Ubuntu
bind9 package

Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind-9166-3-merge into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack on 2020-09-15

Status:	Merged
Approved by:	Andreas Hasenack on 2020-09-16
Approved revision:	c031cd2b77032956bc2eb25f7fc35cb9e69a7c9b
Merge reported by:	Christian Ehrhardt 
Merged at revision:	c031cd2b77032956bc2eb25f7fc35cb9e69a7c9b
Proposed branch:	~ahasenack/ubuntu/+source/bind9:groovy-bind-9166-3-merge
Merge into:	ubuntu/+source/bind9:debian/sid
Diff against target:	1233 lines (+1052/-14) 8 files modified debian/NEWS (+24/-0) debian/bind9-dnsutils.install (+0/-2) debian/bind9.apport (+24/-0) debian/changelog (+998/-0) debian/control (+3/-4) debian/rules (+2/-3) debian/tests/control (+1/-1) debian/tests/simpletest (+0/-4)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Christian Ehrhardt  (community)	2020-09-15	Approve on 2020-09-16
Canonical Server	2020-09-15	Pending
Review via email: mp+390746@code.launchpad.net

Description of the change

Quick merge from debian to grab to assertion fixes from upstream, and a systemd service change to restart the daemon if it fails.

Of these, *maybe* the systemd change qualifies for an FFe? But I think not.

PPA with proposed and all arches enabled: https://launchpad.net/~ahasenack/+archive/ubuntu/bind-9116-3-merge (still building)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-15:

DEP passes, but it's really a simple test:

autopkgtest [11:33:13]: test simpletest: - - - - - - - - - - results - - - - - - - - - -
simpletest PASS
autopkgtest [11:33:14]: @@@@@@@@@@@@@@@@@@@@ summary
simpletest PASS

;)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-15:

To install from the ppa, you will have to enable proposed, as bind9 in the ppa built with the new glibc already.

A quick test is to run systemctl status bind9, then sudo kill <bind9-pid>, and run status again. The daemon from the previous package will remain dead, and the one from the new package will be automatically restarted.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

Actually just two changes:

4 * Add upstream patches to fix some rare conditions (Closes: #969448)
=> OK

7 * Set Restart=on-failure in systemd unit

There was unfortunately no bug referencedthat discussed this, but still so many other services do that and also systemd has rate limiting for restarts.
Bind9 is not known to fatally run into problems when restarted - and having it back up sounds good fur such a core service right.
This should be safe without FFe IMHO.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

    ++ - d/not-installed: list dnstap-read.1 manpage, which is being
    ++ installed by the makefile even when dnstap is disabled.
    ++ [Fixed upstream]

That must be disabled a bit longer then, since we didn't change upstream code right?
The build shows no complains about it anymore - so ok

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

The changelog looks good and
$ git range-diff pkg/import/1%9.16.6-2..pkg/upload/1%9.16.6-2ubuntu1 pkg/import/1%9.16.6-3..ahasenack/groovy-bind-9166-3-merge

Agrees on this being otherwise delta retained as-is.

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-16:

> Actually just two changes:
>
> 4 * Add upstream patches to fix some rare conditions (Closes: #969448)
> => OK
>
> 7 * Set Restart=on-failure in systemd unit
>
>
> There was unfortunately no bug referencedthat discussed this, but still so
> many other services do that and also systemd has rate limiting for restarts.
> Bind9 is not known to fatally run into problems when restarted - and having it
> back up sounds good fur such a core service right.
> This should be safe without FFe IMHO.

The restart was discussed in tha debian bug, actually. Since bind9 died because of the assertion error, they wondered if restart on-failure shouldn't be set by default:

"""
> It happened again. In the meantime I had added the line
>
> Restart=on-failure
>
> to the [Service] section of /lib/systemd/system/named.service, so the
> name server was automatically restarted.

I wonder whether we should just do this in general. Crashes can and do
happen, no software is error free.

Bernhard
"""

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-16:

> ++ - d/not-installed: list dnstap-read.1 manpage, which is being
> ++ installed by the makefile even when dnstap is disabled.
> ++ [Fixed upstream]
>
> That must be disabled a bit longer then, since we didn't change upstream code
> right?
> The build shows no complains about it anymore - so ok

I dropped d/not-installed in 1:9.16.6-2ubuntu1

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-16:

Tagging and uploading c031cd2b77032956bc2eb25f7fc35cb9e69a7c9b

$ git push pkg upload/1%9.16.6-3ubuntu1
Enumerating objects: 52, done.
Counting objects: 100% (52/52), done.
Delta compression using up to 4 threads
Compressing objects: 100% (40/40), done.
Writing objects: 100% (43/43), 12.91 KiB | 322.00 KiB/s, done.
Total 43 (delta 29), reused 6 (delta 3)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
* [new tag] upload/1%9.16.6-3ubuntu1 -> upload/1%9.16.6-3ubuntu1

