Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind9166-merge into ubuntu/+source/bind9:debian/sid
- Git
- lp:~ahasenack/ubuntu/+source/bind9
- groovy-bind9166-merge
- Merge into debian/sid
Status: | Merged |
---|---|
Approved by: | Andreas Hasenack |
Approved revision: | a88677cb2ea1f4a29b2f19f365733adfc1050060 |
Merge reported by: | Sergio Durigan Junior |
Merged at revision: | ba594cd23e9f3245fc649c794562e1a9b0446be6 |
Proposed branch: | ~ahasenack/ubuntu/+source/bind9:groovy-bind9166-merge |
Merge into: | ubuntu/+source/bind9:debian/sid |
Diff against target: |
1201 lines (+1027/-14) 8 files modified
debian/NEWS (+24/-0) debian/bind9-dnsutils.install (+0/-2) debian/bind9.apport (+24/-0) debian/changelog (+973/-0) debian/control (+3/-4) debian/rules (+2/-3) debian/tests/control (+1/-1) debian/tests/simpletest (+0/-4) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Sergio Durigan Junior (community) | Approve | ||
Canonical Server Core Reviewers | Pending | ||
Review via email: mp+389741@code.launchpad.net |
Commit message
Description of the change
Merge from debian, new upstream version. It's a security update.
Was able to drop one bit of delta fixed upstream. From the previous merge[1], the other bits of delta forwarded to debian weren't acted upon yet by debian:
https:/
and
https:/
PPA with proposed and all arches except riscv64: https:/
DEP8 tests are trivial and I ran them locally on amd64:
autopkgtest [15:41:18]: test simpletest: -------
autopkgtest [15:41:18]: test simpletest: - - - - - - - - - - results - - - - - - - - - -
simpletest PASS
autopkgtest [15:41:18]: @@@@@@@
simpletest PASS
The migration test is more complete as it triggers the tests in other packages too, but I didn't create a bileto ticket for this because it's FF week and that would take a very long time, and we need to get this in anyway, so any issues that arise during migration will have to be dealt with anyway.
1. https:/
Sergio Durigan Junior (sergiodj) wrote : | # |
Sergio Durigan Junior (sergiodj) wrote : | # |
* Changelog:
- [√] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [√] changelog entries correct
- [√] update-maintainer has been run
* Actual changes:
- [√] no upstream changes to consider
- [√] no further upstream version to consider
- [√] debian changes look safe
* Old Delta:
- [-] dropped changes are ok to be dropped
- [√] nothing else to drop
- [√] changes forwarded upstream/debian (if appropriate)
* New Delta:
- [√] no new patches added
- [-] patches match what was proposed upstream
- [-] patches correctly included in debian/
- [-] patches have correct DEP3 metadata
* Build/Test:
- [√] build is ok
- [√] verified PPA package installs/uninstalls
- [√] autopkgtest against the PPA package passes
- [√] sanity checks test fine
I'm approving this MP. My only suggestion would be to mention (in the MP's description) which bit of delta you were able to drop; otherwise, everything looks great.
Andreas Hasenack (ahasenack) wrote : | # |
Right, sorry, I dropped this bit:
commit fa69ece2a677587
Author: Andreas Hasenack <email address hidden>
Date: Mon Jul 6 18:05:03 2020 +0000
- d/not-installed: list dnstap-read.1 manpage, which is being
installed by the makefile even when dnstap is disabled.
diff --git a/debian/
new file mode 100644
index 00000000000.
--- /dev/null
+++ b/debian/
@@ -0,0 +1,2 @@
+# see https:/
+usr/share/
Andreas Hasenack (ahasenack) wrote : | # |
Gotta love git range-diff :)
Andreas Hasenack (ahasenack) wrote : | # |
Hm, I see I didn't push that drop, I'm sorry. Pushing now, please take another quick look.
Andreas Hasenack (ahasenack) wrote : | # |
The ppa had it, see its d/changelog: https:/
Andreas Hasenack (ahasenack) wrote : | # |
range-diff command suggestion:
git range-diff old/debian.
Andreas Hasenack (ahasenack) wrote : | # |
> The ppa had it, see its d/changelog:
> https:/
Ugh, I meant, the ppa had the *drop*
Sergio Durigan Junior (sergiodj) wrote : | # |
Ah, thanks! So my hunch was correct, but I should have told you to include the drop in the changelog ;-). Anyway, I looked at it again (thanks for updating it!), and it looks fine for me now.
Andreas Hasenack (ahasenack) wrote : | # |
Thanks, feel free to hit me in the head next sprint :)
Andreas Hasenack (ahasenack) wrote : | # |
Tagging and uploading ba594cd23e9f324
$ git push pkg upload/
Enumerating objects: 53, done.
Counting objects: 100% (53/53), done.
Delta compression using up to 4 threads
Compressing objects: 100% (41/41), done.
Writing objects: 100% (44/44), 13.09 KiB | 273.00 KiB/s, done.
Total 44 (delta 29), reused 6 (delta 3)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../bind9_
Checking signature on .changes
gpg: ../bind9_
Checking signature on .dsc
gpg: ../bind9_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Successfully uploaded packages.
