch
140014-Disable-broken-Ed448-support.patch140014-Disable-broken-Ed448-support.patch
15enable-udp-in-host-command.diff
16fix-shutdown-race.diff
diff --git a/debian/rules b/debian/rules
index c8d745c..717ecb9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -91,7 +91,7 @@ override_dh_auto_configure:
91 --with-gssapi=/usr \91 --with-gssapi=/usr \
92 --with-libidn2 \92 --with-libidn2 \
93 --with-libjson=/usr \93 --with-libjson=/usr \
94 --with-lmdb=/usr \94 --without-lmdb \
95 --with-gnu-ld \95 --with-gnu-ld \
96 --with-geoip=/usr \96 --with-geoip=/usr \
97 --with-atf=no \97 --with-atf=no \
@@ -101,7 +101,6 @@ override_dh_auto_configure:
101 --enable-native-pkcs11 \101 --enable-native-pkcs11 \
102 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \102 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
103 --with-randomdev=/dev/urandom \103 --with-randomdev=/dev/urandom \
104 --enable-dnstap \
105 $(EXTRA_FEATURES)104 $(EXTRA_FEATURES)
106 dh_auto_configure -B build-udeb -- \105 dh_auto_configure -B build-udeb -- \
107 --sysconfdir=/etc/bind \106 --sysconfdir=/etc/bind \
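Review bot: LMDB is switched off explicitly with "--without-lmdb" in the previous hunk, but dnstap is switched off here only by deleting "--enable-dnstap", which leaves the result to whatever configure defaults to. Passing "--disable-dnstap" instead would state the intent and keep the two features handled the same way, and it would make the removals in debian/dnsutils.install and debian/libdns1104.symbols safe against a later change of default.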
@@ -126,8 +125,6 @@ override_dh_auto_configure:
126 # no need to build these targets here125 # no need to build these targets here
127 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile126 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
128 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile127 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
129 cp lib/dns/dnstap.proto build/lib/dns
130 cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
131128
132override_dh_auto_build:129override_dh_auto_build:
133 dh_auto_build -B build130 dh_auto_build -B build
diff --git a/debian/tests/simpletest b/debian/tests/simpletest
index 468a7c5..34b0b25 100755
--- a/debian/tests/simpletest
+++ b/debian/tests/simpletest
@@ -10,10 +10,6 @@ setup() {
10run() {10run() {
11 # Make a query against a local zone11 # Make a query against a local zone
12 dig -x 127.0.0.1 @127.0.0.112 dig -x 127.0.0.1 @127.0.0.1
13
14 # Make a query against an external nameserver and check for DNSSEC validation
15 echo "Checking for DNSSEC validation status of internetsociety.org"
16 dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
17}13}
1814
19teardown() {15teardown() {
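Review bot: removing the "dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'" check leaves run() with no DNSSEC validation coverage at all; only the reverse lookup of 127.0.0.1 remains. If the reason is that the test environment cannot reach external nameservers, please say so in the changelog, and consider validating against a locally signed zone with a configured trust anchor instead, so the autopkgtest still fails when validation breaks.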