$ dput ubuntu ../bind9_9.16.6-3ubuntu1_source.changes
Checking signature on .changes
gpg: ../bind9_9.16.6-3ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.16.6-3ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.16.6-3ubuntu1.dsc: done.
  Uploading bind9_9.16.6-3ubuntu1.debian.tar.xz: done.
  Uploading bind9_9.16.6-3ubuntu1_source.buildinfo: done.
  Uploading bind9_9.16.6-3ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-22:

merged
bind9 | 1:9.16.6-3ubuntu1 | groovy | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/NEWS b/debian/NEWS
 new file mode 100644
 index 0000000..c9348a4
 --- /dev/null
 +++ b/debian/NEWS
@@ -0,0 +1,24 @@
++bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
++
++  Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new
++  source package bind9-libs version 9.11 was created for that purpose,
++  providing only libraries and header files. The bind9 9.16.x packages do not
++  provide development libraries or headers. See commit
++  https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more
++  details. udebs used in the debian-installer are also being provided by
++  bind9-libs.
++
++  Another package which doesn't build with the newer bind9 package is
++  bind-dyndb-ldap. It will build using the libraries from bind9-libs, but
++  since this is a server plugin, it won't work with the newer server.
++
++  Native pkcs#11 support via softhsm2 is no longer being built for this
++  package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see
++  https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer
++  ships FreeIPA, and Debian also dropped the native pkcs#11 support.
++
++  There are no development libraries or header files in this bind9 9.16.x
++  packaging at the moment. This may change later, see
++  https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 22 Feb 2020 17:40:38 -0300
 diff --git a/debian/bind9-dnsutils.install b/debian/bind9-dnsutils.install
 index 90e4fba..5e6b7d9 100644
 --- a/debian/bind9-dnsutils.install
 +++ b/debian/bind9-dnsutils.install
@@ -1,12 +1,10 @@
  usr/bin/delv
  usr/bin/dig
--usr/bin/dnstap-read
  usr/bin/mdig
  usr/bin/nslookup
  usr/bin/nsupdate
  usr/share/man/man1/delv.1
  usr/share/man/man1/dig.1
--usr/share/man/man1/dnstap-read.1
  usr/share/man/man1/mdig.1
  usr/share/man/man1/nslookup.1
  usr/share/man/man1/nsupdate.1
 diff --git a/debian/bind9.apport b/debian/bind9.apport
 new file mode 100644
 index 0000000..b3baa8b
 --- /dev/null
 +++ b/debian/bind9.apport
@@ -0,0 +1,24 @@
++'''apport hook for bind9
++
++(c) 2010 Andres Rodriguez.
++Author: Andres Rodriguez <andreserl@ubuntu.com>
++
++This program is free software; you can redistribute it and/or modify it
++under the terms of the GNU General Public License as published by the
++Free Software Foundation; either version 2 of the License, or (at your
++option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
++the full text of the license.
++'''
++
++from apport.hookutils import *
++import re
++
++def add_info(report, ui):
++
++    # getting syslog stuff
++    report['SyslogBind9'] = recent_syslog(re.compile(r'named\['))
++
++    # Attaching related packages info
++    attach_related_packages(report, ['bind9utils', 'apparmor'])
++
++    attach_mac_events(report, '/usr/sbin/named')
 diff --git a/debian/changelog b/debian/changelog
 index 6abe704..d6c8a66 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,28 @@
++bind9 (1:9.16.6-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 15 Sep 2020 10:46:52 -0300
++
  bind9 (1:9.16.6-3) unstable; urgency=medium
    [ Ondřej Surý ]
@@ -8,6 +33,35 @@ bind9 (1:9.16.6-3) unstable; urgency=medium
   -- Bernhard Schmidt <berni@debian.org>  Tue, 15 Sep 2020 00:26:14 +0200
++bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - d/not-installed: list dnstap-read.1 manpage, which is being
++      installed by the makefile even when dnstap is disabled.
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 24 Aug 2020 10:57:08 -0300
++
  bind9 (1:9.16.6-2) unstable; urgency=medium
    * Move Build-Depends for documentation to Build-Depends-Indep, this
@@ -30,6 +84,51 @@ bind9 (1:9.16.5-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Thu, 16 Jul 2020 00:29:57 +0200
++bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium
++
++  * No change rebuild against new json-c ABI.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 28 Jul 2020 17:42:17 +0100
++
++bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
++      + debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
++        lib/ns/include/ns/client.h, lib/ns/xfrout.c.
++      + CVE-2020-8618
++      [Fixed upstream]
++    - SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
++      label was queried in a certain pattern
++      + debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
++      + CVE-2020-8619
++      [Fixed upstream]
++  * Added changes:
++    - d/not-installed: list dnstap-read.1 manpage, which is being
++      installed by the makefile even when dnstap is disabled.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Jul 2020 15:22:36 -0300
++
  bind9 (1:9.16.4-1) unstable; urgency=medium
    * New upstream version 9.16.4
@@ -37,12 +136,129 @@ bind9 (1:9.16.4-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Wed, 17 Jun 2020 09:27:29 +0200
++bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium
++
++  * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
++    - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
++      lib/ns/include/ns/client.h, lib/ns/xfrout.c.
++    - CVE-2020-8618
++  * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
++    label was queried in a certain pattern
++    - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
