Ubuntu
bind9 package

Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind9166-merge into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack on 2020-08-24

Status:	Merged
Approved by:	Andreas Hasenack on 2020-08-25
Approved revision:	a88677cb2ea1f4a29b2f19f365733adfc1050060
Merge reported by:	Sergio Durigan Junior
Merged at revision:	ba594cd23e9f3245fc649c794562e1a9b0446be6
Proposed branch:	~ahasenack/ubuntu/+source/bind9:groovy-bind9166-merge
Merge into:	ubuntu/+source/bind9:debian/sid
Diff against target:	1201 lines (+1027/-14) 8 files modified debian/NEWS (+24/-0) debian/bind9-dnsutils.install (+0/-2) debian/bind9.apport (+24/-0) debian/changelog (+973/-0) debian/control (+3/-4) debian/rules (+2/-3) debian/tests/control (+1/-1) debian/tests/simpletest (+0/-4)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Sergio Durigan Junior (community)	2020-08-24	Approve on 2020-08-25
Canonical Server Core Reviewers	2020-08-24	Pending
Review via email: mp+389741@code.launchpad.net

Description of the change

Merge from debian, new upstream version. It's a security update.

Was able to drop one bit of delta fixed upstream. From the previous merge[1], the other bits of delta forwarded to debian weren't acted upon yet by debian:

https://salsa.debian.org/dns-team/bind9/-/merge_requests/12

and

https://salsa.debian.org/dns-team/bind9/-/merge_requests/13

PPA with proposed and all arches except riscv64: https://launchpad.net/~ahasenack/+archive/ubuntu/bind-9166/

DEP8 tests are trivial and I ran them locally on amd64:
autopkgtest [15:41:18]: test simpletest: -----------------------]
autopkgtest [15:41:18]: test simpletest: - - - - - - - - - - results - - - - - - - - - -
simpletest PASS
autopkgtest [15:41:18]: @@@@@@@@@@@@@@@@@@@@ summary
simpletest PASS

The migration test is more complete as it triggers the tests in other packages too, but I didn't create a bileto ticket for this because it's FF week and that would take a very long time, and we need to get this in anyway, so any issues that arise during migration will have to be dealt with anyway.

1. https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/386925

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2020-08-24:

I'll review this one.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2020-08-25:

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [√] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

I'm approving this MP. My only suggestion would be to mention (in the MP's description) which bit of delta you were able to drop; otherwise, everything looks great.

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

Right, sorry, I dropped this bit:

commit fa69ece2a6775876dd35d669793768787bf4ae43 (tag: logical/1%9.16.4-1ubuntu2, tag: ahasenack/logical/1%9.16.4-1ubuntu2)
Author: Andreas Hasenack <email address hidden>
Date: Mon Jul 6 18:05:03 2020 +0000

- d/not-installed: list dnstap-read.1 manpage, which is being
installed by the makefile even when dnstap is disabled.

diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 00000000000..323f59b360a
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,2 @@
+# see https://gitlab.isc.org/isc-projects/bind9/-/issues/2008
+usr/share/man/man1/dnstap-read.1

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

Gotta love git range-diff :)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

Hm, I see I didn't push that drop, I'm sorry. Pushing now, please take another quick look.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

The ppa had it, see its d/changelog: https://launchpad.net/~ahasenack/+archive/ubuntu/bind-9166/+packages

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

range-diff command suggestion:

git range-diff old/debian..logical/1%9.16.4-1ubuntu2 new/debian..groovy-bind9166-merge

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

> The ppa had it, see its d/changelog:
> https://launchpad.net/~ahasenack/+archive/ubuntu/bind-9166/+packages

Ugh, I meant, the ppa had the *drop*

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2020-08-25:

Ah, thanks! So my hunch was correct, but I should have told you to include the drop in the changelog ;-). Anyway, I looked at it again (thanks for updating it!), and it looks fine for me now.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

Thanks, feel free to hit me in the head next sprint :)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-08-25:

Tagging and uploading ba594cd23e9f3245fc649c794562e1a9b0446be6

$ git push pkg upload/1%9.16.6-2ubuntu1
Enumerating objects: 53, done.
Counting objects: 100% (53/53), done.
Delta compression using up to 4 threads
Compressing objects: 100% (41/41), done.
Writing objects: 100% (44/44), 13.09 KiB | 273.00 KiB/s, done.
Total 44 (delta 29), reused 6 (delta 3)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
* [new tag] upload/1%9.16.6-2ubuntu1 -> upload/1%9.16.6-2ubuntu1