Preview Diff
1 | diff --git a/debian/NEWS b/debian/NEWS |
2 | new file mode 100644 |
3 | index 0000000..c9348a4 |
4 | --- /dev/null |
5 | +++ b/debian/NEWS |
6 | @@ -0,0 +1,24 @@ |
7 | +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium |
8 | + |
9 | + Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new |
10 | + source package bind9-libs version 9.11 was created for that purpose, |
11 | + providing only libraries and header files. The bind9 9.16.x packages do not |
12 | + provide development libraries or headers. See commit |
13 | + https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more |
14 | + details. udebs used in the debian-installer are also being provided by |
15 | + bind9-libs. |
16 | + |
17 | + Another package which doesn't build with the newer bind9 package is |
18 | + bind-dyndb-ldap. It will build using the libraries from bind9-libs, but |
19 | + since this is a server plugin, it won't work with the newer server. |
20 | + |
21 | + Native pkcs#11 support via softhsm2 is no longer being built for this |
22 | + package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see |
23 | + https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer |
24 | + ships FreeIPA, and Debian also dropped the native pkcs#11 support. |
25 | + |
26 | + There are no development libraries or header files in this bind9 9.16.x |
27 | + packaging at the moment. This may change later, see |
28 | + https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229 |
29 | + |
30 | + -- Andreas Hasenack <andreas@canonical.com> Sat, 22 Feb 2020 17:40:38 -0300 |
31 | diff --git a/debian/bind9-dnsutils.install b/debian/bind9-dnsutils.install |
32 | index 90e4fba..5e6b7d9 100644 |
33 | --- a/debian/bind9-dnsutils.install |
34 | +++ b/debian/bind9-dnsutils.install |
35 | @@ -1,12 +1,10 @@ |
36 | usr/bin/delv |
37 | usr/bin/dig |
38 | -usr/bin/dnstap-read |
39 | usr/bin/mdig |
40 | usr/bin/nslookup |
41 | usr/bin/nsupdate |
42 | usr/share/man/man1/delv.1 |
43 | usr/share/man/man1/dig.1 |
44 | -usr/share/man/man1/dnstap-read.1 |
45 | usr/share/man/man1/mdig.1 |
46 | usr/share/man/man1/nslookup.1 |
47 | usr/share/man/man1/nsupdate.1 |
48 | diff --git a/debian/bind9.apport b/debian/bind9.apport |
49 | new file mode 100644 |
50 | index 0000000..b3baa8b |
51 | --- /dev/null |
52 | +++ b/debian/bind9.apport |
53 | @@ -0,0 +1,24 @@ |
54 | +'''apport hook for bind9 |
55 | + |
56 | +(c) 2010 Andres Rodriguez. |
57 | +Author: Andres Rodriguez <andreserl@ubuntu.com> |
58 | + |
59 | +This program is free software; you can redistribute it and/or modify it |
60 | +under the terms of the GNU General Public License as published by the |
61 | +Free Software Foundation; either version 2 of the License, or (at your |
62 | +option) any later version. See http://www.gnu.org/copyleft/gpl.html for |
63 | +the full text of the license. |
64 | +''' |
65 | + |
66 | +from apport.hookutils import * |
67 | +import re |
68 | + |
69 | +def add_info(report, ui): |
70 | + |
71 | + # getting syslog stuff |
72 | + report['SyslogBind9'] = recent_syslog(re.compile(r'named\[')) |
73 | + |
74 | + # Attaching related packages info |
75 | + attach_related_packages(report, ['bind9utils', 'apparmor']) |
76 | + |
77 | + attach_mac_events(report, '/usr/sbin/named') |
78 | diff --git a/debian/changelog b/debian/changelog |
79 | index 72404e2..6b51469 100644 |
80 | --- a/debian/changelog |
81 | +++ b/debian/changelog |
82 | @@ -1,3 +1,32 @@ |
83 | +bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium |
84 | + |
85 | + * Merge with Debian unstable. Remaining changes: |
86 | + - Don't build dnstap as it depends on universe packages: |
87 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
88 | + protobuf-c-compiler (universe packages) |
89 | + + d/dnsutils.install: don't install dnstap |
90 | + + d/libdns1104.symbols: don't include dnstap symbols |
91 | + + d/rules: don't build dnstap nor install dnstap.proto |
92 | + - Add back apport: |
93 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
94 | + attach_conffiles() since that is already done by apport itself, with |
95 | + confirmation from the user. |
96 | + + d/control, d/rules: buil-depends on dh-apport and use it |
97 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
98 | + network egress access that is not available in the Ubuntu autopkgtest |
99 | + farm. |
100 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
101 | + - d/t/control: change the dep8 test dependency to be on the real |
102 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
103 | + - d/rules: change deprecated --with-libjson-c configure argument to |
104 | + --with-json-c |
105 | + * Dropped: |
106 | + - d/not-installed: list dnstap-read.1 manpage, which is being |
107 | + installed by the makefile even when dnstap is disabled. |
108 | + [Fixed upstream] |
109 | + |
110 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 24 Aug 2020 10:57:08 -0300 |
111 | + |
112 | bind9 (1:9.16.6-2) unstable; urgency=medium |
113 | |
114 | * Move Build-Depends for documentation to Build-Depends-Indep, this |
115 | @@ -20,6 +49,51 @@ bind9 (1:9.16.5-1) unstable; urgency=medium |
116 | |
117 | -- Ondřej Surý <ondrej@debian.org> Thu, 16 Jul 2020 00:29:57 +0200 |
118 | |
119 | +bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium |
120 | + |
121 | + * No change rebuild against new json-c ABI. |
122 | + |
123 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 28 Jul 2020 17:42:17 +0100 |
124 | + |
125 | +bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium |
126 | + |
127 | + * Merge with Debian unstable. Remaining changes: |
128 | + - Don't build dnstap as it depends on universe packages: |
129 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
130 | + protobuf-c-compiler (universe packages) |
131 | + + d/dnsutils.install: don't install dnstap |
132 | + + d/libdns1104.symbols: don't include dnstap symbols |
133 | + + d/rules: don't build dnstap nor install dnstap.proto |
134 | + - Add back apport: |
135 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
136 | + attach_conffiles() since that is already done by apport itself, with |
137 | + confirmation from the user. |
138 | + + d/control, d/rules: buil-depends on dh-apport and use it |
139 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
140 | + network egress access that is not available in the Ubuntu autopkgtest |
141 | + farm. |
142 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
143 | + - d/t/control: change the dep8 test dependency to be on the real |
144 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
145 | + - d/rules: change deprecated --with-libjson-c configure argument to |
146 | + --with-json-c |
147 | + * Dropped: |
148 | + - SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer |
149 | + + debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c, |
150 | + lib/ns/include/ns/client.h, lib/ns/xfrout.c. |
151 | + + CVE-2020-8618 |
152 | + [Fixed upstream] |
153 | + - SECURITY UPDATE: INSIST failure when a zone with an interior wildcard |
154 | + label was queried in a certain pattern |
155 | + + debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c. |
156 | + + CVE-2020-8619 |
157 | + [Fixed upstream] |
158 | + * Added changes: |
159 | + - d/not-installed: list dnstap-read.1 manpage, which is being |
160 | + installed by the makefile even when dnstap is disabled. |
161 | + |
162 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Jul 2020 15:22:36 -0300 |
163 | + |
164 | bind9 (1:9.16.4-1) unstable; urgency=medium |
165 | |
166 | * New upstream version 9.16.4 |
167 | @@ -27,12 +101,129 @@ bind9 (1:9.16.4-1) unstable; urgency=medium |
168 | |
169 | -- Ondřej Surý <ondrej@debian.org> Wed, 17 Jun 2020 09:27:29 +0200 |
170 | |
171 | +bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium |
172 | + |
173 | + * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer |
174 | + - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c, |
175 | + lib/ns/include/ns/client.h, lib/ns/xfrout.c. |
176 | + - CVE-2020-8618 |
177 | + * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard |
178 | + label was queried in a certain pattern |
179 | + - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c. |
180 | + - CVE-2020-8619 |
181 | + |
182 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jun 2020 08:29:47 -0400 |
183 | + |
184 | +bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium |
185 | + |
186 | + * Merge with Debian unstable. Remaining changes: |
187 | + - Don't build dnstap as it depends on universe packages: |
188 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
189 | + protobuf-c-compiler (universe packages) |
190 | + + d/dnsutils.install: don't install dnstap |
191 | + + d/libdns1104.symbols: don't include dnstap symbols |
192 | + + d/rules: don't build dnstap nor install dnstap.proto |
193 | + - Add back apport: |
194 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
195 | + attach_conffiles() since that is already done by apport itself, with |
196 | + confirmation from the user. |
197 | + + d/control, d/rules: buil-depends on dh-apport and use it |
198 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
199 | + network egress access that is not available in the Ubuntu autopkgtest |
200 | + farm. |
201 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
202 | + - d/t/control: change the dep8 test dependency to be on the real |
203 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
204 | + - d/rules: change deprecated --with-libjson-c configure argument to |
205 | + --with-json-c |
206 | + * Dropped: |
207 | + - d/control: make bind9-dnsutils multi-arch foreign as another step |
208 | + towards fixing LP #1864761 |
209 | + [The correct fix was to change the dep8 dependency to be on the real |
210 | + package, and not the transitional one] |
211 | + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
212 | + performed when processing referrals |
213 | + + debian/patches/CVE-2020-8616.patch: further limit the number of |
214 | + queries that can be triggered from a request in lib/dns/adb.c, |
215 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
216 | + + CVE-2020-8616 |
217 | + [Fixed upstream] |
218 | + - SECURITY UPDATE: A logic error in code which checks TSIG validity can |
219 | + be used to trigger an assertion failure in tsig.c |
220 | + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
221 | + BADTIME response in lib/dns/tsig.c. |
222 | + + CVE-2020-8617 |
223 | + [Fixed upstream] |
224 | + |
225 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 02 Jun 2020 17:37:44 -0300 |
226 | + |
227 | bind9 (1:9.16.3-1) unstable; urgency=medium |
228 | |
229 | * New upstream version 9.16.3 |
230 | |
231 | -- Ondřej Surý <ondrej@debian.org> Tue, 19 May 2020 14:14:35 +0200 |
232 | |
233 | +bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium |
234 | + |
235 | + * Merge with Debian unstable. Remaining changes: |
236 | + - Don't build dnstap as it depends on universe packages: |
237 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
238 | + protobuf-c-compiler (universe packages) |
239 | + + d/dnsutils.install: don't install dnstap |
240 | + + d/libdns1104.symbols: don't include dnstap symbols |
241 | + + d/rules: don't build dnstap nor install dnstap.proto |
242 | + - Add back apport: |
243 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
244 | + attach_conffiles() since that is already done by apport itself, with |
245 | + confirmation from the user. |
246 | + + d/control, d/rules: buil-depends on dh-apport and use it |
247 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
248 | + network egress access that is not available in the Ubuntu autopkgtest |
249 | + farm. |
250 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
251 | + - d/t/control: change the dep8 test dependency to be on the real |
252 | + bind9-dnsutils package, and not the transitional one (LP #1864761) |
253 | + - d/control: make bind9-dnsutils multi-arch foreign as another step |
254 | + towards fixing LP #1864761 |
255 | + - d/rules: change deprecated --with-libjson-c configure argument to |
256 | + --with-json-c |
257 | + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
258 | + performed when processing referrals |
259 | + + debian/patches/CVE-2020-8616.patch: further limit the number of |
260 | + queries that can be triggered from a request in lib/dns/adb.c, |
261 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
262 | + + CVE-2020-8616 |
263 | + - SECURITY UPDATE: A logic error in code which checks TSIG validity can |
264 | + be used to trigger an assertion failure in tsig.c |
265 | + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
266 | + BADTIME response in lib/dns/tsig.c. |
267 | + + CVE-2020-8617 |
268 | + * Dropped: |
269 | + - use iproute2 instead of net-tools (LP #1850699): |
270 | + + d/control: replace net-tools depends with iproute2 |
271 | + + d/bind9.init: use ip instead of ifconfig |
272 | + [In 1:9.16.1-2] |
273 | + - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate) |
274 | + via libedit-dev (libreadline has a license conflict with bind) |
275 | + [In 1:9.16.1-2] |
276 | + - d/control: drop hardcoded python3 dependency |
277 | + (LP #1856211, Closes #946643) |
278 | + [In 1:9.16.1-2] |
279 | + - d/extras/apparmor.d/usr.sbin.named: |
280 | + + Add flags=(attach_disconnected) to AppArmor profile |
281 | + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ |
282 | + (Closes: #928398) |
283 | + [In 1:9.16.1-2] |
284 | + - d/rules: fix typo in the apparmor profile installation |
285 | + [In 1:9.16.1-2] |
286 | + - d/control: create transitional packages for dnsutils, bind9utils |
287 | + [In 1:9.16.1-2] |
288 | + - d/p/fix-rebinding-protection.patch: fix rebinding protection bug |
289 | + when using forwarder setups (LP #1873046) |
290 | + [Fixed upstream] |
291 | + |
292 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 22 May 2020 09:52:13 -0300 |
293 | + |
294 | bind9 (1:9.16.2-3) unstable; urgency=medium |
295 | |
296 | [ Simon Deziel ] |
297 | @@ -83,6 +274,106 @@ bind9 (1:9.16.1-1) experimental; urgency=medium |
298 | |
299 | -- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 13:59:34 +0100 |
300 | |
301 | +bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium |
302 | + |
303 | + * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches |
304 | + performed when processing referrals |
305 | + - debian/patches/CVE-2020-8616.patch: further limit the number of |
306 | + queries that can be triggered from a request in lib/dns/adb.c, |
307 | + lib/dns/include/dns/adb.h, lib/dns/resolver.c. |
308 | + - CVE-2020-8616 |
309 | + * SECURITY UPDATE: A logic error in code which checks TSIG validity can |
310 | + be used to trigger an assertion failure in tsig.c |
311 | + - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG |
312 | + BADTIME response in lib/dns/tsig.c. |
313 | + - CVE-2020-8617 |
314 | + |
315 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 May 2020 09:03:32 -0400 |
316 | + |
317 | +bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium |
318 | + |
319 | + * d/p/fix-rebinding-protection.patch: fix rebinding protection bug |
320 | + when using forwarder setups (LP: #1873046) |
321 | + |
322 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Apr 2020 14:59:51 -0300 |
323 | + |
324 | +bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium |
325 | + |
326 | + * New upstream release: 19.16.1 (LP: #1868272) |
327 | + - drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream |
328 | + - drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream |
329 | + * d/rules: change deprecated --with-libjson-c configure argument to |
330 | + --with-json-c |
331 | + |
332 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 24 Mar 2020 11:44:46 -0300 |