++    - CVE-2020-8619
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Jun 2020 08:29:47 -0400
++
++bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++  * Dropped:
++    - d/control: make bind9-dnsutils multi-arch foreign as another step
++      towards fixing LP #1864761
++      [The correct fix was to change the dep8 dependency to be on the real
++      package, and not the transitional one]
++    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++      performed when processing referrals
++      + debian/patches/CVE-2020-8616.patch: further limit the number of
++        queries that can be triggered from a request in lib/dns/adb.c,
++        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++      + CVE-2020-8616
++      [Fixed upstream]
++    - SECURITY UPDATE: A logic error in code which checks TSIG validity can
++      be used to trigger an assertion failure in tsig.c
++      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++        BADTIME response in lib/dns/tsig.c.
++      + CVE-2020-8617
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 02 Jun 2020 17:37:44 -0300
++
  bind9 (1:9.16.3-1) unstable; urgency=medium
    * New upstream version 9.16.3
   -- Ondřej Surý <ondrej@debian.org>  Tue, 19 May 2020 14:14:35 +0200
++bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/t/control: change the dep8 test dependency to be on the real
++      bind9-dnsutils package, and not the transitional one (LP #1864761)
++    - d/control: make bind9-dnsutils multi-arch foreign as another step
++      towards fixing LP #1864761
++    - d/rules: change deprecated --with-libjson-c configure argument to
++      --with-json-c
++    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++      performed when processing referrals
++      + debian/patches/CVE-2020-8616.patch: further limit the number of
++        queries that can be triggered from a request in lib/dns/adb.c,
++        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++      + CVE-2020-8616
++    - SECURITY UPDATE: A logic error in code which checks TSIG validity can
++      be used to trigger an assertion failure in tsig.c
++      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++        BADTIME response in lib/dns/tsig.c.
++      + CVE-2020-8617
++  * Dropped:
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++      [In 1:9.16.1-2]
++    - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
++      via libedit-dev (libreadline has a license conflict with bind)
++      [In 1:9.16.1-2]
++    - d/control: drop hardcoded python3 dependency
++      (LP #1856211, Closes #946643)
++      [In 1:9.16.1-2]
++    - d/extras/apparmor.d/usr.sbin.named:
++      + Add flags=(attach_disconnected) to AppArmor profile
++      + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
++        (Closes: #928398)
++      [In 1:9.16.1-2]
++    - d/rules: fix typo in the apparmor profile installation
++      [In 1:9.16.1-2]
++    - d/control: create transitional packages for dnsutils, bind9utils
++      [In 1:9.16.1-2]
++    - d/p/fix-rebinding-protection.patch: fix rebinding protection bug
++      when using forwarder setups (LP #1873046)
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 22 May 2020 09:52:13 -0300
++
  bind9 (1:9.16.2-3) unstable; urgency=medium
    [ Simon Deziel ]
@@ -93,6 +309,106 @@ bind9 (1:9.16.1-1) experimental; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Fri, 20 Mar 2020 13:59:34 +0100
++bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium
++
++  * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
++    performed when processing referrals
++    - debian/patches/CVE-2020-8616.patch: further limit the number of
++      queries that can be triggered from a request in lib/dns/adb.c,
++      lib/dns/include/dns/adb.h, lib/dns/resolver.c.
++    - CVE-2020-8616
++  * SECURITY UPDATE: A logic error in code which checks TSIG validity can
++    be used to trigger an assertion failure in tsig.c
++    - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
++      BADTIME response in lib/dns/tsig.c.
++    - CVE-2020-8617
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 19 May 2020 09:03:32 -0400
++
++bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
++
++  * d/p/fix-rebinding-protection.patch: fix rebinding protection bug
++    when using forwarder setups (LP: #1873046)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 15 Apr 2020 14:59:51 -0300
++
++bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium
++
++  * New upstream release: 19.16.1 (LP: #1868272)
++    - drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream
++    - drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream
++  * d/rules: change deprecated --with-libjson-c configure argument to
++    --with-json-c
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 24 Mar 2020 11:44:46 -0300
++
++bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium
++
++  * d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now
++    in main (LP: #1866875)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 16 Mar 2020 16:17:47 -0300
++
++bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium
++
++  * d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP
++    client quota limits (LP: #1866378)
++  * d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in
++    dns_client_addtrustedkey (LP: #1866384)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 06 Mar 2020 15:12:56 -0300
++
++bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium
++
++  * d/control: make bind9-dnsutils multi-arch foreign as another step
++    towards fixing LP: #1864761
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 20:19:40 -0300