$ dput ubuntu ../bind9_9.16.6-2ubuntu1_source.changes
Checking signature on .changes
gpg: ../bind9_9.16.6-2ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.16.6-2ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.16.6-2ubuntu1.dsc: done.
  Uploading bind9_9.16.6.orig.tar.xz: done.
  Uploading bind9_9.16.6-2ubuntu1.debian.tar.xz: done.
  Uploading bind9_9.16.6-2ubuntu1_source.buildinfo: done.
  Uploading bind9_9.16.6-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/NEWS b/debian/NEWS
 new file mode 100644
 index 0000000..c9348a4
 --- /dev/null
 +++ b/debian/NEWS
@@ -0,0 +1,24 @@
++bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
++
++  Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new
++  source package bind9-libs version 9.11 was created for that purpose,
++  providing only libraries and header files. The bind9 9.16.x packages do not
++  provide development libraries or headers. See commit
++  https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more
++  details. udebs used in the debian-installer are also being provided by
++  bind9-libs.
++
++  Another package which doesn't build with the newer bind9 package is
++  bind-dyndb-ldap. It will build using the libraries from bind9-libs, but
++  since this is a server plugin, it won't work with the newer server.
++
++  Native pkcs#11 support via softhsm2 is no longer being built for this
++  package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see
++  https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer
++  ships FreeIPA, and Debian also dropped the native pkcs#11 support.
++
++  There are no development libraries or header files in this bind9 9.16.x
++  packaging at the moment. This may change later, see
++  https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 22 Feb 2020 17:40:38 -0300
 diff --git a/debian/bind9-dnsutils.install b/debian/bind9-dnsutils.install
 index 90e4fba..5e6b7d9 100644
 --- a/debian/bind9-dnsutils.install
 +++ b/debian/bind9-dnsutils.install
@@ -1,12 +1,10 @@
  usr/bin/delv
  usr/bin/dig
--usr/bin/dnstap-read
  usr/bin/mdig
  usr/bin/nslookup
  usr/bin/nsupdate
  usr/share/man/man1/delv.1
  usr/share/man/man1/dig.1
--usr/share/man/man1/dnstap-read.1
  usr/share/man/man1/mdig.1
  usr/share/man/man1/nslookup.1
  usr/share/man/man1/nsupdate.1
 diff --git a/debian/bind9.apport b/debian/bind9.apport
 new file mode 100644
 index 0000000..b3baa8b
 --- /dev/null
 +++ b/debian/bind9.apport
@@ -0,0 +1,24 @@
++'''apport hook for bind9
++
++(c) 2010 Andres Rodriguez.
++Author: Andres Rodriguez <andreserl@ubuntu.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++from apport.hookutils import *
++import re
++
++def add_info(report, ui):
++
++    # getting syslog stuff
++    report['SyslogBind9'] = recent_syslog(re.compile(r'named\['))
++
++    # Attaching related packages info
++    attach_related_packages(report, ['bind9utils', 'apparmor'])
++
++    attach_mac_events(report, '/usr/sbin/named')
 diff --git a/debian/changelog b/debian/changelog
 index 72404e2..6b51469 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,32 @@
++bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - d/not-installed: list dnstap-read.1 manpage, which is being
++      installed by the makefile even when dnstap is disabled.
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 24 Aug 2020 10:57:08 -0300
++
  bind9 (1:9.16.6-2) unstable; urgency=medium
    * Move Build-Depends for documentation to Build-Depends-Indep, this
@@ -20,6 +49,51 @@ bind9 (1:9.16.5-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Thu, 16 Jul 2020 00:29:57 +0200
++bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium
++
++  * No change rebuild against new json-c ABI.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 28 Jul 2020 17:42:17 +0100
++
++bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
++      + debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
++        lib/ns/include/ns/client.h, lib/ns/xfrout.c.
++      + CVE-2020-8618
++      [Fixed upstream]
++    - SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
++      label was queried in a certain pattern
++      + debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
++      + CVE-2020-8619
++      [Fixed upstream]
++  * Added changes:
++    - d/not-installed: list dnstap-read.1 manpage, which is being
++      installed by the makefile even when dnstap is disabled.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Jul 2020 15:22:36 -0300
++
  bind9 (1:9.16.4-1) unstable; urgency=medium
    * New upstream version 9.16.4
@@ -27,12 +101,129 @@ bind9 (1:9.16.4-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Wed, 17 Jun 2020 09:27:29 +0200
++bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium
++
++  * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
++    - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
++      lib/ns/include/ns/client.h, lib/ns/xfrout.c.
++    - CVE-2020-8618
++  * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
++    label was queried in a certain pattern
++    - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
++    - CVE-2020-8619
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Jun 2020 08:29:47 -0400
++
++bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - d/control: make bind9-dnsutils multi-arch foreign as another step
++      towards fixing LP #1864761