333 | + |
334 | +bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium |
335 | + |
336 | + * d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now |
337 | + in main (LP: #1866875) |
338 | + |
339 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 16 Mar 2020 16:17:47 -0300 |
340 | + |
341 | +bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium |
342 | + |
343 | + * d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP |
344 | + client quota limits (LP: #1866378) |
345 | + * d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in |
346 | + dns_client_addtrustedkey (LP: #1866384) |
347 | + |
348 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 06 Mar 2020 15:12:56 -0300 |
349 | + |
350 | +bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium |
351 | + |
352 | + * d/control: make bind9-dnsutils multi-arch foreign as another step |
353 | + towards fixing LP: #1864761 |
354 | + |
355 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 20:19:40 -0300 |
356 | + |
357 | +bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium |
358 | + |
359 | + * d/t/control: change the dep8 test dependency to be on the real |
360 | + bind9-dnsutils package, and not the transitional one (LP: #1864761) |
361 | + |
362 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 14:16:04 -0300 |
363 | + |
364 | +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium |
365 | + |
366 | + * Merge with Debian unstable. Remaining changes: |
367 | + - Don't build dnstap as it depends on universe packages: |
368 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
369 | + protobuf-c-compiler (universe packages) |
370 | + + d/dnsutils.install: don't install dnstap |
371 | + + d/libdns1104.symbols: don't include dnstap symbols |
372 | + + d/rules: don't build dnstap nor install dnstap.proto |
373 | + - Add back apport: |
374 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
375 | + attach_conffiles() since that is already done by apport itself, with |
376 | + confirmation from the user. |
377 | + + d/control, d/rules: buil-depends on dh-apport and use it |
378 | + - d/control, d/rules: go back to old geoip support, since |
379 | + libmaxminddb (for GeoIP2) is in universe |
380 | + * Added back from sid packaging: |
381 | + - d/t/control, d/t/simpletest: bring back the dep8 test from |
382 | + debian/sid, with our delta to not query external hosts |
383 | + - use iproute2 instead of net-tools (LP #1850699): |
384 | + + d/control: replace net-tools depends with iproute2 |
385 | + + d/bind9.init: use ip instead of ifconfig |
386 | + - d/control: drop hardcoded python3 dependency |
387 | + (LP #1856211, Closes #946643) |
388 | + - d/extras/apparmor.d/usr.sbin.named: |
389 | + + Add flags=(attach_disconnected) to AppArmor profile |
390 | + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ |
391 | + (Closes: #928398) |
392 | + - d/rules: fix typo in the apparmor profile installation |
393 | + * Added: |
394 | + - d/control: create transitional packages for dnsutils, bind9utils |
395 | + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging |
396 | + - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate) |
397 | + via libedit-dev (libreadline has a license conflict with bind) |
398 | + |
399 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 24 Feb 2020 11:51:37 -0300 |
400 | + |
401 | bind9 (1:9.16.0-1) experimental; urgency=medium |
402 | |
403 | * Change the branch to 9.16 |
404 | @@ -374,6 +665,462 @@ bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium |
405 | |
406 | -- Ondřej Surý <ondrej@debian.org> Wed, 24 Jan 2018 09:18:13 +0000 |
407 | |
408 | +bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium |
409 | + |
410 | + * Merge with Debian unstable. Remaining changes: |
411 | + - Don't build dnstap as it depends on universe packages: |
412 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
413 | + protobuf-c-compiler (universe packages) |
414 | + + d/dnsutils.install: don't install dnstap |
415 | + + d/libdns1104.symbols: don't include dnstap symbols |
416 | + + d/rules: don't build dnstap nor install dnstap.proto |
417 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
418 | + network egress access that is not available in the Ubuntu autopkgtest |
419 | + farm. |
420 | + - Add back apport: |
421 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
422 | + attach_conffiles() since that is already done by apport itself, with |
423 | + confirmation from the user. |
424 | + + d/control, d/rules: buil-depends on dh-apport and use it |
425 | + - d/control, d/rules: go back to old geoip support, since |
426 | + libmaxminddb (for GeoIP2) is in universe |
427 | + * Dropped: |
428 | + - use iproute2 instead of net-tools (LP #1850699): |
429 | + + d/control: replace net-tools depends with iproute2 |
430 | + + d/bind9.init: use ip instead of ifconfig |
431 | + [In 1:9.11.14+dfsg-2] |
432 | + - d/control: drop hardcoded python3 dependency in bind9utils, |
433 | + dh-python injects the correct one via ${python3:Depends} |
434 | + (LP #1856211, Closes #946643) |
435 | + [In 1:9.11.14+dfsg-1] |
436 | + |
437 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 27 Jan 2020 11:47:26 -0300 |
438 | + |
439 | +bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium |
440 | + |
441 | + * Merge with Debian unstable. Remaining changes: |
442 | + - Don't build dnstap as it depends on universe packages: |
443 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
444 | + protobuf-c-compiler (universe packages) |
445 | + + d/dnsutils.install: don't install dnstap |
446 | + + d/libdns1104.symbols: don't include dnstap symbols |
447 | + + d/rules: don't build dnstap nor install dnstap.proto |
448 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
449 | + network egress access that is not available in the Ubuntu autopkgtest |
450 | + farm. |
451 | + - use iproute2 instead of net-tools (LP #1850699): |
452 | + + d/control: replace net-tools depends with iproute2 |
453 | + + d/bind9.init: use ip instead of ifconfig |
454 | + [Updated to also check the exit status of the command] |
455 | + - d/control: drop hardcoded python3 dependency in bind9utils, |
456 | + dh-python injects the correct one via ${python3:Depends} |
457 | + (LP #1856211, Closes: #946643) |
458 | + * Dropped: |
459 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
460 | + option (LP #1804648) |
461 | + [Fixed upstream in 9.11.6rc1] |
462 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
463 | + close to a query timeout (LP #1797926) |
464 | + [Fixed upstream in 9.11.6rc1] |
465 | + - SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single |
466 | + connection |
467 | + + debian/patches/CVE-2019-6477.patch: limit number of clients in |
468 | + bin/named/client.c, bin/named/include/named/client.h. |
469 | + + CVE-2019-6477 |
470 | + [Fixed upstream in 9.11.13] |
471 | + * Added: |
472 | + - Add back apport: |
473 | + + d/bind9.apport: add back old bind9 apport hook, but without calling |
474 | + attach_conffiles() since that is already done by apport itself, with |
475 | + confirmation from the user. |
476 | + + d/control, d/rules: buil-depends on dh-apport and use it |
477 | + - d/control, d/rules: go back to old geoip support, since |
478 | + libmaxminddb (for GeoIP2) is in universe |
479 | + |
480 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Jan 2020 14:07:05 -0300 |
481 | + |
482 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium |
483 | + |
484 | + * d/control: drop hardcoded python3 dependency in bind9utils, |
485 | + dh-python injects the correct one via ${python3:Depends} |
486 | + (LP: #1856211, Closes: #946643) |
487 | + |
488 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 12 Dec 2019 14:40:20 -0300 |
489 | + |
490 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium |
491 | + |