++
++bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium
++
++  * d/t/control: change the dep8 test dependency to be on the real
++    bind9-dnsutils package, and not the transitional one (LP: #1864761)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 14:16:04 -0300
++
++bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++  * Added back from sid packaging:
++    - d/t/control, d/t/simpletest: bring back the dep8 test from
++      debian/sid, with our delta to not query external hosts
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++    - d/control: drop hardcoded python3 dependency
++      (LP #1856211, Closes #946643)
++    - d/extras/apparmor.d/usr.sbin.named:
++      + Add flags=(attach_disconnected) to AppArmor profile
++      + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
++        (Closes: #928398)
++    - d/rules: fix typo in the apparmor profile installation
++  * Added:
++    - d/control: create transitional packages for dnsutils, bind9utils
++    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
++    - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
++      via libedit-dev (libreadline has a license conflict with bind)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 24 Feb 2020 11:51:37 -0300
++
  bind9 (1:9.16.0-1) experimental; urgency=medium
    * Change the branch to 9.16
@@ -384,6 +700,462 @@ bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Wed, 24 Jan 2018 09:18:13 +0000
++bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++  * Dropped:
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++      [In 1:9.11.14+dfsg-2]
++    - d/control: drop hardcoded python3 dependency in bind9utils,
++      dh-python injects the correct one via ${python3:Depends}
++      (LP #1856211, Closes #946643)
++      [In 1:9.11.14+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 27 Jan 2020 11:47:26 -0300
++
++bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - use iproute2 instead of net-tools (LP #1850699):
++      + d/control: replace net-tools depends with iproute2
++      + d/bind9.init: use ip instead of ifconfig
++        [Updated to also check the exit status of the command]
++    - d/control: drop hardcoded python3 dependency in bind9utils,
++      dh-python injects the correct one via ${python3:Depends}
++      (LP #1856211, Closes: #946643)
++  * Dropped:
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++      [Fixed upstream in 9.11.6rc1]
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++      [Fixed upstream in 9.11.6rc1]
++    - SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
++      connection
++      + debian/patches/CVE-2019-6477.patch: limit number of clients in
++        bin/named/client.c, bin/named/include/named/client.h.
++      + CVE-2019-6477
++      [Fixed upstream in 9.11.13]
++  * Added:
++    - Add back apport:
++      + d/bind9.apport: add back old bind9 apport hook, but without calling
++        attach_conffiles() since that is already done by apport itself, with
++        confirmation from the user.
++      + d/control, d/rules: buil-depends on dh-apport and use it
++    - d/control, d/rules: go back to old geoip support, since
++      libmaxminddb (for GeoIP2) is in universe
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 15 Jan 2020 14:07:05 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium
++
++  * d/control: drop hardcoded python3 dependency in bind9utils,
++    dh-python injects the correct one via ${python3:Depends}
++    (LP: #1856211, Closes: #946643)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 12 Dec 2019 14:40:20 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium
++
++  * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
++    connection
++    - debian/patches/CVE-2019-6477.patch: limit number of clients in
++      bin/named/client.c, bin/named/include/named/client.h.
++    - CVE-2019-6477
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 Nov 2019 07:50:24 -0500
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium
++
++  * use iproute2 instead of net-tools (LP: #1850699):
++    - d/control: replace net-tools depends with iproute2
++    - d/bind9.init: use ip instead of ifconfig
++  * d/bind9.install, d/control, d/rules: re-enable lmdb, which is now
++    in main.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 08 Nov 2019 10:15:01 -0300
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium
++
++  * Rebuild against new libjson-c4.
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 29 Jun 2019 13:45:33 +0200
++
++bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++  * Dropped:
++    - SECURITY UPDATE: DoS via malformed packets
++      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
++      + CVE-2019-6471
++        [Fixed in 1:9.11.5.P4+dfsg-5.1]
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Thu, 27 Jun 2019 14:54:25 +0000
++
++bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++    - SECURITY UPDATE: DoS via malformed packets
++      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
++      + CVE-2019-6471
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Fri, 21 Jun 2019 18:06:22 +0000
++
++bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
++
++  * SECURITY UPDATE: DoS via malformed packets
++    - debian/patches/CVE-2019-6471.patch: fix race condition in
++      lib/dns/dispatch.c.
++    - CVE-2019-6471
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Jun 2019 08:15:00 -0400
++
++bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++  * Dropped:
++    - SECURITY UPDATE: memory leak via specially crafted packet
++      + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
++        options in bin/named/client.c.