++      [The correct fix was to change the dep8 dependency to be on the real
++      package, and not the transitional one]
++    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++      performed when processing referrals
++      + debian/patches/CVE-2020-8616.patch: further limit the number of
++        queries that can be triggered from a request in lib/dns/adb.c,
++        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++      + CVE-2020-8616
++      [Fixed upstream]
++    - SECURITY UPDATE: A logic error in code which checks TSIG validity can
++      be used to trigger an assertion failure in tsig.c
++      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++        BADTIME response in lib/dns/tsig.c.
++      + CVE-2020-8617
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 02 Jun 2020 17:37:44 -0300
++
  bind9 (1:9.16.3-1) unstable; urgency=medium
    * New upstream version 9.16.3
   -- Ondřej Surý <ondrej@debian.org>  Tue, 19 May 2020 14:14:35 +0200
++bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/control: make bind9-dnsutils multi-arch foreign as another step
++      towards fixing LP #1864761
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++      performed when processing referrals
++      + debian/patches/CVE-2020-8616.patch: further limit the number of
++        queries that can be triggered from a request in lib/dns/adb.c,
++        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++      + CVE-2020-8616
++    - SECURITY UPDATE: A logic error in code which checks TSIG validity can
++      be used to trigger an assertion failure in tsig.c
++      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++        BADTIME response in lib/dns/tsig.c.
++      + CVE-2020-8617
++  * Dropped:
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++      [In 1:9.16.1-2]
++    - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
++      via libedit-dev (libreadline has a license conflict with bind)
++      [In 1:9.16.1-2]
++    - d/control: drop hardcoded python3 dependency
++      (LP #1856211, Closes #946643)
++      [In 1:9.16.1-2]
++    - d/extras/apparmor.d/usr.sbin.named:
++      + Add flags=(attach_disconnected) to AppArmor profile
++      + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
++        (Closes: #928398)
++      [In 1:9.16.1-2]
++    - d/rules: fix typo in the apparmor profile installation
++      [In 1:9.16.1-2]
++    - d/control: create transitional packages for dnsutils, bind9utils
++      [In 1:9.16.1-2]
++    - d/p/fix-rebinding-protection.patch: fix rebinding protection bug
++      when using forwarder setups (LP #1873046)
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 22 May 2020 09:52:13 -0300
++
  bind9 (1:9.16.2-3) unstable; urgency=medium
    [ Simon Deziel ]
@@ -83,6 +274,106 @@ bind9 (1:9.16.1-1) experimental; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Fri, 20 Mar 2020 13:59:34 +0100
++bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium
++
++  * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++    performed when processing referrals
++    - debian/patches/CVE-2020-8616.patch: further limit the number of
++      queries that can be triggered from a request in lib/dns/adb.c,
++      lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++    - CVE-2020-8616
++  * SECURITY UPDATE: A logic error in code which checks TSIG validity can
++    be used to trigger an assertion failure in tsig.c
++    - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++      BADTIME response in lib/dns/tsig.c.
++    - CVE-2020-8617
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 19 May 2020 09:03:32 -0400
++
++bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
++
++  * d/p/fix-rebinding-protection.patch: fix rebinding protection bug
++    when using forwarder setups (LP: #1873046)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 15 Apr 2020 14:59:51 -0300
++
++bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium
++
++  * New upstream release: 19.16.1 (LP: #1868272)
++    - drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream
++    - drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream
++  * d/rules: change deprecated --with-libjson-c configure argument to
++    --with-json-c
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 24 Mar 2020 11:44:46 -0300
++
++bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium
++
++  * d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now
++    in main (LP: #1866875)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 16 Mar 2020 16:17:47 -0300
++
++bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium
++
++  * d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP
++    client quota limits (LP: #1866378)
++  * d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in
++    dns_client_addtrustedkey (LP: #1866384)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 06 Mar 2020 15:12:56 -0300
++
++bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium
++
++  * d/control: make bind9-dnsutils multi-arch foreign as another step
++    towards fixing LP: #1864761
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 20:19:40 -0300
++
++bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium
++
++  * d/t/control: change the dep8 test dependency to be on the real