492 | + * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single |
493 | + connection |
494 | + - debian/patches/CVE-2019-6477.patch: limit number of clients in |
495 | + bin/named/client.c, bin/named/include/named/client.h. |
496 | + - CVE-2019-6477 |
497 | + |
498 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Nov 2019 07:50:24 -0500 |
499 | + |
500 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium |
501 | + |
502 | + * use iproute2 instead of net-tools (LP: #1850699): |
503 | + - d/control: replace net-tools depends with iproute2 |
504 | + - d/bind9.init: use ip instead of ifconfig |
505 | + * d/bind9.install, d/control, d/rules: re-enable lmdb, which is now |
506 | + in main. |
507 | + |
508 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 08 Nov 2019 10:15:01 -0300 |
509 | + |
510 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium |
511 | + |
512 | + * Rebuild against new libjson-c4. |
513 | + |
514 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Sat, 29 Jun 2019 13:45:33 +0200 |
515 | + |
516 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium |
517 | + |
518 | + * Merge with Debian unstable. Remaining changes: |
519 | + - Build without lmdb support as that package is in Universe |
520 | + - Don't build dnstap as it depends on universe packages: |
521 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
522 | + protobuf-c-compiler (universe packages) |
523 | + + d/dnsutils.install: don't install dnstap |
524 | + + d/libdns1104.symbols: don't include dnstap symbols |
525 | + + d/rules: don't build dnstap nor install dnstap.proto |
526 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
527 | + option (LP #1804648) |
528 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
529 | + close to a query timeout (LP #1797926) |
530 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
531 | + network egress access that is not available in the Ubuntu autopkgtest |
532 | + farm. |
533 | + * Dropped: |
534 | + - SECURITY UPDATE: DoS via malformed packets |
535 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
536 | + + CVE-2019-6471 |
537 | + [Fixed in 1:9.11.5.P4+dfsg-5.1] |
538 | + |
539 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 27 Jun 2019 14:54:25 +0000 |
540 | + |
541 | +bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium |
542 | + |
543 | + * Merge with Debian unstable. Remaining changes: |
544 | + - Build without lmdb support as that package is in Universe |
545 | + - Don't build dnstap as it depends on universe packages: |
546 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
547 | + protobuf-c-compiler (universe packages) |
548 | + + d/dnsutils.install: don't install dnstap |
549 | + + d/libdns1104.symbols: don't include dnstap symbols |
550 | + + d/rules: don't build dnstap nor install dnstap.proto |
551 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
552 | + option (LP #1804648) |
553 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
554 | + close to a query timeout (LP #1797926) |
555 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
556 | + network egress access that is not available in the Ubuntu autopkgtest |
557 | + farm. |
558 | + - SECURITY UPDATE: DoS via malformed packets |
559 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
560 | + + CVE-2019-6471 |
561 | + |
562 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000 |
563 | + |
564 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium |
565 | + |
566 | + * SECURITY UPDATE: DoS via malformed packets |
567 | + - debian/patches/CVE-2019-6471.patch: fix race condition in |
568 | + lib/dns/dispatch.c. |
569 | + - CVE-2019-6471 |
570 | + |
571 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400 |
572 | + |
573 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium |
574 | + |
575 | + * Merge with Debian unstable. Remaining changes: |
576 | + - Build without lmdb support as that package is in Universe |
577 | + - Don't build dnstap as it depends on universe packages: |
578 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
579 | + protobuf-c-compiler (universe packages) |
580 | + + d/dnsutils.install: don't install dnstap |
581 | + + d/libdns1104.symbols: don't include dnstap symbols |
582 | + + d/rules: don't build dnstap nor install dnstap.proto |
583 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
584 | + option (LP #1804648) |
585 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
586 | + close to a query timeout (LP #1797926) |
587 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
588 | + network egress access that is not available in the Ubuntu autopkgtest |
589 | + farm. |
590 | + * Dropped: |
591 | + - SECURITY UPDATE: memory leak via specially crafted packet |
592 | + + debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
593 | + options in bin/named/client.c. |
594 | + + CVE-2018-5744 |
595 | + [Fixed upstream in 9.11.5-P2] |
596 | + - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
597 | + unsupported key algorithm when using managed-keys |
598 | + + debian/patches/CVE-2018-5745.patch: properly handle situations when |
599 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
600 | + lib/dns/zone.c. |
601 | + + CVE-2018-5745 |
602 | + [Fixed upstream in 9.11.5-P2] |
603 | + - SECURITY UPDATE: Controls for zone transfers may not be properly |
604 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
605 | + + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
606 | + the zone table as a DLZ zone bin/named/xfrout.c. |
607 | + + CVE-2019-6465 |
608 | + [Fixed upstream in 9.11.5-P3] |
609 | + - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
610 | + + debian/patches/CVE-2018-5743.patch: add reference counting in |
611 | + bin/named/client.c, bin/named/include/named/client.h, |
612 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
613 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
614 | + lib/isc/win32/libisc.def.in. |
615 | + + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
616 | + operations with isc_refcount reference counting in |
617 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
618 | + bin/named/interfacemgr.c. |
619 | + + debian/libisc1100.symbols: added new symbols. |
620 | + + CVE-2018-5743 |
621 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
622 | + - d/rules: add back EdDSA support (LP #1825712) |
623 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
624 | + |
625 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300 |
626 | + |
627 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium |
628 | + |
629 | + * d/rules: add back EdDSA support (LP: #1825712) |
630 | + |
631 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000 |
632 | + |
633 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium |
634 | + |
635 | + * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
636 | + - debian/patches/CVE-2018-5743.patch: add reference counting in |
637 | + bin/named/client.c, bin/named/include/named/client.h, |
638 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
639 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
640 | + lib/isc/win32/libisc.def.in. |
641 | + - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
642 | + operations with isc_refcount reference counting in |
643 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
644 | + bin/named/interfacemgr.c. |
645 | + - debian/libisc1100.symbols: added new symbols. |
646 | + - CVE-2018-5743 |
647 | + |
648 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400 |
649 | + |
650 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium |
651 | + |
652 | + * SECURITY UPDATE: memory leak via specially crafted packet |
653 | + - debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
654 | + options in bin/named/client.c. |
655 | + - CVE-2018-5744 |
656 | + * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
657 | + unsupported key algorithm when using managed-keys |
