Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind9-9.16.3 into ubuntu/+source/bind9:debian/sid
Status: | Merged |
---|---|
Approved by: | Andreas Hasenack |
Approved revision: | d87a6445a374c56cd285bdda9b0b57b7e3caf348 |
Merge reported by: | Andreas Hasenack |
Merged at revision: | d87a6445a374c56cd285bdda9b0b57b7e3caf348 |
Proposed branch: | ~ahasenack/ubuntu/+source/bind9:groovy-bind9-9.16.3 |
Merge into: | ubuntu/+source/bind9:debian/sid |
Diff against target: | 1101 lines (+940/-14), 8 files modified: debian/NEWS (+24/-0), debian/bind9-dnsutils.install (+0/-2), debian/bind9.apport (+24/-0), debian/changelog (+886/-0), debian/control (+3/-4), debian/rules (+2/-3), debian/tests/control (+1/-1), debian/tests/simpletest (+0/-4) |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | | | Approve |
Canonical Server Core Reviewers | | | Pending |

Review via email: mp+385184@code.launchpad.net
Commit message
Description of the change
Merge from debian, dropping some delta.
We had two i386-related bits of delta:
- d/t/control: change the dep8 test dependency to be on the real
bind9-
and
- d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP #1864761
The latter was the first one I tried back then, and didn't work, then I did the d/t/control change and bind9 migrated. I now revisited these and turns out the multi-arch fix was not needed (and was even on the wrong package), and I dropped it. Current bileto run shows bind9 i386 passing:
Andreas Hasenack (ahasenack) wrote:
Tagging and uploading d87a6445a374c56
$ git push pkg upload/
Enumerating objects: 55, done.
Counting objects: 100% (55/55), done.
Delta compression using up to 4 threads
Compressing objects: 100% (44/44), done.
Writing objects: 100% (46/46), 13.53 KiB | 728.00 KiB/s, done.
Total 46 (delta 29), reused 3 (delta 2)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../bind9_
Checking signature on .changes
gpg: ../bind9_
Checking signature on .dsc
gpg: ../bind9_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Successfully uploaded packages.
Andreas Hasenack (ahasenack) wrote:
This migrated.
Preview Diff
1 | diff --git a/debian/NEWS b/debian/NEWS |
2 | new file mode 100644 |
3 | index 0000000..c9348a4 |
4 | --- /dev/null |
5 | +++ b/debian/NEWS |
6 | @@ -0,0 +1,24 @@ |
7 | +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium |
8 | + |
9 | + Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new |
10 | + source package bind9-libs version 9.11 was created for that purpose, |
11 | + providing only libraries and header files. The bind9 9.16.x packages do not |
12 | + provide development libraries or headers. See commit |
13 | + https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more |
14 | + details. udebs used in the debian-installer are also being provided by |
15 | + bind9-libs. |
16 | + |
17 | + Another package which doesn't build with the newer bind9 package is |
18 | + bind-dyndb-ldap. It will build using the libraries from bind9-libs, but |
19 | + since this is a server plugin, it won't work with the newer server. |
20 | + |
21 | + Native pkcs#11 support via softhsm2 is no longer being built for this |
22 | + package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see |
23 | + https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer |
24 | + ships FreeIPA, and Debian also dropped the native pkcs#11 support. |
25 | + |
26 | + There are no development libraries or header files in this bind9 9.16.x |
27 | + packaging at the moment. This may change later, see |
28 | + https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229 |
29 | + |
30 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 22 Feb 2020 17:40:38 -0300 |
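Review bot: The pkcs#11 paragraph of this NEWS entry says why native pkcs#11 support via softhsm2 is no longer built (FreeIPA is gone from Focal and Debian dropped it too) but gives no guidance to any other user who relied on that build; one sentence on what such users should do after upgrading would make the entry actionable. Separately, the first and last paragraphs both state that the 9.16.x packaging ships no development libraries or header files; moving the merge_requests/3089 link into the first paragraph would remove the repetition.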
31 | diff --git a/debian/bind9-dnsutils.install b/debian/bind9-dnsutils.install |
32 | index 90e4fba..5e6b7d9 100644 |
33 | --- a/debian/bind9-dnsutils.install |
34 | +++ b/debian/bind9-dnsutils.install |
35 | @@ -1,12 +1,10 @@ |
36 | usr/bin/delv |
37 | usr/bin/dig |
38 | -usr/bin/dnstap-read |
39 | usr/bin/mdig |
40 | usr/bin/nslookup |
41 | usr/bin/nsupdate |
42 | usr/share/man/man1/delv.1 |
43 | usr/share/man/man1/dig.1 |
44 | -usr/share/man/man1/dnstap-read.1 |
45 | usr/share/man/man1/mdig.1 |
46 | usr/share/man/man1/nslookup.1 |
47 | usr/share/man/man1/nsupdate.1 |
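Review bot: The two removals in this hunk (usr/bin/dnstap-read and usr/share/man/man1/dnstap-read.1) are recorded in debian/changelog as "d/dnsutils.install: don't install dnstap", which no longer matches the file actually changed, debian/bind9-dnsutils.install. Suggest updating the changelog wording to the current file name so that the remaining delta can be matched to files at the next merge.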
48 | diff --git a/debian/bind9.apport b/debian/bind9.apport |
49 | new file mode 100644 |
50 | index 0000000..b3baa8b |
51 | --- /dev/null |
52 | +++ b/debian/bind9.apport |
53 | @@ -0,0 +1,24 @@ |
54 | +'''apport hook for bind9 |
55 | + |
56 | +(c) 2010 Andres Rodriguez. |
57 | +Author: Andres Rodriguez <andreserl@ubuntu.com> |
58 | + |
59 | +This program is free software; you can redistribute it and/or modify it |
60 | +under the terms of the GNU General Public License as published by the |
61 | +Free Software Foundation; either version 2 of the License, or (at your |
62 | +option) any later version. See http://www.gnu.org/copyleft/gpl.html for |
63 | +the full text of the license. |
64 | +''' |
65 | + |
66 | +from apport.hookutils import * |
67 | +import re |
68 | + |
69 | +def add_info(report, ui): |
70 | + |
71 | + # getting syslog stuff |
72 | + report['SyslogBind9'] = recent_syslog(re.compile(r'named\[')) |
73 | + |
74 | + # Attaching related packages info |
75 | + attach_related_packages(report, ['bind9utils', 'apparmor']) |
76 | + |
77 | + attach_mac_events(report, '/usr/sbin/named') |
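Review bot: The attach_related_packages() call lists 'bind9utils', which the changelog in this same merge describes as a transitional package ("create transitional packages for dnsutils, bind9utils"), so the report would record the state of the transitional package rather than of the package that ships the tools. Suggest listing the real package names, in line with the d/t/control change that moved the dep8 dependency to the real bind9-dnsutils package. Two smaller points: "from apport.hookutils import *" could be replaced by explicit imports of recent_syslog, attach_related_packages and attach_mac_events, and because recent_syslog() attaches every recent syslog line matching named\[ to the bug report, it is worth confirming that this is acceptable on servers whose named log lines carry client addresses or queried names.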
78 | diff --git a/debian/changelog b/debian/changelog |
79 | index e46f896..0c393e8 100644 |
80 | --- a/debian/changelog |
81 | +++ b/debian/changelog |
82 | @@ -1,9 +1,113 @@ |
83 | +bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium |
84 | + |
85 | + * Merge with Debian unstable. Remaining changes: |
86 | + - Don't build dnstap as it depends on universe packages: |
87 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
88 | + protobuf-c-compiler (universe packages) |
89 | + + d/dnsutils.install: don't install dnstap |
90 | + + d/libdns1104.symbols: don't include dnstap symbols |
91 | + + d/rules: don't build dnstap nor install dnstap.proto |
92 | + - Add back apport: |
93 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
94 | + attach_conffiles() since that is already done by apport itself, with |
95 | + confirmation from the user. |
96 | + + d/control, d/rules: buil-depends on dh-apport and use it |
97 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
98 | + network egress access that is not available in the Ubuntu autopkgtest |
99 | + farm. |
100 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
101 | + - d/t/control: change the dep8 test dependency to be on the real |
102 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
103 | + - d/rules: change deprecated --with-libjson-c configure argument to |
104 | + --with-json-c |
105 | + * Dropped: |
106 | + - d/control: make bind9-dnsutils multi-arch foreign as another step |
107 | + towards fixing LP #1864761 |
108 | + [The correct fix was to change the dep8 dependency to be on the real |
109 | + package, and not the transitional one] |
110 | + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
111 | + performed when processing referrals |
112 | + + debian/patches/CVE-2020-8616.patch: further limit the number of |
113 | + queries that can be triggered from a request in lib/dns/adb.c, |
114 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
115 | + + CVE-2020-8616 |
116 | + [Fixed upstream] |
117 | + - SECURITY UPDATE: A logic error in code which checks TSIG validity can |
118 | + be used to trigger an assertion failure in tsig.c |
119 | + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
120 | + BADTIME response in lib/dns/tsig.c. |
121 | + + CVE-2020-8617 |
122 | + [Fixed upstream] |
123 | + |
124 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 02 Jun 2020 17:37:44 -0300 |
125 | + |
126 | bind9 (1:9.16.3-1) unstable; urgency=medium |
127 | |
128 | * New upstream version 9.16.3 |
129 | |
130 | -- Ondřej Surý <ondrej@debian.org> Tue, 19 May 2020 14:14:35 +0200 |
131 | |
132 | +bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium |
133 | + |
134 | + * Merge with Debian unstable. Remaining changes: |
135 | + - Don't build dnstap as it depends on universe packages: |
136 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
137 | + protobuf-c-compiler (universe packages) |
138 | + + d/dnsutils.install: don't install dnstap |
139 | + + d/libdns1104.symbols: don't include dnstap symbols |
140 | + + d/rules: don't build dnstap nor install dnstap.proto |
141 | + - Add back apport: |
142 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
143 | + attach_conffiles() since that is already done by apport itself, with |
144 | + confirmation from the user. |
145 | + + d/control, d/rules: buil-depends on dh-apport and use it |
146 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
147 | + network egress access that is not available in the Ubuntu autopkgtest |
148 | + farm. |
149 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
150 | + - d/t/control: change the dep8 test dependency to be on the real |
151 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
152 | + - d/control: make bind9-dnsutils multi-arch foreign as another step |
153 | + towards fixing LP #1864761 |
154 | + - d/rules: change deprecated --with-libjson-c configure argument to |
155 | + --with-json-c |
156 | + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
157 | + performed when processing referrals |
158 | + + debian/patches/CVE-2020-8616.patch: further limit the number of |
159 | + queries that can be triggered from a request in lib/dns/adb.c, |
160 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
161 | + + CVE-2020-8616 |
162 | + - SECURITY UPDATE: A logic error in code which checks TSIG validity can |
163 | + be used to trigger an assertion failure in tsig.c |
164 | + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
165 | + BADTIME response in lib/dns/tsig.c. |
166 | + + CVE-2020-8617 |
167 | + * Dropped: |
168 | + - use iproute2 instead of net-tools (LP #1850699): |
169 | + + d/control: replace net-tools depends with iproute2 |
170 | + + d/bind9.init: use ip instead of ifconfig |
171 | + [In 1:9.16.1-2] |
172 | + - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate) |
173 | + via libedit-dev (libreadline has a license conflict with bind) |
174 | + [In 1:9.16.1-2] |
175 | + - d/control: drop hardcoded python3 dependency |
176 | + (LP #1856211, Closes #946643) |
177 | + [In 1:9.16.1-2] |
178 | + - d/extras/apparmor.d/usr.sbin.named: |
179 | + + Add flags=(attach_disconnected) to AppArmor profile |
180 | + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ |
181 | + (Closes: #928398) |
182 | + [In 1:9.16.1-2] |
183 | + - d/rules: fix typo in the apparmor profile installation |
184 | + [In 1:9.16.1-2] |
185 | + - d/control: create transitional packages for dnsutils, bind9utils |
186 | + [In 1:9.16.1-2] |
187 | + - d/p/fix-rebinding-protection.patch: fix rebinding protection bug |
188 | + when using forwarder setups (LP #1873046) |
189 | + [Fixed upstream] |
190 | + |
191 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 22 May 2020 09:52:13 -0300 |
192 | + |
193 | bind9 (1:9.16.2-3) unstable; urgency=medium |
194 | |
195 | [ Simon Deziel ] |
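Review bot: In the "Dropped" list of 1:9.16.3-1ubuntu1, the CVE-2020-8616 and CVE-2020-8617 patches are marked only "[Fixed upstream]"; naming the upstream release that carries each fix, as older entries in this changelog do ("[Fixed upstream in 9.11.13]"), would let a reader verify the drop without going through upstream history. The "Remaining changes" list also still carries "d/libdns1104.symbols: don't include dnstap symbols", yet no symbols file is among the 8 files this merge modifies, so that item looks stale and could be removed. Typo in the new top entry: "buil-depends" should be "build-depends".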
196 | @@ -54,6 +158,106 @@ bind9 (1:9.16.1-1) experimental; urgency=medium |
197 | |
198 | -- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 13:59:34 +0100 |
199 | |
200 | +bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium |
201 | + |
202 | + * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
203 | + performed when processing referrals |
204 | + - debian/patches/CVE-2020-8616.patch: further limit the number of |
205 | + queries that can be triggered from a request in lib/dns/adb.c, |
206 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
207 | + - CVE-2020-8616 |
208 | + * SECURITY UPDATE: A logic error in code which checks TSIG validity can |
209 | + be used to trigger an assertion failure in tsig.c |
210 | + - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
211 | + BADTIME response in lib/dns/tsig.c. |
212 | + - CVE-2020-8617 |
213 | + |
214 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 May 2020 09:03:32 -0400 |
215 | + |
216 | +bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium |
217 | + |
218 | + * d/p/fix-rebinding-protection.patch: fix rebinding protection bug |
219 | + when using forwarder setups (LP: #1873046) |
220 | + |
221 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Apr 2020 14:59:51 -0300 |
222 | + |
223 | +bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium |
224 | + |
225 | + * New upstream release: 19.16.1 (LP: #1868272) |
226 | + - drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream |
227 | + - drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream |
228 | + * d/rules: change deprecated --with-libjson-c configure argument to |
229 | + --with-json-c |
230 | + |
231 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 24 Mar 2020 11:44:46 -0300 |
232 | + |
233 | +bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium |
234 | + |
235 | + * d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now |
236 | + in main (LP: #1866875) |
237 | + |
238 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 16 Mar 2020 16:17:47 -0300 |
239 | + |
240 | +bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium |
241 | + |
242 | + * d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP |
243 | + client quota limits (LP: #1866378) |
244 | + * d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in |
245 | + dns_client_addtrustedkey (LP: #1866384) |
246 | + |
247 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 06 Mar 2020 15:12:56 -0300 |
248 | + |
249 | +bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium |
250 | + |
251 | + * d/control: make bind9-dnsutils multi-arch foreign as another step |
252 | + towards fixing LP: #1864761 |
253 | + |
254 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 20:19:40 -0300 |
255 | + |
256 | +bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium |
257 | + |
258 | + * d/t/control: change the dep8 test dependency to be on the real |
259 | + bind9-dnsutils package, and not the transitional one (LP: #1864761) |
260 | + |
261 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 14:16:04 -0300 |
262 | + |
263 | +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium |
264 | + |
265 | + * Merge with Debian unstable. Remaining changes: |
266 | + - Don't build dnstap as it depends on universe packages: |
267 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
268 | + protobuf-c-compiler (universe packages) |
269 | + + d/dnsutils.install: don't install dnstap |
270 | + + d/libdns1104.symbols: don't include dnstap symbols |
271 | + + d/rules: don't build dnstap nor install dnstap.proto |
272 | + - Add back apport: |
273 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
274 | + attach_conffiles() since that is already done by apport itself, with |
275 | + confirmation from the user. |
276 | + + d/control, d/rules: buil-depends on dh-apport and use it |
277 | + - d/control, d/rules: go back to old geoip support, since |
278 | + libmaxminddb (for GeoIP2) is in universe |
279 | + * Added back from sid packaging: |
280 | + - d/t/control, d/t/simpletest: bring back the dep8 test from |
281 | + debian/sid, with our delta to not query external hosts |
282 | + - use iproute2 instead of net-tools (LP #1850699): |
283 | + + d/control: replace net-tools depends with iproute2 |
284 | + + d/bind9.init: use ip instead of ifconfig |
285 | + - d/control: drop hardcoded python3 dependency |
286 | + (LP #1856211, Closes #946643) |
287 | + - d/extras/apparmor.d/usr.sbin.named: |
288 | + + Add flags=(attach_disconnected) to AppArmor profile |
289 | + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ |
290 | + (Closes: #928398) |
291 | + - d/rules: fix typo in the apparmor profile installation |
292 | + * Added: |
293 | + - d/control: create transitional packages for dnsutils, bind9utils |
294 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
295 | + - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate) |
296 | + via libedit-dev (libreadline has a license conflict with bind) |
297 | + |
298 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 24 Feb 2020 11:51:37 -0300 |
299 | + |
300 | bind9 (1:9.16.0-1) experimental; urgency=medium |
301 | |
302 | * Change the branch to 9.16 |
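Review bot: The 1:9.16.1-0ubuntu1 entry reads "New upstream release: 19.16.1", while the entry's own version string gives 9.16.1. If earlier entries are being carried over verbatim this can stay as it is; otherwise correct the version number so that searches of the changelog for 9.16.1 find this entry.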
303 | @@ -345,6 +549,462 @@ bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium |
304 | |
305 | -- Ondřej Surý <ondrej@debian.org> Wed, 24 Jan 2018 09:18:13 +0000 |
306 | |
307 | +bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium |
308 | + |
309 | + * Merge with Debian unstable. Remaining changes: |
310 | + - Don't build dnstap as it depends on universe packages: |
311 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
312 | + protobuf-c-compiler (universe packages) |
313 | + + d/dnsutils.install: don't install dnstap |
314 | + + d/libdns1104.symbols: don't include dnstap symbols |
315 | + + d/rules: don't build dnstap nor install dnstap.proto |
316 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
317 | + network egress access that is not available in the Ubuntu autopkgtest |
318 | + farm. |
319 | + - Add back apport: |
320 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
321 | + attach_conffiles() since that is already done by apport itself, with |
322 | + confirmation from the user. |
323 | + + d/control, d/rules: buil-depends on dh-apport and use it |
324 | + - d/control, d/rules: go back to old geoip support, since |
325 | + libmaxminddb (for GeoIP2) is in universe |
326 | + * Dropped: |
327 | + - use iproute2 instead of net-tools (LP #1850699): |
328 | + + d/control: replace net-tools depends with iproute2 |
329 | + + d/bind9.init: use ip instead of ifconfig |
330 | + [In 1:9.11.14+dfsg-2] |
331 | + - d/control: drop hardcoded python3 dependency in bind9utils, |
332 | + dh-python injects the correct one via ${python3:Depends} |
333 | + (LP #1856211, Closes #946643) |
334 | + [In 1:9.11.14+dfsg-1] |
335 | + |
336 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 27 Jan 2020 11:47:26 -0300 |
337 | + |
338 | +bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium |
339 | + |
340 | + * Merge with Debian unstable. Remaining changes: |
341 | + - Don't build dnstap as it depends on universe packages: |
342 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
343 | + protobuf-c-compiler (universe packages) |
344 | + + d/dnsutils.install: don't install dnstap |
345 | + + d/libdns1104.symbols: don't include dnstap symbols |
346 | + + d/rules: don't build dnstap nor install dnstap.proto |
347 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
348 | + network egress access that is not available in the Ubuntu autopkgtest |
349 | + farm. |
350 | + - use iproute2 instead of net-tools (LP #1850699): |
351 | + + d/control: replace net-tools depends with iproute2 |
352 | + + d/bind9.init: use ip instead of ifconfig |
353 | + [Updated to also check the exit status of the command] |
354 | + - d/control: drop hardcoded python3 dependency in bind9utils, |
355 | + dh-python injects the correct one via ${python3:Depends} |
356 | + (LP #1856211, Closes: #946643) |
357 | + * Dropped: |
358 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
359 | + option (LP #1804648) |
360 | + [Fixed upstream in 9.11.6rc1] |
361 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
362 | + close to a query timeout (LP #1797926) |
363 | + [Fixed upstream in 9.11.6rc1] |
364 | + - SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single |
365 | + connection |
366 | + + debian/patches/CVE-2019-6477.patch: limit number of clients in |
367 | + bin/named/client.c, bin/named/include/named/client.h. |
368 | + + CVE-2019-6477 |
369 | + [Fixed upstream in 9.11.13] |
370 | + * Added: |
371 | + - Add back apport: |
372 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
373 | + attach_conffiles() since that is already done by apport itself, with |
374 | + confirmation from the user. |
375 | + + d/control, d/rules: buil-depends on dh-apport and use it |
376 | + - d/control, d/rules: go back to old geoip support, since |
377 | + libmaxminddb (for GeoIP2) is in universe |
378 | + |
379 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Jan 2020 14:07:05 -0300 |
380 | + |
381 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium |
382 | + |
383 | + * d/control: drop hardcoded python3 dependency in bind9utils, |
384 | + dh-python injects the correct one via ${python3:Depends} |
385 | + (LP: #1856211, Closes: #946643) |
386 | + |
387 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 12 Dec 2019 14:40:20 -0300 |
388 | + |
389 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium |
390 | + |
391 | + * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single |
392 | + connection |
393 | + - debian/patches/CVE-2019-6477.patch: limit number of clients in |
394 | + bin/named/client.c, bin/named/include/named/client.h. |
395 | + - CVE-2019-6477 |
396 | + |
397 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Nov 2019 07:50:24 -0500 |
398 | + |
399 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium |
400 | + |
401 | + * use iproute2 instead of net-tools (LP: #1850699): |
402 | + - d/control: replace net-tools depends with iproute2 |
403 | + - d/bind9.init: use ip instead of ifconfig |
404 | + * d/bind9.install, d/control, d/rules: re-enable lmdb, which is now |
405 | + in main. |
406 | + |
407 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 08 Nov 2019 10:15:01 -0300 |
408 | + |
409 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium |
410 | + |
411 | + * Rebuild against new libjson-c4. |
412 | + |
413 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sat, 29 Jun 2019 13:45:33 +0200 |
414 | + |
415 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium |
416 | + |
417 | + * Merge with Debian unstable. Remaining changes: |
418 | + - Build without lmdb support as that package is in Universe |
419 | + - Don't build dnstap as it depends on universe packages: |
420 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
421 | + protobuf-c-compiler (universe packages) |
422 | + + d/dnsutils.install: don't install dnstap |
423 | + + d/libdns1104.symbols: don't include dnstap symbols |
424 | + + d/rules: don't build dnstap nor install dnstap.proto |
425 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
426 | + option (LP #1804648) |
427 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
428 | + close to a query timeout (LP #1797926) |
429 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
430 | + network egress access that is not available in the Ubuntu autopkgtest |
431 | + farm. |
432 | + * Dropped: |
433 | + - SECURITY UPDATE: DoS via malformed packets |
434 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
435 | + + CVE-2019-6471 |
436 | + [Fixed in 1:9.11.5.P4+dfsg-5.1] |
437 | + |
438 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 27 Jun 2019 14:54:25 +0000 |
439 | + |
440 | +bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium |
441 | + |
442 | + * Merge with Debian unstable. Remaining changes: |
443 | + - Build without lmdb support as that package is in Universe |
444 | + - Don't build dnstap as it depends on universe packages: |
445 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
446 | + protobuf-c-compiler (universe packages) |
447 | + + d/dnsutils.install: don't install dnstap |
448 | + + d/libdns1104.symbols: don't include dnstap symbols |
449 | + + d/rules: don't build dnstap nor install dnstap.proto |
450 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
451 | + option (LP #1804648) |
452 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
453 | + close to a query timeout (LP #1797926) |
454 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
455 | + network egress access that is not available in the Ubuntu autopkgtest |
456 | + farm. |
457 | + - SECURITY UPDATE: DoS via malformed packets |
458 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
459 | + + CVE-2019-6471 |
460 | + |
461 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000 |
462 | + |
463 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium |
464 | + |
465 | + * SECURITY UPDATE: DoS via malformed packets |
466 | + - debian/patches/CVE-2019-6471.patch: fix race condition in |
467 | + lib/dns/dispatch.c. |
468 | + - CVE-2019-6471 |
469 | + |
470 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400 |
471 | + |
472 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium |
473 | + |
474 | + * Merge with Debian unstable. Remaining changes: |
475 | + - Build without lmdb support as that package is in Universe |
476 | + - Don't build dnstap as it depends on universe packages: |
477 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
478 | + protobuf-c-compiler (universe packages) |
479 | + + d/dnsutils.install: don't install dnstap |
480 | + + d/libdns1104.symbols: don't include dnstap symbols |
481 | + + d/rules: don't build dnstap nor install dnstap.proto |
482 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
483 | + option (LP #1804648) |
484 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
485 | + close to a query timeout (LP #1797926) |
486 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
487 | + network egress access that is not available in the Ubuntu autopkgtest |
488 | + farm. |
489 | + * Dropped: |
490 | + - SECURITY UPDATE: memory leak via specially crafted packet |
491 | + + debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
492 | + options in bin/named/client.c. |
493 | + + CVE-2018-5744 |
494 | + [Fixed upstream in 9.11.5-P2] |
495 | + - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
496 | + unsupported key algorithm when using managed-keys |
497 | + + debian/patches/CVE-2018-5745.patch: properly handle situations when |
498 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
499 | + lib/dns/zone.c. |
500 | + + CVE-2018-5745 |
501 | + [Fixed upstream in 9.11.5-P2] |
502 | + - SECURITY UPDATE: Controls for zone transfers may not be properly |
503 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
504 | + + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
505 | + the zone table as a DLZ zone bin/named/xfrout.c. |
506 | + + CVE-2019-6465 |
507 | + [Fixed upstream in 9.11.5-P3] |
508 | + - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
509 | + + debian/patches/CVE-2018-5743.patch: add reference counting in |
510 | + bin/named/client.c, bin/named/include/named/client.h, |
511 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
512 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
513 | + lib/isc/win32/libisc.def.in. |
514 | + + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
515 | + operations with isc_refcount reference counting in |
516 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
517 | + bin/named/interfacemgr.c. |
518 | + + debian/libisc1100.symbols: added new symbols. |
519 | + + CVE-2018-5743 |
520 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
521 | + - d/rules: add back EdDSA support (LP #1825712) |
522 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
523 | + |
524 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300 |
525 | + |
526 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium |
527 | + |
528 | + * d/rules: add back EdDSA support (LP: #1825712) |
529 | + |
530 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000 |
531 | + |
532 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium |
533 | + |
534 | + * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
535 | + - debian/patches/CVE-2018-5743.patch: add reference counting in |
536 | + bin/named/client.c, bin/named/include/named/client.h, |
537 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
538 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
539 | + lib/isc/win32/libisc.def.in. |
540 | + - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
541 | + operations with isc_refcount reference counting in |
542 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
543 | + bin/named/interfacemgr.c. |
544 | + - debian/libisc1100.symbols: added new symbols. |
545 | + - CVE-2018-5743 |
546 | + |
547 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400 |
548 | + |
549 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium |
550 | + |
551 | + * SECURITY UPDATE: memory leak via specially crafted packet |
552 | + - debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
553 | + options in bin/named/client.c. |
554 | + - CVE-2018-5744 |
555 | + * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
556 | + unsupported key algorithm when using managed-keys |
557 | + - debian/patches/CVE-2018-5745.patch: properly handle situations when |
558 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
559 | + lib/dns/zone.c. |
560 | + - CVE-2018-5745 |
561 | + * SECURITY UPDATE: Controls for zone transfers may not be properly |
562 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
563 | + - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
564 | + the zone table as a DLZ zone bin/named/xfrout.c. |
565 | + - CVE-2019-6465 |
566 | + |
567 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100 |
568 | + |
569 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium |
570 | + |
571 | + * Merge with Debian unstable. Remaining changes: |
572 | + - Build without lmdb support as that package is in Universe |
573 | + - Don't build dnstap as it depends on universe packages: |
574 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
575 | + protobuf-c-compiler (universe packages) |
576 | + + d/dnsutils.install: don't install dnstap |
577 | + + d/libdns1104.symbols: don't include dnstap symbols |
578 | + + d/rules: don't build dnstap nor install dnstap.proto |
579 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
580 | + option (LP #1804648) |
581 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
582 | + close to a query timeout (LP #1797926) |
583 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
584 | + network egress access that is not available in the Ubuntu autopkgtest |
585 | + farm. |
586 | + |
587 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 |
588 | + |
589 | +bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium |
590 | + |
591 | + * Merge with Debian unstable. Remaining changes: |
592 | + - Build without lmdb support as that package is in Universe |
593 | + - Don't build dnstap as it depends on universe packages: |
594 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
595 | + protobuf-c-compiler (universe packages) |
596 | + + d/dnsutils.install: don't install dnstap |
597 | + + d/libdns1104.symbols: don't include dnstap symbols |
598 | + + d/rules: don't build dnstap nor install dnstap.proto |
599 | + * Dropped: |
600 | + - SECURITY UPDATE: denial of service crash when deny-answer-aliases |
601 | + option is used |
602 | + + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
603 | + trigger a crash if deny-answer-aliases was set |
604 | + + debian/patches/CVE-2018-5740-2.patch: add tests |
605 | + + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
606 | + chainingp correctly, add test |
607 | + + CVE-2018-5740 |
608 | + [Fixed in new upstream version 9.11.5] |
609 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
610 | + line (Closes: #904983) |
611 | + [Fixed in 1:9.11.4+dfsg-4] |
612 | + - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) |
613 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
614 | + - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
615 | + (it depends on OpenSSL version) (Closes: #897643) |
616 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
617 | + * Added: |
618 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
619 | + option (LP: #1804648) |
620 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
621 | + close to a query timeout (LP: #1797926) |
622 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
623 | + network egress access that is not available in the Ubuntu autopkgtest |
624 | + farm. |
625 | + |
626 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 |
627 | + |
628 | +bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high |
629 | + |
630 | + * No change rebuild against openssl 1.1.1 with TLS 1.3 support. |
631 | + |
632 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 |
633 | + |
634 | +bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium |
635 | + |
636 | + * SECURITY UPDATE: denial of service crash when deny-answer-aliases |
637 | + option is used |
638 | + - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
639 | + trigger a crash if deny-answer-aliases was set |
640 | + - debian/patches/CVE-2018-5740-2.patch: add tests |
641 | + - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
642 | + chainingp correctly, add test |
643 | + - CVE-2018-5740 |
644 | + |
645 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 |
646 | + |
647 | +bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium |
648 | + |
649 | + * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
650 | + (it depends on OpenSSL version) (Closes: #897643) |
651 | + |
652 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 |
653 | + |
654 | +bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium |
655 | + |
656 | + * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 |
657 | + crashing on startup. (LP: #1769440) |
658 | + |
659 | + -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 |
660 | + |
661 | +bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium |
662 | + |
663 | + * Merge with Debian unstable. Remaining changes: |
664 | + - Build without lmdb support as that package is in Universe |
665 | + * Added: |
666 | + - Don't build dnstap as it depends on universe packages: |
667 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
668 | + protobuf-c-compiler (universe packages) |
669 | + + d/dnsutils.install: don't install dnstap |
670 | + + d/libdns1102.symbols: don't include dnstap symbols |
671 | + + d/rules: don't build dnstap |
672 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
673 | + line (Closes: #904983) |
674 | + |
675 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 |
676 | + |
677 | +bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium |
678 | + |
679 | + * Merge with Debian unstable (LP: #1777935). Remaining changes: |
680 | + - Build without lmdb support as that package is in Universe |
681 | + * Drop: |
682 | + - SECURITY UPDATE: improperly permits recursive query service |
683 | + + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
684 | + in bin/named/server.c. |
685 | + + CVE-2018-5738 |
686 | + [Applied in Debian's 1:9.11.3+dfsg-2] |
687 | + |
688 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 |
689 | + |
690 | +bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium |
691 | + |
692 | + * SECURITY UPDATE: improperly permits recursive query service |
693 | + - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
694 | + in bin/named/server.c. |
695 | + - CVE-2018-5738 |
696 | + |
697 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 |
698 | + |
699 | +bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low |
700 | + |
701 | + * New upstream release. (LP: #1763572) |
702 | + - fix a crash when configured with ipa-dns-install |
703 | + * Merge from Debian unstable. Remaining changes: |
704 | + - Build without lmdb support as that package is in Universe |
705 | + |
706 | + -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 |
707 | + |
708 | +bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium |
709 | + |
710 | + * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating |
711 | + DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews |
712 | + <marka@isc.org>. (LP: #1755439) |
713 | + |
714 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 |
715 | + |
716 | +bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium |
717 | + |
718 | + * Fix apparmor profile filename (LP: #1754981) |
719 | + |
720 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 |
721 | + |
722 | +bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high |
723 | + |
724 | + * No change rebuild against openssl1.1. |
725 | + |
726 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 |
727 | + |
728 | +bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium |
729 | + |
730 | + * Build without lmdb support as that package is in Universe (LP: #1746296) |
731 | + - d/control: remove Build-Depends on liblmdb-dev |
732 | + - d/rules: configure --without-lmdb |
733 | + - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires |
734 | + lmdb. |
735 | + |
736 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 |
737 | + |
738 | +bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium |
739 | + |
740 | + * Merge with Debian unstable (LP: #1744930). |
741 | + * Drop: |
742 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
743 | + (LP #1536181). |
744 | + [fixed in 1:9.10.6+dfsg-4] |
745 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
746 | + [adopted in 1:9.10.6+dfsg-5] |
747 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
748 | + introduced with the CVE-2016-8864.patch and fixed in |
749 | + CVE-2016-8864-regression.patch. |
750 | + [applied upstream] |
751 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
752 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
753 | + and fixed in CVE-2016-8864-regression2.patch. |
754 | + [applied upstream] |
755 | + - d/control, d/rules: add json support for the statistics channels. |
756 | + (LP #1669193) |
757 | + [adopted in 1:9.10.6+dfsg-5] |
758 | + * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing |
759 | + listing the python ply module as a dependency (Closes: #888463) |
760 | + |
761 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 |
762 | + |
763 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
764 | |
765 | * New upstream version 9.11.2-P1 |
766 | @@ -520,6 +1180,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium |
767 | |
768 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
769 | |
770 | +bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium |
771 | + |
772 | + * Merge with Debian unstable (LP: #1712920). Remaining changes: |
773 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
774 | + (LP #1536181). |
775 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
776 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
777 | + introduced with the CVE-2016-8864.patch and fixed in |
778 | + CVE-2016-8864-regression.patch. |
779 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
780 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
781 | + and fixed in CVE-2016-8864-regression2.patch. |
782 | + - d/control, d/rules: add json support for the statistics channels. |
783 | + (LP #1669193) |
784 | + |
785 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 |
786 | + |
787 | +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium |
788 | + |
789 | + * Non-maintainer upload. |
790 | + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) |
791 | + |
792 | + -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 |
793 | + |
794 | +bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium |
795 | + |
796 | + * Merge with Debian unstable (LP: #1701687). Remaining changes: |
797 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
798 | + (LP #1536181). |
799 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
800 | + * Drop: |
801 | + - SECURITY UPDATE: denial of service via assertion failure |
802 | + + debian/patches/CVE-2016-2776.patch: properly handle lengths in |
803 | + lib/dns/message.c. |
804 | + + CVE-2016-2776 |
805 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
806 | + - SECURITY UPDATE: assertion failure via class mismatch |
807 | + + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
808 | + records in lib/dns/resolver.c. |
809 | + + CVE-2016-9131 |
810 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
811 | + - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
812 | + + debian/patches/CVE-2016-9147.patch: fix logic when records are |
813 | + returned without the requested data in lib/dns/resolver.c. |
814 | + + CVE-2016-9147 |
815 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
816 | + - SECURITY UPDATE: assertion failure via unusually-formed DS record |
817 | + + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
818 | + lib/dns/message.c, lib/dns/resolver.c. |
819 | + + CVE-2016-9444 |
820 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
821 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
822 | + + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
823 | + responses in lib/dns/resolver.c, added tests to |
824 | + bin/tests/system/dname/ns2/example.db, |
825 | + bin/tests/system/dname/tests.sh. |
826 | + + No CVE number |
827 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] |
828 | + - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
829 | + a NULL pointer |
830 | + + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
831 | + combination in bin/named/query.c, lib/dns/message.c, |
832 | + lib/dns/rdataset.c. |
833 | + + CVE-2017-3135 |
834 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
835 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
836 | + + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
837 | + was still being cached when it should have been in lib/dns/resolver.c, |
838 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
839 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
840 | + + No CVE number |
841 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
842 | + - SECURITY UPDATE: Denial of Service due to an error handling |
843 | + synthesized records when using DNS64 with "break-dnssec yes;" |
844 | + + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
845 | + called. |
846 | + + CVE-2017-3136 |
847 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
848 | + - SECURITY UPDATE: Denial of Service due to resolver terminating when |
849 | + processing a response packet containing a CNAME or DNAME |
850 | + + debian/patches/CVE-2017-3137.patch: don't expect a specific |
851 | + ordering of answer components; add testcases. |
852 | + + CVE-2017-3137 |
853 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] |
854 | + - SECURITY UPDATE: Denial of Service when receiving a null command on |
855 | + the control channel |
856 | + + debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
857 | + command token is given; add testcase. |
858 | + + CVE-2017-3138 |
859 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
860 | + - SECURITY UPDATE: TSIG authentication issues |
861 | + + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
862 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
863 | + + CVE-2017-3142 |
864 | + + CVE-2017-3143 |
865 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] |
866 | + * d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
867 | + introduced with the CVE-2016-8864.patch and fixed in |
868 | + CVE-2016-8864-regression.patch. |
869 | + * d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
870 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
871 | + and fixed in CVE-2016-8864-regression2.patch. |
872 | + * d/control, d/rules: add json support for the statistics channels. |
873 | + (LP: #1669193) |
874 | + |
875 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 |
876 | + |
877 | +bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium |
878 | + |
879 | + * Non-maintainer upload. |
880 | + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG |
881 | + signed TCP message sequences where not all the messages contain TSIG |
882 | + records. These may be used in AXFR and IXFR responses. |
883 | + (Closes: #868952) |
884 | + |
885 | + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 |
886 | + |
887 | +bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high |
888 | + |
889 | + * Non-maintainer upload. |
890 | + |
891 | + [ Yves-Alexis Perez ] |
892 | + * debian/patches: |
893 | + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses |
894 | + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone |
895 | + transfers. An attacker may be able to circumvent TSIG authentication of |
896 | + AXFR and Notify requests. |
897 | + CVE-2017-3143: error in TSIG authentication can permit unauthorized |
898 | + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) |
899 | + signature for a dynamic update. |
900 | + (Closes: #866564) |
901 | + |
902 | + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 |
903 | + |
904 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
905 | |
906 | [ Bernhard Schmidt ] |
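Review bot: in the 1:9.10.3.dfsg.P4-12.5ubuntu1 entry, the TSIG item names the patch debian/patches/CVE-2017-3042,3043.patch, but the CVE ids listed under it are CVE-2017-3142 and CVE-2017-3143. The Debian 1:9.10.3.dfsg.P4-12.4 entry in this same hunk uses the 3142/3143 ids for its patch name, so the 3042,3043 spelling looks like a typo carried over from the original upload. As re-added history it should stay as published, but it is worth checking that the text matches the published changelog and noting that a search by CVE id will not find that patch file name.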
907 | @@ -626,6 +1420,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium |
908 | |
909 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
910 | |
911 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium |
912 | + |
913 | + * SECURITY UPDATE: TSIG authentication issues |
914 | + - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
915 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
916 | + - CVE-2017-3142 |
917 | + - CVE-2017-3143 |
918 | + |
919 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 |
920 | + |
921 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium |
922 | + |
923 | + * rules: Fix path to libsofthsm2.so. (LP: #1685780) |
924 | + |
925 | + -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 |
926 | + |
927 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium |
928 | + |
929 | + * SECURITY UPDATE: Denial of Service due to an error handling |
930 | + synthesized records when using DNS64 with "break-dnssec yes;" |
931 | + - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
932 | + called. |
933 | + - CVE-2017-3136 |
934 | + * SECURITY UPDATE: Denial of Service due to resolver terminating when |
935 | + processing a response packet containing a CNAME or DNAME |
936 | + - debian/patches/CVE-2017-3137.patch: don't expect a specific |
937 | + ordering of answer components; add testcases. |
938 | + - CVE-2017-3137 |
939 | + * SECURITY UPDATE: Denial of Service when receiving a null command on |
940 | + the control channel |
941 | + - debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
942 | + command token is given; add testcase. |
943 | + - CVE-2017-3138 |
944 | + |
945 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 |
946 | + |
947 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium |
948 | + |
949 | + * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
950 | + a NULL pointer |
951 | + - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
952 | + combination in bin/named/query.c, lib/dns/message.c, |
953 | + lib/dns/rdataset.c. |
954 | + - CVE-2017-3135 |
955 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
956 | + - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
957 | + was still being cached when it should have been in lib/dns/resolver.c, |
958 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
959 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
960 | + - No CVE number |
961 | + |
962 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 |
963 | + |
964 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium |
965 | + |
966 | + * SECURITY UPDATE: assertion failure via class mismatch |
967 | + - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
968 | + records in lib/dns/resolver.c. |
969 | + - CVE-2016-9131 |
970 | + * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
971 | + - debian/patches/CVE-2016-9147.patch: fix logic when records are |
972 | + returned without the requested data in lib/dns/resolver.c. |
973 | + - CVE-2016-9147 |
974 | + * SECURITY UPDATE: assertion failure via unusually-formed DS record |
975 | + - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
976 | + lib/dns/message.c, lib/dns/resolver.c. |
977 | + - CVE-2016-9444 |
978 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
979 | + - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
980 | + responses in lib/dns/resolver.c, added tests to |
981 | + bin/tests/system/dname/ns2/example.db, |
982 | + bin/tests/system/dname/tests.sh. |
983 | + - No CVE number |
984 | + |
985 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 |
986 | + |
987 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium |
988 | + |
989 | + * Add RemainAfterExit to bind9-resolvconf unit configuration file |
990 | + (LP: #1536181). |
991 | + |
992 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 |
993 | + |
994 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium |
995 | + |
996 | + * SECURITY UPDATE: denial of service via assertion failure |
997 | + - debian/patches/CVE-2016-2776.patch: properly handle lengths in |
998 | + lib/dns/message.c. |
999 | + - CVE-2016-2776 |
1000 | + |
1001 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 |
1002 | + |
1003 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
1004 | |
1005 | * Non-maintainer upload. |
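Review bot: the rt44318.patch item in the 1:9.10.3.dfsg.P4-10.1ubuntu4 entry says the synthesised CNAME "was still being cached when it should have been", which reads as if a "not" is missing and, as written, does not describe a defect. The same sentence appears in the "Drop:" list of 1:9.10.3.dfsg.P4-12.5ubuntu1, so compare both against the published changelog to confirm nothing was lost while re-adding the history. If the published text reads the same way, leave it verbatim.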
1006 | diff --git a/debian/control b/debian/control |
1007 | index f477076..a0c12c5 100644 |
1008 | --- a/debian/control |
1009 | +++ b/debian/control |
1010 | @@ -1,12 +1,14 @@ |
1011 | Source: bind9 |
1012 | Section: net |
1013 | Priority: optional |
1014 | -Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
1015 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1016 | +XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
1017 | Uploaders: Ondřej Surý <ondrej@debian.org>, |
1018 | Bernhard Schmidt <berni@debian.org> |
1019 | Build-Depends: bison, |
1020 | debhelper-compat (= 12), |
1021 | dh-apparmor, |
1022 | + dh-apport, |
1023 | dh-exec, |
1024 | dh-python, |
1025 | docbook-xml, |
1026 | @@ -15,20 +17,17 @@ Build-Depends: bison, |
1027 | libcmocka-dev, |
1028 | libdb-dev, |
1029 | libedit-dev, |
1030 | - libfstrm-dev, |
1031 | libidn2-dev, |
1032 | libjson-c-dev, |
1033 | libkrb5-dev, |
1034 | libldap2-dev, |
1035 | liblmdb-dev, |
1036 | libmaxminddb-dev (>= 1.3.0), |
1037 | - libprotobuf-c-dev, |
1038 | libssl-dev, |
1039 | libtool, |
1040 | libuv1-dev, |
1041 | libxml2-dev, |
1042 | pkg-config, |
1043 | - protobuf-c-compiler, |
1044 | python3, |
1045 | python3-ply, |
1046 | zlib1g-dev |
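Review bot: liblmdb-dev stays in Build-Depends in this hunk while libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler are removed, so only the dnstap part of the old delta is kept. The re-added changelog history carries "Build without lmdb support as that package is in Universe" through 1:9.11.5.P1+dfsg-1ubuntu1, and debian/rules still passes --with-lmdb=/usr. Please confirm that the lmdb delta was dropped deliberately and that the changelog entry for this upload lists it as dropped.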
1047 | diff --git a/debian/rules b/debian/rules |
1048 | index 999d14c..33a19cf 100755 |
1049 | --- a/debian/rules |
1050 | +++ b/debian/rules |
1051 | @@ -29,7 +29,7 @@ SED_VERSION_EXTENSIONS := \ |
1052 | sed -e 's,^EXTENSIONS=,EXTENSIONS="$$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$$(dpkg-vendor --query Vendor)",' |
1053 | |
1054 | %: |
1055 | - dh $@ --with python3 |
1056 | + dh $@ --with python3,apport |
1057 | |
1058 | prepare_version_extensions: |
1059 | if [ ! -f version.bak ]; then \ |
1060 | @@ -60,7 +60,7 @@ override_dh_auto_configure: |
1061 | --with-openssl=/usr \ |
1062 | --with-gssapi=/usr \ |
1063 | --with-libidn2 \ |
1064 | - --with-libjson-c \ |
1065 | + --with-json-c \ |
1066 | --with-lmdb=/usr \ |
1067 | --with-gnu-ld \ |
1068 | --with-maxminddb \ |
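Review bot: the switch from --with-libjson-c to --with-json-c deserves a build-log check, because autoconf only warns about --with options it does not recognise and carries on. If the old spelling was not recognised, the build would have completed without JSON support for the statistics channel and nothing would have failed. Suggest confirming in the configure output that json-c is detected after this change, and forwarding the fix to Debian since the line being replaced comes from the Debian packaging.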
1069 | @@ -69,7 +69,6 @@ override_dh_auto_configure: |
1070 | --enable-rrl \ |
1071 | --enable-filter-aaaa \ |
1072 | --disable-native-pkcs11 \ |
1073 | - --enable-dnstap \ |
1074 | $(EXTRA_FEATURES) |
1075 | |
1076 | override_dh_auto_build: |
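Review bot: the --enable-dnstap removal has no comment in debian/rules saying why, and it only works together with the libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler removals in debian/control. A one-line comment next to the configure flags, pointing at the universe build dependencies named in the changelog, would make the pairing obvious at the next merge and make it harder to restore one half without the other.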
1077 | diff --git a/debian/tests/control b/debian/tests/control |
1078 | index 3e952eb..35b7572 100644 |
1079 | --- a/debian/tests/control |
1080 | +++ b/debian/tests/control |
1081 | @@ -1,4 +1,4 @@ |
1082 | Tests: simpletest |
1083 | Restrictions: needs-root, isolation-container |
1084 | Depends: bind9, |
1085 | - dnsutils |
1086 | + bind9-dnsutils |
1087 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest |
1088 | index 468a7c5..34b0b25 100644 |
1089 | --- a/debian/tests/simpletest |
1090 | +++ b/debian/tests/simpletest |
1091 | @@ -10,10 +10,6 @@ setup() { |
1092 | run() { |
1093 | # Make a query against a local zone |
1094 | dig -x 127.0.0.1 @127.0.0.1 |
1095 | - |
1096 | - # Make a query against an external nameserver and check for DNSSEC validation |
1097 | - echo "Checking for DNSSEC validation status of internetsociety.org" |
1098 | - dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' |
1099 | } |
1100 | |
1101 | teardown() { |
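Review bot: with the internetsociety.org check removed, run() has no DNSSEC validation coverage left, and the one remaining dig -x 127.0.0.1 @127.0.0.1 call has no check on its output in the lines shown. The egrep on 'flags:.+ad; QUERY' was the only assertion about the content of a response. Since the reason for dropping it is missing network egress in the autopkgtest farm, consider replacing it with a check that needs no egress, for example matching the status and answer section of the local reverse lookup, so that the test fails when named answers incorrectly rather than only when it does not answer.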
Changelog:
- [✓] old content and logical tag match as expected
- [✓] changelog entry correct version and targeted codename
- [✓] changelog entries correct
- [✓] update-maintainer has been run
Actual changes:
- [✓] no major upstream changes to consider
- [✓] no further upstream version to consider
- [✓] debian changes look safe (none other than update to 9.16.3)
Old Delta:
- [✓] dropped changes are ok to be dropped
- [✓] nothing else to drop
Isn't Debian interested to take "--with-json-c" as well?
New Delta:
- [✓] no new patches added
Build/Test:
- [✓] build is ok
- [✓] verified PPA package installs/uninstalls
- [✓] autopkgtest against the PPA package passes
(all but i386 which doesn't matter anymore)