++    bind9-dnsutils package, and not the transitional one (LP: #1864761)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 14:16:04 -0300
++
++bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++  * Added back from sid packaging:
++    - d/t/control, d/t/simpletest: bring back the dep8 test from
++      debian/sid, with our delta to not query external hosts
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++    - d/control: drop hardcoded python3 dependency
++      (LP #1856211, Closes #946643)
++    - d/extras/apparmor.d/usr.sbin.named:
++      + Add flags=(attach_disconnected) to AppArmor profile
++      + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
++        (Closes: #928398)
++    - d/rules: fix typo in the apparmor profile installation
++  * Added:
++    - d/control: create transitional packages for dnsutils, bind9utils
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
++      via libedit-dev (libreadline has a license conflict with bind)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 24 Feb 2020 11:51:37 -0300
++
  bind9 (1:9.16.0-1) experimental; urgency=medium
    * Change the branch to 9.16
@@ -374,6 +665,462 @@ bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Wed, 24 Jan 2018 09:18:13 +0000
++bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++  * Dropped:
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++      [In 1:9.11.14+dfsg-2]
++    - d/control: drop hardcoded python3 dependency in bind9utils,
++      dh-python injects the correct one via ${python3:Depends}
++      (LP #1856211, Closes #946643)
++      [In 1:9.11.14+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 27 Jan 2020 11:47:26 -0300
++
++bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++        [Updated to also check the exit status of the command]
++    - d/control: drop hardcoded python3 dependency in bind9utils,
++      dh-python injects the correct one via ${python3:Depends}
++      (LP #1856211, Closes: #946643)
++  * Dropped:
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++      [Fixed upstream in 9.11.6rc1]
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++      [Fixed upstream in 9.11.6rc1]
++    - SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
++      connection
++      + debian/patches/CVE-2019-6477.patch: limit number of clients in
++        bin/named/client.c, bin/named/include/named/client.h.
++      + CVE-2019-6477
++      [Fixed upstream in 9.11.13]
++  * Added:
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 15 Jan 2020 14:07:05 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium
++
++  * d/control: drop hardcoded python3 dependency in bind9utils,
++    dh-python injects the correct one via ${python3:Depends}
++    (LP: #1856211, Closes: #946643)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 12 Dec 2019 14:40:20 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium
++
++  * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
++    connection
++    - debian/patches/CVE-2019-6477.patch: limit number of clients in
++      bin/named/client.c, bin/named/include/named/client.h.
++    - CVE-2019-6477
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 Nov 2019 07:50:24 -0500
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium
++
++  * use iproute2 instead of net-tools (LP: #1850699):
++    - d/control: replace net-tools depends with iproute2
++    - d/bind9.init: use ip instead of ifconfig
++  * d/bind9.install, d/control, d/rules: re-enable lmdb, which is now
++    in main.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 08 Nov 2019 10:15:01 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium
++
++  * Rebuild against new libjson-c4.
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 29 Jun 2019 13:45:33 +0200
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++  * Dropped:
++    - SECURITY UPDATE: DoS via malformed packets
++      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
++      + CVE-2019-6471
++        [Fixed in 1:9.11.5.P4+dfsg-5.1]
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Thu, 27 Jun 2019 14:54:25 +0000
++
++bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - SECURITY UPDATE: DoS via malformed packets
++      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
++      + CVE-2019-6471
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Fri, 21 Jun 2019 18:06:22 +0000
++
++bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
++
++  * SECURITY UPDATE: DoS via malformed packets
++    - debian/patches/CVE-2019-6471.patch: fix race condition in
++      lib/dns/dispatch.c.
++    - CVE-2019-6471
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Jun 2019 08:15:00 -0400
++
++bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++  * Dropped:
++    - SECURITY UPDATE: memory leak via specially crafted packet
++      + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
++        options in bin/named/client.c.
++      + CVE-2018-5744
++      [Fixed upstream in 9.11.5-P2]
++    - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
++      unsupported key algorithm when using managed-keys
++      + debian/patches/CVE-2018-5745.patch: properly handle situations when
++        the key tag cannot be computed in lib/dns/include/dst/dst.h,
++        lib/dns/zone.c.
++      + CVE-2018-5745
++      [Fixed upstream in 9.11.5-P2]
++    - SECURITY UPDATE: Controls for zone transfers may not be properly