++      + CVE-2018-5744
++      [Fixed upstream in 9.11.5-P2]
++    - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
++      unsupported key algorithm when using managed-keys
++      + debian/patches/CVE-2018-5745.patch: properly handle situations when
++        the key tag cannot be computed in lib/dns/include/dst/dst.h,
++        lib/dns/zone.c.
++      + CVE-2018-5745
++      [Fixed upstream in 9.11.5-P2]
++    - SECURITY UPDATE: Controls for zone transfers may not be properly
++      applied to Dynamically Loadable Zones (DLZs) if the zones are writable
++      + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
++        the zone table as a DLZ zone bin/named/xfrout.c.
++      + CVE-2019-6465
++      [Fixed upstream in 9.11.5-P3]
++    - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
++      + debian/patches/CVE-2018-5743.patch: add reference counting in
++        bin/named/client.c, bin/named/include/named/client.h,
++        bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
++        lib/isc/include/isc/quota.h, lib/isc/quota.c,
++        lib/isc/win32/libisc.def.in.
++      + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
++        operations with isc_refcount reference counting in
++        bin/named/client.c, bin/named/include/named/interfacemgr.h,
++        bin/named/interfacemgr.c.
++      + debian/libisc1100.symbols: added new symbols.
++      + CVE-2018-5743
++      [Fixed in 1:9.11.5.P4+dfsg-4]
++    - d/rules: add back EdDSA support (LP #1825712)
++      [Fixed in 1:9.11.5.P4+dfsg-4]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 02 May 2019 13:35:59 -0300
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
++
++  * d/rules: add back EdDSA support (LP: #1825712)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Apr 2019 14:04:37 +0000
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
++
++  * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
++    - debian/patches/CVE-2018-5743.patch: add reference counting in
++      bin/named/client.c, bin/named/include/named/client.h,
++      bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
++      lib/isc/include/isc/quota.h, lib/isc/quota.c,
++      lib/isc/win32/libisc.def.in.
++    - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
++      operations with isc_refcount reference counting in
++      bin/named/client.c, bin/named/include/named/interfacemgr.h,
++      bin/named/interfacemgr.c.
++    - debian/libisc1100.symbols: added new symbols.
++    - CVE-2018-5743
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 24 Apr 2019 05:00:07 -0400
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
++
++  * SECURITY UPDATE: memory leak via specially crafted packet
++    - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
++      options in bin/named/client.c.
++    - CVE-2018-5744
++  * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
++    unsupported key algorithm when using managed-keys
++    - debian/patches/CVE-2018-5745.patch: properly handle situations when
++      the key tag cannot be computed in lib/dns/include/dst/dst.h,
++      lib/dns/zone.c.
++    - CVE-2018-5745
++  * SECURITY UPDATE: Controls for zone transfers may not be properly
++    applied to Dynamically Loadable Zones (DLZs) if the zones are writable
++    - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
++      the zone table as a DLZ zone bin/named/xfrout.c.
++    - CVE-2019-6465
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 22 Feb 2019 10:52:30 +0100
++
++bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Jan 2019 18:59:25 -0200
++
++bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1104.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap nor install dnstap.proto
++  * Dropped:
++    - SECURITY UPDATE: denial of service crash when deny-answer-aliases
++      option is used
++      + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
++        trigger a crash if deny-answer-aliases was set
++      + debian/patches/CVE-2018-5740-2.patch: add tests
++      + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
++        chainingp correctly, add test
++      + CVE-2018-5740
++        [Fixed in new upstream version 9.11.5]
++    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
++      line (Closes: #904983)
++      [Fixed in 1:9.11.4+dfsg-4]
++    - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
++      [Fixed in 1:9.11.4.P1+dfsg-1]
++    - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
++      (it depends on OpenSSL version) (Closes: #897643)
++      [Fixed in 1:9.11.4.P1+dfsg-1]
++  * Added:
++    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
++      option (LP: #1804648)
++    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
++      close to a query timeout (LP: #1797926)
++    - d/t/simpletest: drop the internetsociety.org test as it requires
++      network egress access that is not available in the Ubuntu autopkgtest
++      farm.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 13 Dec 2018 19:40:23 -0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
++
++  * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 29 Sep 2018 01:36:45 +0100
++
++bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
++
++  * SECURITY UPDATE: denial of service crash when deny-answer-aliases
++    option is used
++    - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
++      trigger a crash if deny-answer-aliases was set
++    - debian/patches/CVE-2018-5740-2.patch: add tests
++    - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
++      chainingp correctly, add test
++    - CVE-2018-5740
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Sep 2018 11:11:05 +0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