658 | + - debian/patches/CVE-2018-5745.patch: properly handle situations when |
659 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
660 | + lib/dns/zone.c. |
661 | + - CVE-2018-5745 |
662 | + * SECURITY UPDATE: Controls for zone transfers may not be properly |
663 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
664 | + - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
665 | + the zone table as a DLZ zone bin/named/xfrout.c. |
666 | + - CVE-2019-6465 |
667 | + |
668 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100 |
669 | + |
670 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium |
671 | + |
672 | + * Merge with Debian unstable. Remaining changes: |
673 | + - Build without lmdb support as that package is in Universe |
674 | + - Don't build dnstap as it depends on universe packages: |
675 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
676 | + protobuf-c-compiler (universe packages) |
677 | + + d/dnsutils.install: don't install dnstap |
678 | + + d/libdns1104.symbols: don't include dnstap symbols |
679 | + + d/rules: don't build dnstap nor install dnstap.proto |
680 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
681 | + option (LP #1804648) |
682 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
683 | + close to a query timeout (LP #1797926) |
684 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
685 | + network egress access that is not available in the Ubuntu autopkgtest |
686 | + farm. |
687 | + |
688 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 |
689 | + |
690 | +bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium |
691 | + |
692 | + * Merge with Debian unstable. Remaining changes: |
693 | + - Build without lmdb support as that package is in Universe |
694 | + - Don't build dnstap as it depends on universe packages: |
695 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
696 | + protobuf-c-compiler (universe packages) |
697 | + + d/dnsutils.install: don't install dnstap |
698 | + + d/libdns1104.symbols: don't include dnstap symbols |
699 | + + d/rules: don't build dnstap nor install dnstap.proto |
700 | + * Dropped: |
701 | + - SECURITY UPDATE: denial of service crash when deny-answer-aliases |
702 | + option is used |
703 | + + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
704 | + trigger a crash if deny-answer-aliases was set |
705 | + + debian/patches/CVE-2018-5740-2.patch: add tests |
706 | + + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
707 | + chainingp correctly, add test |
708 | + + CVE-2018-5740 |
709 | + [Fixed in new upstream version 9.11.5] |
710 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
711 | + line (Closes: #904983) |
712 | + [Fixed in 1:9.11.4+dfsg-4] |
713 | + - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) |
714 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
715 | + - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
716 | + (it depends on OpenSSL version) (Closes: #897643) |
717 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
718 | + * Added: |
719 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
720 | + option (LP: #1804648) |
721 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
722 | + close to a query timeout (LP: #1797926) |
723 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
724 | + network egress access that is not available in the Ubuntu autopkgtest |
725 | + farm. |
726 | + |
727 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 |
728 | + |
729 | +bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high |
730 | + |
731 | + * No change rebuild against openssl 1.1.1 with TLS 1.3 support. |
732 | + |
733 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 |
734 | + |
735 | +bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium |
736 | + |
737 | + * SECURITY UPDATE: denial of service crash when deny-answer-aliases |
738 | + option is used |
739 | + - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
740 | + trigger a crash if deny-answer-aliases was set |
741 | + - debian/patches/CVE-2018-5740-2.patch: add tests |
742 | + - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
743 | + chainingp correctly, add test |
744 | + - CVE-2018-5740 |
745 | + |
746 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 |
747 | + |
748 | +bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium |
749 | + |
750 | + * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
751 | + (it depends on OpenSSL version) (Closes: #897643) |
752 | + |
753 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 |
754 | + |
755 | +bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium |
756 | + |
757 | + * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 |
758 | + crashing on startup. (LP: #1769440) |
759 | + |
760 | + -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 |
761 | + |
762 | +bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium |
763 | + |
764 | + * Merge with Debian unstable. Remaining changes: |
765 | + - Build without lmdb support as that package is in Universe |
766 | + * Added: |
767 | + - Don't build dnstap as it depends on universe packages: |
768 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
769 | + protobuf-c-compiler (universe packages) |
770 | + + d/dnsutils.install: don't install dnstap |
771 | + + d/libdns1102.symbols: don't include dnstap symbols |
772 | + + d/rules: don't build dnstap |
773 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
774 | + line (Closes: #904983) |
775 | + |
776 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 |
777 | + |
778 | +bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium |
779 | + |
780 | + * Merge with Debian unstable (LP: #1777935). Remaining changes: |
781 | + - Build without lmdb support as that package is in Universe |
782 | + * Drop: |
783 | + - SECURITY UPDATE: improperly permits recursive query service |
784 | + + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
785 | + in bin/named/server.c. |
786 | + + CVE-2018-5738 |
787 | + [Applied in Debian's 1:9.11.3+dfsg-2] |
788 | + |
789 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 |
790 | + |
791 | +bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium |
792 | + |
793 | + * SECURITY UPDATE: improperly permits recursive query service |
794 | + - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
795 | + in bin/named/server.c. |
796 | + - CVE-2018-5738 |
797 | + |
798 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 |
799 | + |
800 | +bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low |
801 | + |
802 | + * New upstream release. (LP: #1763572) |
803 | + - fix a crash when configured with ipa-dns-install |
804 | + * Merge from Debian unstable. Remaining changes: |
805 | + - Build without lmdb support as that package is in Universe |
806 | + |
807 | + -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 |
808 | + |
809 | +bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium |
810 | + |
811 | + * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating |
812 | + DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews |
813 | + <marka@isc.org>. (LP: #1755439) |
814 | + |
815 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 |
816 | + |
817 | +bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium |
818 | + |
819 | + * Fix apparmor profile filename (LP: #1754981) |
820 | + |
821 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 |
822 | + |
823 | +bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high |
824 | + |
825 | + * No change rebuild against openssl1.1. |
826 | + |
827 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 |
828 | + |
829 | +bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium |
830 | + |
831 | + * Build without lmdb support as that package is in Universe (LP: #1746296) |
832 | + - d/control: remove Build-Depends on liblmdb-dev |