++      applied to Dynamically Loadable Zones (DLZs) if the zones are writable
++      + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
++        the zone table as a DLZ zone bin/named/xfrout.c.
++      + CVE-2019-6465
++      [Fixed upstream in 9.11.5-P3]
++    - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
++      + debian/patches/CVE-2018-5743.patch: add reference counting in
++        bin/named/client.c, bin/named/include/named/client.h,
++        bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
++        lib/isc/include/isc/quota.h, lib/isc/quota.c,
++        lib/isc/win32/libisc.def.in.
++      + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
++        operations with isc_refcount reference counting in
++        bin/named/client.c, bin/named/include/named/interfacemgr.h,
++        bin/named/interfacemgr.c.
++      + debian/libisc1100.symbols: added new symbols.
++      + CVE-2018-5743
++      [Fixed in 1:9.11.5.P4+dfsg-4]
++    - d/rules: add back EdDSA support (LP #1825712)
++      [Fixed in 1:9.11.5.P4+dfsg-4]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 02 May 2019 13:35:59 -0300
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
++
++  * d/rules: add back EdDSA support (LP: #1825712)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Apr 2019 14:04:37 +0000
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
++
++  * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
++    - debian/patches/CVE-2018-5743.patch: add reference counting in
++      bin/named/client.c, bin/named/include/named/client.h,
++      bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
++      lib/isc/include/isc/quota.h, lib/isc/quota.c,
++      lib/isc/win32/libisc.def.in.
++    - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
++      operations with isc_refcount reference counting in
++      bin/named/client.c, bin/named/include/named/interfacemgr.h,
++      bin/named/interfacemgr.c.
++    - debian/libisc1100.symbols: added new symbols.
++    - CVE-2018-5743
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 24 Apr 2019 05:00:07 -0400
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
++
++  * SECURITY UPDATE: memory leak via specially crafted packet
++    - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
++      options in bin/named/client.c.
++    - CVE-2018-5744
++  * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
++    unsupported key algorithm when using managed-keys
++    - debian/patches/CVE-2018-5745.patch: properly handle situations when
++      the key tag cannot be computed in lib/dns/include/dst/dst.h,
++      lib/dns/zone.c.
++    - CVE-2018-5745
++  * SECURITY UPDATE: Controls for zone transfers may not be properly
++    applied to Dynamically Loadable Zones (DLZs) if the zones are writable
++    - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
++      the zone table as a DLZ zone bin/named/xfrout.c.
++    - CVE-2019-6465
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 22 Feb 2019 10:52:30 +0100
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Jan 2019 18:59:25 -0200
++
++bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++  * Dropped:
++    - SECURITY UPDATE: denial of service crash when deny-answer-aliases
++      option is used
++      + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
++        trigger a crash if deny-answer-aliases was set
++      + debian/patches/CVE-2018-5740-2.patch: add tests
++      + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
++        chainingp correctly, add test
++      + CVE-2018-5740
++        [Fixed in new upstream version 9.11.5]
++    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
++      line (Closes: #904983)
++      [Fixed in 1:9.11.4+dfsg-4]
++    - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
++      [Fixed in 1:9.11.4.P1+dfsg-1]
++    - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
++      (it depends on OpenSSL version) (Closes: #897643)
++      [Fixed in 1:9.11.4.P1+dfsg-1]
++  * Added:
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP: #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP: #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 13 Dec 2018 19:40:23 -0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
++
++  * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 29 Sep 2018 01:36:45 +0100
++
++bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
++
++  * SECURITY UPDATE: denial of service crash when deny-answer-aliases
++    option is used
++    - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
++      trigger a crash if deny-answer-aliases was set
++    - debian/patches/CVE-2018-5740-2.patch: add tests
++    - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
++      chainingp correctly, add test
++    - CVE-2018-5740
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Sep 2018 11:11:05 +0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
++
++  * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
++    (it depends on OpenSSL version) (Closes: #897643)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 18 Sep 2018 10:39:12 +0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
++
++  * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
++    crashing on startup. (LP: #1769440)
++
++ -- Karl Stenerud <karl.stenerud@canonical.com>  Thu, 30 Aug 2018 07:11:39 -0700