++
++  * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
++    (it depends on OpenSSL version) (Closes: #897643)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 18 Sep 2018 10:39:12 +0200
++
++bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
++
++  * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
++    crashing on startup. (LP: #1769440)
++
++ -- Karl Stenerud <karl.stenerud@canonical.com>  Thu, 30 Aug 2018 07:11:39 -0700
++
++bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Build without lmdb support as that package is in Universe
++  * Added:
++    - Don't build dnstap as it depends on universe packages:
++      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
++        protobuf-c-compiler (universe packages)
++      + d/dnsutils.install: don't install dnstap
++      + d/libdns1102.symbols: don't include dnstap symbols
++      + d/rules: don't build dnstap
++    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
++      line (Closes: #904983)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 30 Jul 2018 10:56:04 -0300
++
++bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1777935). Remaining changes:
++    - Build without lmdb support as that package is in Universe
++  * Drop:
++    - SECURITY UPDATE: improperly permits recursive query service
++      + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
++        in bin/named/server.c.
++      + CVE-2018-5738
++      [Applied in Debian's 1:9.11.3+dfsg-2]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 20 Jun 2018 17:42:16 -0300
++
++bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
++
++  * SECURITY UPDATE: improperly permits recursive query service
++    - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
++      in bin/named/server.c.
++    - CVE-2018-5738
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 11 Jun 2018 09:41:51 -0400
++
++bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
++
++  * New upstream release. (LP: #1763572)
++    - fix a crash when configured with ipa-dns-install
++  * Merge from Debian unstable.  Remaining changes:
++    - Build without lmdb support as that package is in Universe
++
++ -- Timo Aaltonen <tjaalton@debian.org>  Fri, 13 Apr 2018 07:40:47 +0300
++
++bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
++
++  * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
++    DNS records in Microsoft AD using GSSAPI.  Thanks to Mark Andrews
++    <marka@isc.org>. (LP: #1755439)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 16 Mar 2018 09:38:46 -0300
++
++bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
++
++  * Fix apparmor profile filename (LP: #1754981)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 15 Mar 2018 10:06:57 -0300
++
++bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
++
++  * No change rebuild against openssl1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 12:14:22 +0000
++
++bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
++
++  * Build without lmdb support as that package is in Universe (LP: #1746296)
++    - d/control: remove Build-Depends on liblmdb-dev
++    - d/rules: configure --without-lmdb
++    - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
++      lmdb.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 30 Jan 2018 15:21:23 -0200
++
++bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1744930).
++  * Drop:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++      [fixed in 1:9.10.6+dfsg-4]
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++      [adopted in 1:9.10.6+dfsg-5]
++    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++      introduced with the CVE-2016-8864.patch and fixed in
++      CVE-2016-8864-regression.patch.
++      [applied upstream]
++    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++      regression (RT #44318) introduced with the CVE-2016-8864.patch
++      and fixed in CVE-2016-8864-regression2.patch.
++      [applied upstream]
++    - d/control, d/rules: add json support for the statistics channels.
++      (LP #1669193)
++      [adopted in 1:9.10.6+dfsg-5]
++  * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
++    listing the python ply module as a dependency (Closes: #888463)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Jan 2018 11:20:33 -0200
++
  bind9 (1:9.11.2.P1-1) unstable; urgency=medium
    * New upstream version 9.11.2-P1
@@ -559,6 +1331,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
   -- Ondřej Surý <ondrej@debian.org>  Fri, 06 Oct 2017 06:18:21 +0000
++bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1712920). Remaining changes:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++      introduced with the CVE-2016-8864.patch and fixed in
++      CVE-2016-8864-regression.patch.
++    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++      regression (RT #44318) introduced with the CVE-2016-8864.patch
++      and fixed in CVE-2016-8864-regression2.patch.
++    - d/control, d/rules: add json support for the statistics channels.
++      (LP #1669193)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 24 Aug 2017 18:28:00 -0300
++
++bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
++
++ -- Bernhard Schmidt <berni@debian.org>  Fri, 11 Aug 2017 19:10:07 +0200
++
++bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1701687). Remaining changes:
++    - Add RemainAfterExit to bind9-resolvconf unit configuration file
++      (LP #1536181).
++    - rules: Fix path to libsofthsm2.so. (LP #1685780)
++  * Drop:
++    - SECURITY UPDATE: denial of service via assertion failure
++      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