833 | + - d/rules: configure --without-lmdb |
834 | + - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires |
835 | + lmdb. |
836 | + |
837 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 |
838 | + |
839 | +bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium |
840 | + |
841 | + * Merge with Debian unstable (LP: #1744930). |
842 | + * Drop: |
843 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
844 | + (LP #1536181). |
845 | + [fixed in 1:9.10.6+dfsg-4] |
846 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
847 | + [adopted in 1:9.10.6+dfsg-5] |
848 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
849 | + introduced with the CVE-2016-8864.patch and fixed in |
850 | + CVE-2016-8864-regression.patch. |
851 | + [applied upstream] |
852 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
853 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
854 | + and fixed in CVE-2016-8864-regression2.patch. |
855 | + [applied upstream] |
856 | + - d/control, d/rules: add json support for the statistics channels. |
857 | + (LP #1669193) |
858 | + [adopted in 1:9.10.6+dfsg-5] |
859 | + * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing |
860 | + listing the python ply module as a dependency (Closes: #888463) |
861 | + |
862 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 |
863 | + |
864 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
865 | |
866 | * New upstream version 9.11.2-P1 |
867 | @@ -549,6 +1296,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium |
868 | |
869 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
870 | |
871 | +bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium |
872 | + |
873 | + * Merge with Debian unstable (LP: #1712920). Remaining changes: |
874 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
875 | + (LP #1536181). |
876 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
877 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
878 | + introduced with the CVE-2016-8864.patch and fixed in |
879 | + CVE-2016-8864-regression.patch. |
880 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
881 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
882 | + and fixed in CVE-2016-8864-regression2.patch. |
883 | + - d/control, d/rules: add json support for the statistics channels. |
884 | + (LP #1669193) |
885 | + |
886 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 |
887 | + |
888 | +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium |
889 | + |
890 | + * Non-maintainer upload. |
891 | + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) |
892 | + |
893 | + -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 |
894 | + |
895 | +bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium |
896 | + |
897 | + * Merge with Debian unstable (LP: #1701687). Remaining changes: |
898 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
899 | + (LP #1536181). |
900 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
901 | + * Drop: |
902 | + - SECURITY UPDATE: denial of service via assertion failure |
903 | + + debian/patches/CVE-2016-2776.patch: properly handle lengths in |
904 | + lib/dns/message.c. |
905 | + + CVE-2016-2776 |
906 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
907 | + - SECURITY UPDATE: assertion failure via class mismatch |
908 | + + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
909 | + records in lib/dns/resolver.c. |
910 | + + CVE-2016-9131 |
911 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
912 | + - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
913 | + + debian/patches/CVE-2016-9147.patch: fix logic when records are |
914 | + returned without the requested data in lib/dns/resolver.c. |
915 | + + CVE-2016-9147 |
916 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
917 | + - SECURITY UPDATE: assertion failure via unusually-formed DS record |
918 | + + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
919 | + lib/dns/message.c, lib/dns/resolver.c. |
920 | + + CVE-2016-9444 |
921 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
922 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
923 | + + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
924 | + responses in lib/dns/resolver.c, added tests to |
925 | + bin/tests/system/dname/ns2/example.db, |
926 | + bin/tests/system/dname/tests.sh. |
927 | + + No CVE number |
928 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] |
929 | + - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
930 | + a NULL pointer |
931 | + + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
932 | + combination in bin/named/query.c, lib/dns/message.c, |
933 | + lib/dns/rdataset.c. |
934 | + + CVE-2017-3135 |
935 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
936 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
937 | + + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
938 | + was still being cached when it should have been in lib/dns/resolver.c, |
939 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
940 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
941 | + + No CVE number |
942 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
943 | + - SECURITY UPDATE: Denial of Service due to an error handling |
944 | + synthesized records when using DNS64 with "break-dnssec yes;" |
945 | + + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
946 | + called. |
947 | + + CVE-2017-3136 |
948 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
949 | + - SECURITY UPDATE: Denial of Service due to resolver terminating when |
950 | + processing a response packet containing a CNAME or DNAME |
951 | + + debian/patches/CVE-2017-3137.patch: don't expect a specific |
952 | + ordering of answer components; add testcases. |
953 | + + CVE-2017-3137 |
954 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] |
955 | + - SECURITY UPDATE: Denial of Service when receiving a null command on |
956 | + the control channel |
957 | + + debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
958 | + command token is given; add testcase. |
959 | + + CVE-2017-3138 |
960 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
961 | + - SECURITY UPDATE: TSIG authentication issues |
962 | + + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
963 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
964 | + + CVE-2017-3142 |
965 | + + CVE-2017-3143 |
966 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] |
967 | + * d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
968 | + introduced with the CVE-2016-8864.patch and fixed in |
969 | + CVE-2016-8864-regression.patch. |
970 | + * d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
971 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
972 | + and fixed in CVE-2016-8864-regression2.patch. |
973 | + * d/control, d/rules: add json support for the statistics channels. |
974 | + (LP: #1669193) |
975 | + |
976 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 |
977 | + |
978 | +bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium |
979 | + |
980 | + * Non-maintainer upload. |
981 | + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG |
982 | + signed TCP message sequences where not all the messages contain TSIG |
983 | + records. These may be used in AXFR and IXFR responses. |
984 | + (Closes: #868952) |
985 | + |
986 | + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 |
987 | + |
988 | +bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high |
989 | + |
990 | + * Non-maintainer upload. |
991 | + |
992 | + [ Yves-Alexis Perez ] |
993 | + * debian/patches: |
994 | + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses |
995 | + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone |
996 | + transfers. An attacker may be able to circumvent TSIG authentication of |
997 | + AXFR and Notify requests. |
998 | + CVE-2017-3143: error in TSIG authentication can permit unauthorized |