++
++bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++  * Added:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1102.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap
++    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
++      line (Closes: #904983)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 30 Jul 2018 10:56:04 -0300
++
++bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1777935). Remaining changes:
++    - Build without lmdb support as that package is in Universe
++  * Drop:
++    - SECURITY UPDATE: improperly permits recursive query service
++      + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
++        in bin/named/server.c.
++      + CVE-2018-5738
++      [Applied in Debian's 1:9.11.3+dfsg-2]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 20 Jun 2018 17:42:16 -0300
++
++bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
++
++  * SECURITY UPDATE: improperly permits recursive query service
++    - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
++      in bin/named/server.c.
++    - CVE-2018-5738
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 11 Jun 2018 09:41:51 -0400
++
++bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
++
++  * New upstream release. (LP: #1763572)
++    - fix a crash when configured with ipa-dns-install
++  * Merge from Debian unstable.  Remaining changes:
++    - Build without lmdb support as that package is in Universe
++
++ -- Timo Aaltonen <tjaalton@debian.org>  Fri, 13 Apr 2018 07:40:47 +0300
++
++bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
++
++  * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
++    DNS records in Microsoft AD using GSSAPI.  Thanks to Mark Andrews
++    <marka@isc.org>. (LP: #1755439)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 16 Mar 2018 09:38:46 -0300
++
++bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
++
++  * Fix apparmor profile filename (LP: #1754981)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 15 Mar 2018 10:06:57 -0300
++
++bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
++
++  * No change rebuild against openssl1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 12:14:22 +0000
++
++bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
++
++  * Build without lmdb support as that package is in Universe (LP: #1746296)
++    - d/control: remove Build-Depends on liblmdb-dev
++    - d/rules: configure --without-lmdb
++    - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
++      lmdb.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 30 Jan 2018 15:21:23 -0200
++
++bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1744930).
++  * Drop:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++      [fixed in 1:9.10.6+dfsg-4]
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++      [adopted in 1:9.10.6+dfsg-5]
++    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++      introduced with the CVE-2016-8864.patch and fixed in
++      CVE-2016-8864-regression.patch.
++      [applied upstream]
++    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++      regression (RT #44318) introduced with the CVE-2016-8864.patch
++      and fixed in CVE-2016-8864-regression2.patch.
++      [applied upstream]
++    - d/control, d/rules: add json support for the statistics channels.
++      (LP #1669193)
++      [adopted in 1:9.10.6+dfsg-5]
++  * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
++    listing the python ply module as a dependency (Closes: #888463)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Jan 2018 11:20:33 -0200
++
  bind9 (1:9.11.2.P1-1) unstable; urgency=medium
    * New upstream version 9.11.2-P1
@@ -549,6 +1296,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Fri, 06 Oct 2017 06:18:21 +0000
++bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1712920). Remaining changes:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++      introduced with the CVE-2016-8864.patch and fixed in
++      CVE-2016-8864-regression.patch.
++    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++      regression (RT #44318) introduced with the CVE-2016-8864.patch
++      and fixed in CVE-2016-8864-regression2.patch.
++    - d/control, d/rules: add json support for the statistics channels.
++      (LP #1669193)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 24 Aug 2017 18:28:00 -0300
++
++bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
++
++ -- Bernhard Schmidt <berni@debian.org>  Fri, 11 Aug 2017 19:10:07 +0200
++
++bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1701687). Remaining changes:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++  * Drop:
++    - SECURITY UPDATE: denial of service via assertion failure
++      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
++        lib/dns/message.c.
++      + CVE-2016-2776
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via class mismatch
++      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
++        records in lib/dns/resolver.c.
++      + CVE-2016-9131
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
++      + debian/patches/CVE-2016-9147.patch: fix logic when records are
++        returned without the requested data in lib/dns/resolver.c.
++      + CVE-2016-9147
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via unusually-formed DS record