++        lib/dns/message.c.
++      + CVE-2016-2776
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via class mismatch
++      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
++        records in lib/dns/resolver.c.
++      + CVE-2016-9131
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
++      + debian/patches/CVE-2016-9147.patch: fix logic when records are
++        returned without the requested data in lib/dns/resolver.c.
++      + CVE-2016-9147
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: assertion failure via unusually-formed DS record
++      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
++        lib/dns/message.c, lib/dns/resolver.c.
++      + CVE-2016-9444
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
++    - SECURITY UPDATE: regression in CVE-2016-8864
++      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
++        responses in lib/dns/resolver.c, added tests to
++        bin/tests/system/dname/ns2/example.db,
++        bin/tests/system/dname/tests.sh.
++      + No CVE number
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
++      a NULL pointer
++      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
++        combination in bin/named/query.c, lib/dns/message.c,
++        lib/dns/rdataset.c.
++      + CVE-2017-3135
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: regression in CVE-2016-8864
++      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
++        was still being cached when it should have been in lib/dns/resolver.c,
++        added tests to bin/tests/system/dname/ans3/ans.pl,
++        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
++      + No CVE number
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
++    - SECURITY UPDATE: Denial of Service due to an error handling
++      synthesized records when using DNS64 with "break-dnssec yes;"
++      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
++        called.
++      + CVE-2017-3136
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
++    - SECURITY UPDATE: Denial of Service due to resolver terminating when
++      processing a response packet containing a CNAME or DNAME
++      + debian/patches/CVE-2017-3137.patch: don't expect a specific
++        ordering of answer components; add testcases.
++      + CVE-2017-3137
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
++    - SECURITY UPDATE: Denial of Service when receiving a null command on
++      the control channel
++      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
++        command token is given; add testcase.
++      + CVE-2017-3138
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
++    - SECURITY UPDATE: TSIG authentication issues
++      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
++        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
++      + CVE-2017-3142
++      + CVE-2017-3143
++      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
++  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
++    introduced with the CVE-2016-8864.patch and fixed in
++    CVE-2016-8864-regression.patch.
++  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
++    regression (RT #44318) introduced with the CVE-2016-8864.patch
++    and fixed in CVE-2016-8864-regression2.patch.
++  * d/control, d/rules: add json support for the statistics channels.
++    (LP: #1669193)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 11 Aug 2017 17:12:09 -0300
++
++bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
++
++  * Non-maintainer upload.
++  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
++    signed TCP message sequences where not all the messages contain TSIG
++    records. These may be used in AXFR and IXFR responses.
++    (Closes: #868952)
++
++ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 21 Jul 2017 22:28:32 +0200
++
++bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
++
++  * Non-maintainer upload.
++
++  [ Yves-Alexis Perez ]
++  * debian/patches:
++    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
++      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
++      transfers. An attacker may be able to circumvent TSIG authentication of
++      AXFR and Notify requests.
++      CVE-2017-3143: error in TSIG authentication can permit unauthorized
++      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
++      signature for a dynamic update.
++      (Closes: #866564)
++
++ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 16 Jul 2017 22:13:21 +0200
++
  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
    [ Bernhard Schmidt ]
@@ -665,6 +1571,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
   -- Michael Gilbert <mgilbert@debian.org>  Thu, 19 Jan 2017 04:03:28 +0000
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
++
++  * SECURITY UPDATE: TSIG authentication issues
++    - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
++      lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
++    - CVE-2017-3142
++    - CVE-2017-3143
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 03 Jul 2017 09:48:13 -0400
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
++
++  * rules: Fix path to libsofthsm2.so. (LP: #1685780)
++
++ -- Timo Aaltonen <tjaalton@debian.org>  Mon, 24 Apr 2017 15:01:30 +0300
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Denial of Service due to an error handling
++    synthesized records when using DNS64 with "break-dnssec yes;"
++    - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
++      called.
++    - CVE-2017-3136
++  * SECURITY UPDATE: Denial of Service due to resolver terminating when
++    processing a response packet containing a CNAME or DNAME