999 | + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) |
1000 | + signature for a dynamic update. |
1001 | + (Closes: #866564) |
1002 | + |
1003 | + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 |
1004 | + |
1005 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
1006 | |
1007 | [ Bernhard Schmidt ] |
1008 | @@ -655,6 +1536,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium |
1009 | |
1010 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
1011 | |
1012 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium |
1013 | + |
1014 | + * SECURITY UPDATE: TSIG authentication issues |
1015 | + - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
1016 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
1017 | + - CVE-2017-3142 |
1018 | + - CVE-2017-3143 |
1019 | + |
1020 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 |
1021 | + |
1022 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium |
1023 | + |
1024 | + * rules: Fix path to libsofthsm2.so. (LP: #1685780) |
1025 | + |
1026 | + -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 |
1027 | + |
1028 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium |
1029 | + |
1030 | + * SECURITY UPDATE: Denial of Service due to an error handling |
1031 | + synthesized records when using DNS64 with "break-dnssec yes;" |
1032 | + - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
1033 | + called. |
1034 | + - CVE-2017-3136 |
1035 | + * SECURITY UPDATE: Denial of Service due to resolver terminating when |
1036 | + processing a response packet containing a CNAME or DNAME |
1037 | + - debian/patches/CVE-2017-3137.patch: don't expect a specific |
1038 | + ordering of answer components; add testcases. |
1039 | + - CVE-2017-3137 |
1040 | + * SECURITY UPDATE: Denial of Service when receiving a null command on |
1041 | + the control channel |
1042 | + - debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
1043 | + command token is given; add testcase. |
1044 | + - CVE-2017-3138 |
1045 | + |
1046 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 |
1047 | + |
1048 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium |
1049 | + |
1050 | + * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
1051 | + a NULL pointer |
1052 | + - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
1053 | + combination in bin/named/query.c, lib/dns/message.c, |
1054 | + lib/dns/rdataset.c. |
1055 | + - CVE-2017-3135 |
1056 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
1057 | + - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
1058 | + was still being cached when it should have been in lib/dns/resolver.c, |
1059 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
1060 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
1061 | + - No CVE number |
1062 | + |
1063 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 |
1064 | + |
1065 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium |
1066 | + |
1067 | + * SECURITY UPDATE: assertion failure via class mismatch |
1068 | + - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
1069 | + records in lib/dns/resolver.c. |
1070 | + - CVE-2016-9131 |
1071 | + * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
1072 | + - debian/patches/CVE-2016-9147.patch: fix logic when records are |
1073 | + returned without the requested data in lib/dns/resolver.c. |
1074 | + - CVE-2016-9147 |
1075 | + * SECURITY UPDATE: assertion failure via unusually-formed DS record |
1076 | + - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
1077 | + lib/dns/message.c, lib/dns/resolver.c. |
1078 | + - CVE-2016-9444 |
1079 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
1080 | + - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
1081 | + responses in lib/dns/resolver.c, added tests to |
1082 | + bin/tests/system/dname/ns2/example.db, |
1083 | + bin/tests/system/dname/tests.sh. |
1084 | + - No CVE number |
1085 | + |
1086 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 |
1087 | + |
1088 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium |
1089 | + |
1090 | + * Add RemainAfterExit to bind9-resolvconf unit configuration file |
1091 | + (LP: #1536181). |
1092 | + |
1093 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 |
1094 | + |
1095 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium |
1096 | + |
1097 | + * SECURITY UPDATE: denial of service via assertion failure |
1098 | + - debian/patches/CVE-2016-2776.patch: properly handle lengths in |
1099 | + lib/dns/message.c. |
1100 | + - CVE-2016-2776 |
1101 | + |
1102 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 |
1103 | + |
1104 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
1105 | |
1106 | * Non-maintainer upload. |
1107 | diff --git a/debian/control b/debian/control |
1108 | index b6f7ecd..adf5ada 100644 |
1109 | --- a/debian/control |
1110 | +++ b/debian/control |
1111 | @@ -1,32 +1,31 @@ |
1112 | Source: bind9 |
1113 | Section: net |
1114 | Priority: optional |
1115 | -Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
1116 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1117 | +XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
1118 | Uploaders: Ondřej Surý <ondrej@debian.org>, |
1119 | Bernhard Schmidt <berni@debian.org> |
1120 | Build-Depends: bison, |
1121 | debhelper-compat (= 12), |
1122 | dh-apparmor, |
1123 | + dh-apport, |
1124 | dh-exec, |
1125 | dh-python, |
1126 | libcap2-dev [linux-any], |
1127 | libcmocka-dev, |
1128 | libdb-dev, |
1129 | libedit-dev, |
1130 | - libfstrm-dev, |
1131 | libidn2-dev, |
1132 | libjson-c-dev, |
1133 | libkrb5-dev, |
1134 | libldap2-dev, |
1135 | liblmdb-dev, |
1136 | libmaxminddb-dev (>= 1.3.0), |
1137 | - libprotobuf-c-dev, |
1138 | libssl-dev, |
1139 | libtool, |
1140 | libuv1-dev, |
1141 | libxml2-dev, |
1142 | pkg-config, |
1143 | - protobuf-c-compiler, |
1144 | python3, |
1145 | python3-ply, |
1146 | zlib1g-dev |
1147 | diff --git a/debian/rules b/debian/rules |
1148 | index 0fca88b..54ed8d6 100755 |
1149 | --- a/debian/rules |
1150 | +++ b/debian/rules |
1151 | @@ -29,7 +29,7 @@ SED_VERSION_EXTENSIONS := \ |
1152 | sed -e 's,^EXTENSIONS=,EXTENSIONS="$$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$$(dpkg-vendor --query Vendor)",' |
1153 | |
1154 | %: |
1155 | - dh $@ --with python3 |
1156 | + dh $@ --with python3,apport |
1157 | |
1158 | prepare_version_extensions: |
1159 | if [ ! -f version.bak ]; then \ |
1160 | @@ -60,7 +60,7 @@ override_dh_auto_configure: |
1161 | --with-openssl=/usr \ |
1162 | --with-gssapi=/usr \ |
1163 | --with-libidn2 \ |
1164 | - --with-libjson-c \ |
1165 | + --with-json-c \ |
1166 | --with-lmdb=/usr \ |
1167 | --with-gnu-ld \ |
1168 | --with-maxminddb \ |
1169 | @@ -69,7 +69,6 @@ override_dh_auto_configure: |
1170 | --enable-rrl \ |
1171 | --enable-filter-aaaa \ |
1172 | --disable-native-pkcs11 \ |
1173 | - --enable-dnstap \ |
1174 | $(EXTRA_FEATURES) |
1175 | |
1176 | override_dh_auto_build: |
1177 | diff --git a/debian/tests/control b/debian/tests/control |
1178 | index 3e952eb..35b7572 100644 |
1179 | --- a/debian/tests/control |
1180 | +++ b/debian/tests/control |
1181 | @@ -1,4 +1,4 @@ |
1182 | Tests: simpletest |
1183 | Restrictions: needs-root, isolation-container |
1184 | Depends: bind9, |
1185 | - dnsutils |
1186 | + bind9-dnsutils |
1187 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest |
1188 | index 468a7c5..34b0b25 100644 |
1189 | --- a/debian/tests/simpletest |
1190 | +++ b/debian/tests/simpletest |
1191 | @@ -10,10 +10,6 @@ setup() { |
1192 | run() { |
1193 | # Make a query against a local zone |
1194 | dig -x 127.0.0.1 @127.0.0.1 |
1195 | - |
1196 | - # Make a query against an external nameserver and check for DNSSEC validation |
1197 | - echo "Checking for DNSSEC validation status of internetsociety.org" |
1198 | - dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' |
1199 | } |
1200 | |
1201 | teardown() { |
I'll review this one.