++      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
++        lib/dns/message.c, lib/dns/resolver.c.
++      + CVE-2016-9444
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: regression in CVE-2016-8864
++      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
++        responses in lib/dns/resolver.c, added tests to
++        bin/tests/system/dname/ns2/example.db,
++        bin/tests/system/dname/tests.sh.
++      + No CVE number
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
++      a NULL pointer
++      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
++        combination in bin/named/query.c, lib/dns/message.c,
++        lib/dns/rdataset.c.
++      + CVE-2017-3135
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: regression in CVE-2016-8864
++      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
++        was still being cached when it should have been in lib/dns/resolver.c,
++        added tests to bin/tests/system/dname/ans3/ans.pl,
++        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
++      + No CVE number
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: Denial of Service due to an error handling
++      synthesized records when using DNS64 with "break-dnssec yes;"
++      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
++        called.
++      + CVE-2017-3136
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
++    - SECURITY UPDATE: Denial of Service due to resolver terminating when
++      processing a response packet containing a CNAME or DNAME
++      + debian/patches/CVE-2017-3137.patch: don't expect a specific
++        ordering of answer components; add testcases.
++      + CVE-2017-3137
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
++    - SECURITY UPDATE: Denial of Service when receiving a null command on
++      the control channel
++      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
++        command token is given; add testcase.
++      + CVE-2017-3138
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
++    - SECURITY UPDATE: TSIG authentication issues
++      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
++        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
++      + CVE-2017-3142
++      + CVE-2017-3143
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
++  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++    introduced with the CVE-2016-8864.patch and fixed in
++    CVE-2016-8864-regression.patch.
++  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++    regression (RT #44318) introduced with the CVE-2016-8864.patch
++    and fixed in CVE-2016-8864-regression2.patch.
++  * d/control, d/rules: add json support for the statistics channels.
++    (LP: #1669193)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 11 Aug 2017 17:12:09 -0300
++
++bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
++    signed TCP message sequences where not all the messages contain TSIG
++    records. These may be used in AXFR and IXFR responses.
++    (Closes: #868952)
++
++ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 21 Jul 2017 22:28:32 +0200
++
++bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
++
++  * Non-maintainer upload.
++
++  [ Yves-Alexis Perez ]
++  * debian/patches:
++    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
++      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
++      transfers. An attacker may be able to circumvent TSIG authentication of
++      AXFR and Notify requests.
++      CVE-2017-3143: error in TSIG authentication can permit unauthorized
++      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
++      signature for a dynamic update.
++      (Closes: #866564)
++
++ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 16 Jul 2017 22:13:21 +0200
++
  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
    [ Bernhard Schmidt ]
@@ -655,6 +1536,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
   -- Michael Gilbert <mgilbert@debian.org>  Thu, 19 Jan 2017 04:03:28 +0000
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
++
++  * SECURITY UPDATE: TSIG authentication issues
++    - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
++      lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
++    - CVE-2017-3142
++    - CVE-2017-3143
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 03 Jul 2017 09:48:13 -0400
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
++
++  * rules: Fix path to libsofthsm2.so. (LP: #1685780)
++
++ -- Timo Aaltonen <tjaalton@debian.org>  Mon, 24 Apr 2017 15:01:30 +0300
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Denial of Service due to an error handling
++    synthesized records when using DNS64 with "break-dnssec yes;"
++    - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
++      called.
++    - CVE-2017-3136
++  * SECURITY UPDATE: Denial of Service due to resolver terminating when
++    processing a response packet containing a CNAME or DNAME
++    - debian/patches/CVE-2017-3137.patch: don't expect a specific
++      ordering of answer components; add testcases.
++    - CVE-2017-3137
++  * SECURITY UPDATE: Denial of Service when receiving a null command on
++    the control channel
++    - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
++      command token is given; add testcase.