++    - debian/patches/CVE-2017-3137.patch: don't expect a specific
++      ordering of answer components; add testcases.
++    - CVE-2017-3137
++  * SECURITY UPDATE: Denial of Service when receiving a null command on
++    the control channel
++    - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
++      command token is given; add testcase.
++    - CVE-2017-3138
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 12 Apr 2017 01:32:15 -0700
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
++
++  * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
++    a NULL pointer
++    - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
++      combination in bin/named/query.c, lib/dns/message.c,
++      lib/dns/rdataset.c.
++    - CVE-2017-3135
++  * SECURITY UPDATE: regression in CVE-2016-8864
++    - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
++      was still being cached when it should have been in lib/dns/resolver.c,
++      added tests to bin/tests/system/dname/ans3/ans.pl,
++      bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 15 Feb 2017 09:37:39 -0500
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
++
++  * SECURITY UPDATE: assertion failure via class mismatch
++    - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
++      records in lib/dns/resolver.c.
++    - CVE-2016-9131
++  * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
++    - debian/patches/CVE-2016-9147.patch: fix logic when records are
++      returned without the requested data in lib/dns/resolver.c.
++    - CVE-2016-9147
++  * SECURITY UPDATE: assertion failure via unusually-formed DS record
++    - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
++      lib/dns/message.c, lib/dns/resolver.c.
++    - CVE-2016-9444
++  * SECURITY UPDATE: regression in CVE-2016-8864
++    - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
++      responses in lib/dns/resolver.c, added tests to
++      bin/tests/system/dname/ns2/example.db,
++      bin/tests/system/dname/tests.sh.
++    - No CVE number
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jan 2017 09:28:10 -0500
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
++
++  * Add RemainAfterExit to bind9-resolvconf unit configuration file
++    (LP: #1536181).
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Tue, 15 Nov 2016 08:24:58 -0800
++
++bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
++
++  * SECURITY UPDATE: denial of service via assertion failure
++    - debian/patches/CVE-2016-2776.patch: properly handle lengths in
++      lib/dns/message.c.
++    - CVE-2016-2776
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 04 Oct 2016 14:31:17 -0400
++
  bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
    * Non-maintainer upload.
 diff --git a/debian/control b/debian/control
 index b6f7ecd..adf5ada 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,32 +1,31 @@
  Source: bind9
  Section: net
  Priority: optional
--Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
  Uploaders: Ondřej Surý <ondrej@debian.org>,
             Bernhard Schmidt <berni@debian.org>
  Build-Depends: bison,
                 debhelper-compat (= 12),
                 dh-apparmor,
++               dh-apport,
                 dh-exec,
                 dh-python,
                 libcap2-dev [linux-any],
                 libcmocka-dev,
                 libdb-dev,
                 libedit-dev,
--               libfstrm-dev,
                 libidn2-dev,
                 libjson-c-dev,
                 libkrb5-dev,
                 libldap2-dev,
                 liblmdb-dev,
                 libmaxminddb-dev (>= 1.3.0),
--               libprotobuf-c-dev,
                 libssl-dev,
                 libtool,
                 libuv1-dev,
                 libxml2-dev,
                 pkg-config,
--               protobuf-c-compiler,
                 python3,
                 python3-ply,
                 zlib1g-dev
 diff --git a/debian/rules b/debian/rules
 index 0fca88b..54ed8d6 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -29,7 +29,7 @@ SED_VERSION_EXTENSIONS := \
  	sed -e 's,^EXTENSIONS=,EXTENSIONS="$$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$$(dpkg-vendor --query Vendor)",'
  %:
--	dh $@ --with python3
++	dh $@ --with python3,apport
  prepare_version_extensions:
  	if [ ! -f version.bak ]; then \
@@ -60,7 +60,7 @@ override_dh_auto_configure:
  		--with-openssl=/usr \
  		--with-gssapi=/usr \
  		--with-libidn2 \
--		--with-libjson-c \
++		--with-json-c \
  		--with-lmdb=/usr \
  		--with-gnu-ld \
  		--with-maxminddb \
@@ -69,7 +69,6 @@ override_dh_auto_configure:
  		--enable-rrl \
  		--enable-filter-aaaa \
  		--disable-native-pkcs11 \
--		--enable-dnstap \
  		$(EXTRA_FEATURES)
  override_dh_auto_build:
 diff --git a/debian/tests/control b/debian/tests/control
 index 3e952eb..35b7572 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -1,4 +1,4 @@
  Tests: simpletest
  Restrictions: needs-root, isolation-container
  Depends: bind9,
--         dnsutils
++         bind9-dnsutils
 diff --git a/debian/tests/simpletest b/debian/tests/simpletest
 index 468a7c5..34b0b25 100644
 --- a/debian/tests/simpletest
 +++ b/debian/tests/simpletest
@@ -10,10 +10,6 @@ setup() {
  run() {
  	# Make a query against a local zone
  	dig -x 127.0.0.1 @127.0.0.1
--
--	# Make a query against an external nameserver and check for DNSSEC validation
--	echo "Checking for DNSSEC validation status of internetsociety.org"
--	dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
+ }
  teardown() {

Ubuntubind9 package

Merge ~ahasenack/ubuntu/+source/bind9:groovy-bind-9166-3-merge into ubuntu/+source/bind9:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
bind9 package