++    - CVE-2017-3138
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 12 Apr 2017 01:32:15 -0700
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
++
++  * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
++    a NULL pointer
++    - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
++      combination in bin/named/query.c, lib/dns/message.c,
++      lib/dns/rdataset.c.
++    - CVE-2017-3135
++  * SECURITY UPDATE: regression in CVE-2016-8864
++    - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
++      was still being cached when it should have been in lib/dns/resolver.c,
++      added tests to bin/tests/system/dname/ans3/ans.pl,
++      bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 15 Feb 2017 09:37:39 -0500
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
++
++  * SECURITY UPDATE: assertion failure via class mismatch
++    - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
++      records in lib/dns/resolver.c.
++    - CVE-2016-9131
++  * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
++    - debian/patches/CVE-2016-9147.patch: fix logic when records are
++      returned without the requested data in lib/dns/resolver.c.
++    - CVE-2016-9147
++  * SECURITY UPDATE: assertion failure via unusually-formed DS record
++    - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
++      lib/dns/message.c, lib/dns/resolver.c.
++    - CVE-2016-9444
++  * SECURITY UPDATE: regression in CVE-2016-8864
++    - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
++      responses in lib/dns/resolver.c, added tests to
++      bin/tests/system/dname/ns2/example.db,
++      bin/tests/system/dname/tests.sh.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jan 2017 09:28:10 -0500
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
++
++  * Add RemainAfterExit to bind9-resolvconf unit configuration file
++    (LP: #1536181).
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Tue, 15 Nov 2016 08:24:58 -0800
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
++
++  * SECURITY UPDATE: denial of service via assertion failure
++    - debian/patches/CVE-2016-2776.patch: properly handle lengths in
++      lib/dns/message.c.
++    - CVE-2016-2776
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 04 Oct 2016 14:31:17 -0400
++
  bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
    * Non-maintainer upload.
 diff --git a/debian/control b/debian/control
 index b6f7ecd..adf5ada 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,32 +1,31 @@
  Source: bind9
  Section: net
  Priority: optional
--Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
  Uploaders: Ondřej Surý <ondrej@debian.org>,
             Bernhard Schmidt <berni@debian.org>
  Build-Depends: bison,
                 debhelper-compat (= 12),
                 dh-apparmor,
++               dh-apport,
                 dh-exec,
                 dh-python,
                 libcap2-dev [linux-any],
                 libcmocka-dev,
                 libdb-dev,
                 libedit-dev,
--               libfstrm-dev,
                 libidn2-dev,
                 libjson-c-dev,
                 libkrb5-dev,
                 libldap2-dev,
                 liblmdb-dev,
                 libmaxminddb-dev (>= 1.3.0),
--               libprotobuf-c-dev,
                 libssl-dev,
                 libtool,
                 libuv1-dev,
                 libxml2-dev,
                 pkg-config,
--               protobuf-c-compiler,
                 python3,
                 python3-ply,
                 zlib1g-dev
 diff --git a/debian/rules b/debian/rules
 index 0fca88b..54ed8d6 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -29,7 +29,7 @@ SED_VERSION_EXTENSIONS := \
  	sed -e 's,^EXTENSIONS=,EXTENSIONS="$$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$$(dpkg-vendor --query Vendor)",'
  %:
--	dh $@ --with python3
++	dh $@ --with python3,apport
  prepare_version_extensions:
  	if [ ! -f version.bak ]; then \
@@ -60,7 +60,7 @@ override_dh_auto_configure:
  		--with-openssl=/usr \
  		--with-gssapi=/usr \
  		--with-libidn2 \
--		--with-libjson-c \
++		--with-json-c \
  		--with-lmdb=/usr \
  		--with-gnu-ld \
  		--with-maxminddb \
@@ -69,7 +69,6 @@ override_dh_auto_configure:
  		--enable-rrl \
  		--enable-filter-aaaa \
  		--disable-native-pkcs11 \
--		--enable-dnstap \
  		$(EXTRA_FEATURES)
  override_dh_auto_build:
 diff --git a/debian/tests/control b/debian/tests/control
 index 3e952eb..35b7572 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -1,4 +1,4 @@
  Tests: simpletest
  Restrictions: needs-root, isolation-container
  Depends: bind9,
--         dnsutils
++         bind9-dnsutils
 diff --git a/debian/tests/simpletest b/debian/tests/simpletest
 index 468a7c5..34b0b25 100644
 --- a/debian/tests/simpletest
 +++ b/debian/tests/simpletest
@@ -10,10 +10,6 @@ setup() {
  run() {
  	# Make a query against a local zone
  	dig -x 127.0.0.1 @127.0.0.1
--
--	# Make a query against an external nameserver and check for DNSSEC validation
--	echo "Checking for DNSSEC validation status of internetsociety.org"
--	dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
+ }
  teardown() {

Ubuntubind9 package

Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind9166-merge into ubuntu/+source/bind9:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
bind9 package