Merge ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge into ubuntu/+source/bind9:debian/sid
Status: | Merged |
---|---|
Approved by: | Andreas Hasenack |
Approved revision: | 250b74170dc6263037104e3be555696c69146418 |
Merge reported by: | Andreas Hasenack |
Merged at revision: | 250b74170dc6263037104e3be555696c69146418 |
Proposed branch: | ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge |
Merge into: | ubuntu/+source/bind9:debian/sid |
Diff against target: | 953 lines (+646/-83), 10 files modified |

Files modified:
- debian/bind9.install (+0/-2)
- debian/changelog (+574/-0)
- debian/control (+2/-5)
- debian/dnsutils.install (+0/-2)
- debian/libdns1104.symbols (+0/-66)
- debian/patches/enable-udp-in-host-command.diff (+26/-0)
- debian/patches/fix-shutdown-race.diff (+41/-0)
- debian/patches/series (+2/-0)
- debian/rules (+1/-4)
- debian/tests/simpletest (+0/-4)

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | | | Approve |
Canonical Server Core Reviewers | | | Pending |
Canonical Server | | | Pending |

Review via email: mp+369410@code.launchpad.net
Commit message
Description of the change
- 62ffcaf... by Rafael David Tinoco: reconstruct-changelog
Andreas Hasenack (ahasenack) wrote:
Tagged and uploaded:
$ git push pkg upload/
Enumerating objects: 56, done.
Counting objects: 100% (56/56), done.
Delta compression using up to 2 threads
Compressing objects: 100% (41/41), done.
Writing objects: 100% (44/44), 12.36 KiB | 744.00 KiB/s, done.
Total 44 (delta 30), reused 6 (delta 3)
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../bind9_
Checking signature on .changes
gpg: ../bind9_
Checking signature on .dsc
gpg: ../bind9_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Uploading bind9_9.
Successfully uploaded packages.
Andreas Hasenack (ahasenack) wrote:
This migrated already.
Preview Diff
1 | diff --git a/debian/bind9.install b/debian/bind9.install |
2 | index 26d595e..fd7f0f5 100644 |
3 | --- a/debian/bind9.install |
4 | +++ b/debian/bind9.install |
5 | @@ -16,7 +16,6 @@ usr/sbin/genrandom |
6 | usr/sbin/isc-hmac-fixup |
7 | usr/sbin/named |
8 | usr/sbin/named-journalprint |
9 | -usr/sbin/named-nzd2nzf |
10 | usr/sbin/named-pkcs11 |
11 | usr/sbin/nsec3hash |
12 | usr/sbin/tsig-keygen |
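Review bot: the removal of usr/sbin/named-nzd2nzf here (and of its man page in the next hunk) is not itemized in the new top changelog entry, which only says "Build without lmdb support as that package is in Universe"; the reason (the tool requires lmdb) is recorded only in the 1:9.11.2.P1-1ubuntu2 entry. Suggest listing the d/control, d/rules and d/bind9.install sub-items under that bullet, the way the dnstap bullet does, so the remaining delta can be audited from the top entry alone.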
13 | @@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8 |
14 | usr/share/man/man8/genrandom.8 |
15 | usr/share/man/man8/isc-hmac-fixup.8 |
16 | usr/share/man/man8/named-journalprint.8 |
17 | -usr/share/man/man8/named-nzd2nzf.8 |
18 | usr/share/man/man8/named.8 |
19 | usr/share/man/man8/nsec3hash.8 |
20 | usr/share/man/man8/tsig-keygen.8 |
21 | diff --git a/debian/changelog b/debian/changelog |
22 | index fb0505e..5bd1782 100644 |
23 | --- a/debian/changelog |
24 | +++ b/debian/changelog |
25 | @@ -1,3 +1,28 @@ |
26 | +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium |
27 | + |
28 | + * Merge with Debian unstable. Remaining changes: |
29 | + - Build without lmdb support as that package is in Universe |
30 | + - Don't build dnstap as it depends on universe packages: |
31 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
32 | + protobuf-c-compiler (universe packages) |
33 | + + d/dnsutils.install: don't install dnstap |
34 | + + d/libdns1104.symbols: don't include dnstap symbols |
35 | + + d/rules: don't build dnstap nor install dnstap.proto |
36 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
37 | + option (LP #1804648) |
38 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
39 | + close to a query timeout (LP #1797926) |
40 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
41 | + network egress access that is not available in the Ubuntu autopkgtest |
42 | + farm. |
43 | + * Dropped: |
44 | + - SECURITY UPDATE: DoS via malformed packets |
45 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
46 | + + CVE-2019-6471 |
47 | + [Fixed in 1:9.11.5.P4+dfsg-5.1] |
48 | + |
49 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 27 Jun 2019 14:54:25 +0000 |
50 | + |
51 | bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high |
52 | |
53 | * Non-maintainer upload. |
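Review bot: in the remaining-changes bullets of the new 1:9.11.5.P4+dfsg-5.1ubuntu1 entry the bug references are written "LP #1804648" and "LP #1797926" without the colon, while the 1:9.11.5+dfsg-1ubuntu1 entry that introduced the same two patches writes "LP: #1804648" and "LP: #1797926". If the colon is omitted on purpose so that this upload does not reference those bugs as fixed again, please say so in the merge description; otherwise make the two forms consistent.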
54 | @@ -6,6 +31,29 @@ bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high |
55 | |
56 | -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200 |
57 | |
58 | +bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium |
59 | + |
60 | + * Merge with Debian unstable. Remaining changes: |
61 | + - Build without lmdb support as that package is in Universe |
62 | + - Don't build dnstap as it depends on universe packages: |
63 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
64 | + protobuf-c-compiler (universe packages) |
65 | + + d/dnsutils.install: don't install dnstap |
66 | + + d/libdns1104.symbols: don't include dnstap symbols |
67 | + + d/rules: don't build dnstap nor install dnstap.proto |
68 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
69 | + option (LP #1804648) |
70 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
71 | + close to a query timeout (LP #1797926) |
72 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
73 | + network egress access that is not available in the Ubuntu autopkgtest |
74 | + farm. |
75 | + - SECURITY UPDATE: DoS via malformed packets |
76 | + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c |
77 | + + CVE-2019-6471 |
78 | + |
79 | + -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000 |
80 | + |
81 | bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium |
82 | |
83 | * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ. |
84 | @@ -13,6 +61,69 @@ bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium |
85 | |
86 | -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200 |
87 | |
88 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium |
89 | + |
90 | + * SECURITY UPDATE: DoS via malformed packets |
91 | + - debian/patches/CVE-2019-6471.patch: fix race condition in |
92 | + lib/dns/dispatch.c. |
93 | + - CVE-2019-6471 |
94 | + |
95 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400 |
96 | + |
97 | +bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium |
98 | + |
99 | + * Merge with Debian unstable. Remaining changes: |
100 | + - Build without lmdb support as that package is in Universe |
101 | + - Don't build dnstap as it depends on universe packages: |
102 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
103 | + protobuf-c-compiler (universe packages) |
104 | + + d/dnsutils.install: don't install dnstap |
105 | + + d/libdns1104.symbols: don't include dnstap symbols |
106 | + + d/rules: don't build dnstap nor install dnstap.proto |
107 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
108 | + option (LP #1804648) |
109 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
110 | + close to a query timeout (LP #1797926) |
111 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
112 | + network egress access that is not available in the Ubuntu autopkgtest |
113 | + farm. |
114 | + * Dropped: |
115 | + - SECURITY UPDATE: memory leak via specially crafted packet |
116 | + + debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
117 | + options in bin/named/client.c. |
118 | + + CVE-2018-5744 |
119 | + [Fixed upstream in 9.11.5-P2] |
120 | + - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
121 | + unsupported key algorithm when using managed-keys |
122 | + + debian/patches/CVE-2018-5745.patch: properly handle situations when |
123 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
124 | + lib/dns/zone.c. |
125 | + + CVE-2018-5745 |
126 | + [Fixed upstream in 9.11.5-P2] |
127 | + - SECURITY UPDATE: Controls for zone transfers may not be properly |
128 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
129 | + + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
130 | + the zone table as a DLZ zone bin/named/xfrout.c. |
131 | + + CVE-2019-6465 |
132 | + [Fixed upstream in 9.11.5-P3] |
133 | + - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
134 | + + debian/patches/CVE-2018-5743.patch: add reference counting in |
135 | + bin/named/client.c, bin/named/include/named/client.h, |
136 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
137 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
138 | + lib/isc/win32/libisc.def.in. |
139 | + + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
140 | + operations with isc_refcount reference counting in |
141 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
142 | + bin/named/interfacemgr.c. |
143 | + + debian/libisc1100.symbols: added new symbols. |
144 | + + CVE-2018-5743 |
145 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
146 | + - d/rules: add back EdDSA support (LP #1825712) |
147 | + [Fixed in 1:9.11.5.P4+dfsg-4] |
148 | + |
149 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300 |
150 | + |
151 | bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium |
152 | |
153 | [ Bernhard Schmidt ] |
154 | @@ -85,12 +196,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium |
155 | |
156 | -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100 |
157 | |
158 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium |
159 | + |
160 | + * d/rules: add back EdDSA support (LP: #1825712) |
161 | + |
162 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000 |
163 | + |
164 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium |
165 | + |
166 | + * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective |
167 | + - debian/patches/CVE-2018-5743.patch: add reference counting in |
168 | + bin/named/client.c, bin/named/include/named/client.h, |
169 | + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, |
170 | + lib/isc/include/isc/quota.h, lib/isc/quota.c, |
171 | + lib/isc/win32/libisc.def.in. |
172 | + - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic |
173 | + operations with isc_refcount reference counting in |
174 | + bin/named/client.c, bin/named/include/named/interfacemgr.h, |
175 | + bin/named/interfacemgr.c. |
176 | + - debian/libisc1100.symbols: added new symbols. |
177 | + - CVE-2018-5743 |
178 | + |
179 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400 |
180 | + |
181 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium |
182 | + |
183 | + * SECURITY UPDATE: memory leak via specially crafted packet |
184 | + - debian/patches/CVE-2018-5744.patch: silently drop additional keytag |
185 | + options in bin/named/client.c. |
186 | + - CVE-2018-5744 |
187 | + * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an |
188 | + unsupported key algorithm when using managed-keys |
189 | + - debian/patches/CVE-2018-5745.patch: properly handle situations when |
190 | + the key tag cannot be computed in lib/dns/include/dst/dst.h, |
191 | + lib/dns/zone.c. |
192 | + - CVE-2018-5745 |
193 | + * SECURITY UPDATE: Controls for zone transfers may not be properly |
194 | + applied to Dynamically Loadable Zones (DLZs) if the zones are writable |
195 | + - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in |
196 | + the zone table as a DLZ zone bin/named/xfrout.c. |
197 | + - CVE-2019-6465 |
198 | + |
199 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100 |
200 | + |
201 | +bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium |
202 | + |
203 | + * Merge with Debian unstable. Remaining changes: |
204 | + - Build without lmdb support as that package is in Universe |
205 | + - Don't build dnstap as it depends on universe packages: |
206 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
207 | + protobuf-c-compiler (universe packages) |
208 | + + d/dnsutils.install: don't install dnstap |
209 | + + d/libdns1104.symbols: don't include dnstap symbols |
210 | + + d/rules: don't build dnstap nor install dnstap.proto |
211 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
212 | + option (LP #1804648) |
213 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
214 | + close to a query timeout (LP #1797926) |
215 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
216 | + network egress access that is not available in the Ubuntu autopkgtest |
217 | + farm. |
218 | + |
219 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200 |
220 | + |
221 | bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium |
222 | |
223 | * New upstream version 9.11.5.P1+dfsg |
224 | |
225 | -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 |
226 | |
227 | +bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium |
228 | + |
229 | + * Merge with Debian unstable. Remaining changes: |
230 | + - Build without lmdb support as that package is in Universe |
231 | + - Don't build dnstap as it depends on universe packages: |
232 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
233 | + protobuf-c-compiler (universe packages) |
234 | + + d/dnsutils.install: don't install dnstap |
235 | + + d/libdns1104.symbols: don't include dnstap symbols |
236 | + + d/rules: don't build dnstap nor install dnstap.proto |
237 | + * Dropped: |
238 | + - SECURITY UPDATE: denial of service crash when deny-answer-aliases |
239 | + option is used |
240 | + + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
241 | + trigger a crash if deny-answer-aliases was set |
242 | + + debian/patches/CVE-2018-5740-2.patch: add tests |
243 | + + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
244 | + chainingp correctly, add test |
245 | + + CVE-2018-5740 |
246 | + [Fixed in new upstream version 9.11.5] |
247 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
248 | + line (Closes: #904983) |
249 | + [Fixed in 1:9.11.4+dfsg-4] |
250 | + - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) |
251 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
252 | + - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
253 | + (it depends on OpenSSL version) (Closes: #897643) |
254 | + [Fixed in 1:9.11.4.P1+dfsg-1] |
255 | + * Added: |
256 | + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line |
257 | + option (LP: #1804648) |
258 | + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted |
259 | + close to a query timeout (LP: #1797926) |
260 | + - d/t/simpletest: drop the internetsociety.org test as it requires |
261 | + network egress access that is not available in the Ubuntu autopkgtest |
262 | + farm. |
263 | + |
264 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200 |
265 | + |
266 | bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium |
267 | |
268 | * Use team+dns@tracker.debian.org as Maintainer address |
269 | @@ -152,6 +365,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium |
270 | |
271 | -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 |
272 | |
273 | +bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high |
274 | + |
275 | + * No change rebuild against openssl 1.1.1 with TLS 1.3 support. |
276 | + |
277 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100 |
278 | + |
279 | +bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium |
280 | + |
281 | + * SECURITY UPDATE: denial of service crash when deny-answer-aliases |
282 | + option is used |
283 | + - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could |
284 | + trigger a crash if deny-answer-aliases was set |
285 | + - debian/patches/CVE-2018-5740-2.patch: add tests |
286 | + - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set |
287 | + chainingp correctly, add test |
288 | + - CVE-2018-5740 |
289 | + |
290 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200 |
291 | + |
292 | +bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium |
293 | + |
294 | + * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol |
295 | + (it depends on OpenSSL version) (Closes: #897643) |
296 | + |
297 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200 |
298 | + |
299 | +bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium |
300 | + |
301 | + * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 |
302 | + crashing on startup. (LP: #1769440) |
303 | + |
304 | + -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700 |
305 | + |
306 | +bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium |
307 | + |
308 | + * Merge with Debian unstable. Remaining changes: |
309 | + - Build without lmdb support as that package is in Universe |
310 | + * Added: |
311 | + - Don't build dnstap as it depends on universe packages: |
312 | + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and |
313 | + protobuf-c-compiler (universe packages) |
314 | + + d/dnsutils.install: don't install dnstap |
315 | + + d/libdns1102.symbols: don't include dnstap symbols |
316 | + + d/rules: don't build dnstap |
317 | + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the |
318 | + line (Closes: #904983) |
319 | + |
320 | + -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300 |
321 | + |
322 | bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium |
323 | |
324 | * Enable IDN support for dig+host using libidn2 (Closes: #459010) |
325 | @@ -182,6 +444,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium |
326 | |
327 | -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 |
328 | |
329 | +bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium |
330 | + |
331 | + * Merge with Debian unstable (LP: #1777935). Remaining changes: |
332 | + - Build without lmdb support as that package is in Universe |
333 | + * Drop: |
334 | + - SECURITY UPDATE: improperly permits recursive query service |
335 | + + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
336 | + in bin/named/server.c. |
337 | + + CVE-2018-5738 |
338 | + [Applied in Debian's 1:9.11.3+dfsg-2] |
339 | + |
340 | + -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300 |
341 | + |
342 | bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
343 | |
344 | * [CVE-2018-5738]: Add upstream fix to close the default open recursion |
345 | @@ -190,6 +465,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium |
346 | |
347 | -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 |
348 | |
349 | +bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium |
350 | + |
351 | + * SECURITY UPDATE: improperly permits recursive query service |
352 | + - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling |
353 | + in bin/named/server.c. |
354 | + - CVE-2018-5738 |
355 | + |
356 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400 |
357 | + |
358 | +bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low |
359 | + |
360 | + * New upstream release. (LP: #1763572) |
361 | + - fix a crash when configured with ipa-dns-install |
362 | + * Merge from Debian unstable. Remaining changes: |
363 | + - Build without lmdb support as that package is in Universe |
364 | + |
365 | + -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300 |
366 | + |
367 | bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
368 | |
369 | [ Bernhard Schmidt ] |
370 | @@ -214,6 +507,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium |
371 | |
372 | -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 |
373 | |
374 | +bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium |
375 | + |
376 | + * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating |
377 | + DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews |
378 | + <marka@isc.org>. (LP: #1755439) |
379 | + |
380 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300 |
381 | + |
382 | +bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium |
383 | + |
384 | + * Fix apparmor profile filename (LP: #1754981) |
385 | + |
386 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300 |
387 | + |
388 | +bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high |
389 | + |
390 | + * No change rebuild against openssl1.1. |
391 | + |
392 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000 |
393 | + |
394 | +bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium |
395 | + |
396 | + * Build without lmdb support as that package is in Universe (LP: #1746296) |
397 | + - d/control: remove Build-Depends on liblmdb-dev |
398 | + - d/rules: configure --without-lmdb |
399 | + - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires |
400 | + lmdb. |
401 | + |
402 | + -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200 |
403 | + |
404 | +bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium |
405 | + |
406 | + * Merge with Debian unstable (LP: #1744930). |
407 | + * Drop: |
408 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
409 | + (LP #1536181). |
410 | + [fixed in 1:9.10.6+dfsg-4] |
411 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
412 | + [adopted in 1:9.10.6+dfsg-5] |
413 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
414 | + introduced with the CVE-2016-8864.patch and fixed in |
415 | + CVE-2016-8864-regression.patch. |
416 | + [applied upstream] |
417 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
418 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
419 | + and fixed in CVE-2016-8864-regression2.patch. |
420 | + [applied upstream] |
421 | + - d/control, d/rules: add json support for the statistics channels. |
422 | + (LP #1669193) |
423 | + [adopted in 1:9.10.6+dfsg-5] |
424 | + * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing |
425 | + listing the python ply module as a dependency (Closes: #888463) |
426 | + |
427 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200 |
428 | + |
429 | bind9 (1:9.11.2.P1-1) unstable; urgency=medium |
430 | |
431 | * New upstream version 9.11.2-P1 |
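Review bot: three deltas added in the bionic entries of this hunk, d/p/nsupdate-gssapi-fails-ad-45854.patch (1:9.11.2.P1-1ubuntu5), the apparmor profile filename fix (1:9.11.2.P1-1ubuntu4) and d/p/add-ply-dependency-to-python-scripts.patch (1:9.11.2.P1-1ubuntu1), never appear in a later "Remaining changes" or "Dropped" list; the next merge entry, 1:9.11.3+dfsg-1ubuntu1, lists only the lmdb change as remaining. These entries are already-published history and should stay as they are, but please confirm in the merge description that each of the three was absorbed upstream or by Debian, which is what the debian/patches/series diffstat (+2/-0) implies.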
432 | @@ -389,6 +737,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium |
433 | |
434 | -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 |
435 | |
436 | +bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium |
437 | + |
438 | + * Merge with Debian unstable (LP: #1712920). Remaining changes: |
439 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
440 | + (LP #1536181). |
441 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
442 | + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
443 | + introduced with the CVE-2016-8864.patch and fixed in |
444 | + CVE-2016-8864-regression.patch. |
445 | + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
446 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
447 | + and fixed in CVE-2016-8864-regression2.patch. |
448 | + - d/control, d/rules: add json support for the statistics channels. |
449 | + (LP #1669193) |
450 | + |
451 | + -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300 |
452 | + |
453 | +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium |
454 | + |
455 | + * Non-maintainer upload. |
456 | + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) |
457 | + |
458 | + -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 |
459 | + |
460 | +bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium |
461 | + |
462 | + * Merge with Debian unstable (LP: #1701687). Remaining changes: |
463 | + - Add RemainAfterExit to bind9-resolvconf unit configuration file |
464 | + (LP #1536181). |
465 | + - rules: Fix path to libsofthsm2.so. (LP #1685780) |
466 | + * Drop: |
467 | + - SECURITY UPDATE: denial of service via assertion failure |
468 | + + debian/patches/CVE-2016-2776.patch: properly handle lengths in |
469 | + lib/dns/message.c. |
470 | + + CVE-2016-2776 |
471 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
472 | + - SECURITY UPDATE: assertion failure via class mismatch |
473 | + + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
474 | + records in lib/dns/resolver.c. |
475 | + + CVE-2016-9131 |
476 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
477 | + - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
478 | + + debian/patches/CVE-2016-9147.patch: fix logic when records are |
479 | + returned without the requested data in lib/dns/resolver.c. |
480 | + + CVE-2016-9147 |
481 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
482 | + - SECURITY UPDATE: assertion failure via unusually-formed DS record |
483 | + + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
484 | + lib/dns/message.c, lib/dns/resolver.c. |
485 | + + CVE-2016-9444 |
486 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] |
487 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
488 | + + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
489 | + responses in lib/dns/resolver.c, added tests to |
490 | + bin/tests/system/dname/ns2/example.db, |
491 | + bin/tests/system/dname/tests.sh. |
492 | + + No CVE number |
493 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] |
494 | + - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
495 | + a NULL pointer |
496 | + + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
497 | + combination in bin/named/query.c, lib/dns/message.c, |
498 | + lib/dns/rdataset.c. |
499 | + + CVE-2017-3135 |
500 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
501 | + - SECURITY UPDATE: regression in CVE-2016-8864 |
502 | + + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
503 | + was still being cached when it should have been in lib/dns/resolver.c, |
504 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
505 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
506 | + + No CVE number |
507 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] |
508 | + - SECURITY UPDATE: Denial of Service due to an error handling |
509 | + synthesized records when using DNS64 with "break-dnssec yes;" |
510 | + + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
511 | + called. |
512 | + + CVE-2017-3136 |
513 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
514 | + - SECURITY UPDATE: Denial of Service due to resolver terminating when |
515 | + processing a response packet containing a CNAME or DNAME |
516 | + + debian/patches/CVE-2017-3137.patch: don't expect a specific |
517 | + ordering of answer components; add testcases. |
518 | + + CVE-2017-3137 |
519 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] |
520 | + - SECURITY UPDATE: Denial of Service when receiving a null command on |
521 | + the control channel |
522 | + + debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
523 | + command token is given; add testcase. |
524 | + + CVE-2017-3138 |
525 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] |
526 | + - SECURITY UPDATE: TSIG authentication issues |
527 | + + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
528 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
529 | + + CVE-2017-3142 |
530 | + + CVE-2017-3143 |
531 | + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] |
532 | + * d/p/CVE-2016-8864-regression-test.patch: tests for the regression |
533 | + introduced with the CVE-2016-8864.patch and fixed in |
534 | + CVE-2016-8864-regression.patch. |
535 | + * d/p/CVE-2016-8864-regression2-test.patch: tests for the second |
536 | + regression (RT #44318) introduced with the CVE-2016-8864.patch |
537 | + and fixed in CVE-2016-8864-regression2.patch. |
538 | + * d/control, d/rules: add json support for the statistics channels. |
539 | + (LP: #1669193) |
540 | + |
541 | + -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300 |
542 | + |
543 | +bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium |
544 | + |
545 | + * Non-maintainer upload. |
546 | + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG |
547 | + signed TCP message sequences where not all the messages contain TSIG |
548 | + records. These may be used in AXFR and IXFR responses. |
549 | + (Closes: #868952) |
550 | + |
551 | + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200 |
552 | + |
553 | +bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high |
554 | + |
555 | + * Non-maintainer upload. |
556 | + |
557 | + [ Yves-Alexis Perez ] |
558 | + * debian/patches: |
559 | + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses |
560 | + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone |
561 | + transfers. An attacker may be able to circumvent TSIG authentication of |
562 | + AXFR and Notify requests. |
563 | + CVE-2017-3143: error in TSIG authentication can permit unauthorized |
564 | + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) |
565 | + signature for a dynamic update. |
566 | + (Closes: #866564) |
567 | + |
568 | + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200 |
569 | + |
570 | bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium |
571 | |
572 | [ Bernhard Schmidt ] |
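Review bot: the TSIG item in the Drop list of 1:9.10.3.dfsg.P4-12.5ubuntu1 names the patch debian/patches/CVE-2017-3042,3043.patch, but the CVE ids listed under it are CVE-2017-3142 and CVE-2017-3143, and the Debian 1:9.10.3.dfsg.P4-12.4 entry in this same hunk calls its patch CVE-2017-3142+CVE-2017-3143. The same file name appears again in the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry in the following hunk, so it may be the name the file really had; if so keep it as a faithful record, and if it is a slip introduced while reconstructing the changelog, correct it, because a search for either CVE id will not match this file name.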
573 | @@ -495,6 +977,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium |
574 | |
575 | -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 |
576 | |
577 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium |
578 | + |
579 | + * SECURITY UPDATE: TSIG authentication issues |
580 | + - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in |
581 | + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. |
582 | + - CVE-2017-3142 |
583 | + - CVE-2017-3143 |
584 | + |
585 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400 |
586 | + |
587 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium |
588 | + |
589 | + * rules: Fix path to libsofthsm2.so. (LP: #1685780) |
590 | + |
591 | + -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300 |
592 | + |
593 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium |
594 | + |
595 | + * SECURITY UPDATE: Denial of Service due to an error handling |
596 | + synthesized records when using DNS64 with "break-dnssec yes;" |
597 | + - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() |
598 | + called. |
599 | + - CVE-2017-3136 |
600 | + * SECURITY UPDATE: Denial of Service due to resolver terminating when |
601 | + processing a response packet containing a CNAME or DNAME |
602 | + - debian/patches/CVE-2017-3137.patch: don't expect a specific |
603 | + ordering of answer components; add testcases. |
604 | + - CVE-2017-3137 |
605 | + * SECURITY UPDATE: Denial of Service when receiving a null command on |
606 | + the control channel |
607 | + - debian/patches/CVE-2017-3138.patch: don't throw an assert if no |
608 | + command token is given; add testcase. |
609 | + - CVE-2017-3138 |
610 | + |
611 | + -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700 |
612 | + |
613 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium |
614 | + |
615 | + * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing |
616 | + a NULL pointer |
617 | + - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz |
618 | + combination in bin/named/query.c, lib/dns/message.c, |
619 | + lib/dns/rdataset.c. |
620 | + - CVE-2017-3135 |
621 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
622 | + - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME |
623 | + was still being cached when it should have been in lib/dns/resolver.c, |
624 | + added tests to bin/tests/system/dname/ans3/ans.pl, |
625 | + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. |
626 | + - No CVE number |
627 | + |
628 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500 |
629 | + |
630 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium |
631 | + |
632 | + * SECURITY UPDATE: assertion failure via class mismatch |
633 | + - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY |
634 | + records in lib/dns/resolver.c. |
635 | + - CVE-2016-9131 |
636 | + * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information |
637 | + - debian/patches/CVE-2016-9147.patch: fix logic when records are |
638 | + returned without the requested data in lib/dns/resolver.c. |
639 | + - CVE-2016-9147 |
640 | + * SECURITY UPDATE: assertion failure via unusually-formed DS record |
641 | + - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in |
642 | + lib/dns/message.c, lib/dns/resolver.c. |
643 | + - CVE-2016-9444 |
644 | + * SECURITY UPDATE: regression in CVE-2016-8864 |
645 | + - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in |
646 | + responses in lib/dns/resolver.c, added tests to |
647 | + bin/tests/system/dname/ns2/example.db, |
648 | + bin/tests/system/dname/tests.sh. |
649 | + - No CVE number |
650 | + |
651 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500 |
652 | + |
653 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium |
654 | + |
655 | + * Add RemainAfterExit to bind9-resolvconf unit configuration file |
656 | + (LP: #1536181). |
657 | + |
658 | + -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800 |
659 | + |
660 | +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium |
661 | + |
662 | + * SECURITY UPDATE: denial of service via assertion failure |
663 | + - debian/patches/CVE-2016-2776.patch: properly handle lengths in |
664 | + lib/dns/message.c. |
665 | + - CVE-2016-2776 |
666 | + |
667 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400 |
668 | + |
669 | bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium |
670 | |
671 | * Non-maintainer upload. |
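Review bot: in the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry the patch file is named CVE-2017-3042,3043.patch, while the CVE lines under it list CVE-2017-3142 and CVE-2017-3143. If the file name is reproduced verbatim from the original upload, leave it, since this branch reconstructs the changelog. Otherwise correct it, so that a search of the changelog by CVE id also finds the entry by its patch name.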
672 | diff --git a/debian/control b/debian/control |
673 | index 73c2a17..3d7f03d 100644 |
674 | --- a/debian/control |
675 | +++ b/debian/control |
676 | @@ -1,7 +1,8 @@ |
677 | Source: bind9 |
678 | Section: net |
679 | Priority: optional |
680 | -Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
681 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
682 | +XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> |
683 | Uploaders: LaMont Jones <lamont@debian.org>, |
684 | Michael Gilbert <mgilbert@debian.org>, |
685 | Robie Basak <robie.basak@canonical.com>, |
686 | @@ -15,18 +16,14 @@ Build-Depends: bison, |
687 | dpkg-dev (>= 1.16.1~), |
688 | libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], |
689 | libdb-dev (>>4.6), |
690 | - libfstrm-dev, |
691 | libgeoip-dev (>= 1.4.6.dfsg-5), |
692 | libidn2-dev, |
693 | libjson-c-dev, |
694 | libkrb5-dev, |
695 | libldap2-dev, |
696 | - liblmdb-dev, |
697 | - libprotobuf-c-dev, |
698 | libssl-dev, |
699 | libtool, |
700 | libxml2-dev, |
701 | - protobuf-c-compiler, |
702 | python3, |
703 | python3-distutils, |
704 | python3-ply |
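Review bot: the Build-Depends hunk drops libfstrm-dev, liblmdb-dev, libprotobuf-c-dev and protobuf-c-compiler with no reason stated in debian/control itself. These line up with the removal of --enable-dnstap and the switch to --without-lmdb in debian/rules, so the newest changelog entry should list them together as one remaining Ubuntu delta, with the reason. That keeps the next merge from silently re-enabling or re-dropping them.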
705 | diff --git a/debian/dnsutils.install b/debian/dnsutils.install |
706 | index 90e4fba..5e6b7d9 100644 |
707 | --- a/debian/dnsutils.install |
708 | +++ b/debian/dnsutils.install |
709 | @@ -1,12 +1,10 @@ |
710 | usr/bin/delv |
711 | usr/bin/dig |
712 | -usr/bin/dnstap-read |
713 | usr/bin/mdig |
714 | usr/bin/nslookup |
715 | usr/bin/nsupdate |
716 | usr/share/man/man1/delv.1 |
717 | usr/share/man/man1/dig.1 |
718 | -usr/share/man/man1/dnstap-read.1 |
719 | usr/share/man/man1/mdig.1 |
720 | usr/share/man/man1/nslookup.1 |
721 | usr/share/man/man1/nsupdate.1 |
722 | diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols |
723 | index d7c98d4..7b6020e 100644 |
724 | --- a/debian/libdns1104.symbols |
725 | +++ b/debian/libdns1104.symbols |
726 | @@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# |
727 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
728 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
729 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
730 | - dns_dt_attach@Base 1:9.11.4.P1 |
731 | - dns_dt_close@Base 1:9.11.4.P1 |
732 | - dns_dt_create@Base 1:9.11.4.P1 |
733 | - dns_dt_datatotext@Base 1:9.11.4.P1 |
734 | - dns_dt_detach@Base 1:9.11.4.P1 |
735 | - dns_dt_getframe@Base 1:9.11.4.P1 |
736 | - dns_dt_getstats@Base 1:9.11.4.P1 |
737 | - dns_dt_open@Base 1:9.11.4.P1 |
738 | - dns_dt_parse@Base 1:9.11.4.P1 |
739 | - dns_dt_reopen@Base 1:9.11.4.P1 |
740 | - dns_dt_send@Base 1:9.11.4.P1 |
741 | - dns_dt_setidentity@Base 1:9.11.4.P1 |
742 | - dns_dt_setversion@Base 1:9.11.4.P1 |
743 | - dns_dt_shutdown@Base 1:9.11.4.P1 |
744 | - dns_dtdata_free@Base 1:9.11.4.P1 |
745 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
746 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
747 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
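Review bot: removing the dns_dt_* entries here (and the dnstap__* entries in the later hunks) leaves libdns1104 with the same package name and library versions (libdns.so.1104, libdns-pkcs11.so.1104) but a smaller exported symbol set than the target branch. Please state in the changelog that this follows from building without dnstap, and confirm that nothing built against these libraries references the removed symbols.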
748 | @@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER# |
749 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
750 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
751 | dns_zt_unmount@Base 1:9.11.3+dfsg |
752 | - dnstap__dnstap__descriptor@Base 1:9.11.4.P1 |
753 | - dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 |
754 | - dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 |
755 | - dnstap__dnstap__init@Base 1:9.11.4.P1 |
756 | - dnstap__dnstap__pack@Base 1:9.11.4.P1 |
757 | - dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 |
758 | - dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 |
759 | - dnstap__dnstap__unpack@Base 1:9.11.4.P1 |
760 | - dnstap__message__descriptor@Base 1:9.11.4.P1 |
761 | - dnstap__message__free_unpacked@Base 1:9.11.4.P1 |
762 | - dnstap__message__get_packed_size@Base 1:9.11.4.P1 |
763 | - dnstap__message__init@Base 1:9.11.4.P1 |
764 | - dnstap__message__pack@Base 1:9.11.4.P1 |
765 | - dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 |
766 | - dnstap__message__type__descriptor@Base 1:9.11.4.P1 |
767 | - dnstap__message__unpack@Base 1:9.11.4.P1 |
768 | - dnstap__socket_family__descriptor@Base 1:9.11.4.P1 |
769 | - dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 |
770 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
771 | dst__entropy_status@Base 1:9.11.3+dfsg |
772 | dst__gssapi_init@Base 1:9.11.3+dfsg |
773 | @@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER# |
774 | dns_dsdigest_format@Base 1:9.11.3+dfsg |
775 | dns_dsdigest_fromtext@Base 1:9.11.3+dfsg |
776 | dns_dsdigest_totext@Base 1:9.11.3+dfsg |
777 | - dns_dt_attach@Base 1:9.11.4.P1 |
778 | - dns_dt_close@Base 1:9.11.4.P1 |
779 | - dns_dt_create@Base 1:9.11.4.P1 |
780 | - dns_dt_datatotext@Base 1:9.11.4.P1 |
781 | - dns_dt_detach@Base 1:9.11.4.P1 |
782 | - dns_dt_getframe@Base 1:9.11.4.P1 |
783 | - dns_dt_getstats@Base 1:9.11.4.P1 |
784 | - dns_dt_open@Base 1:9.11.4.P1 |
785 | - dns_dt_parse@Base 1:9.11.4.P1 |
786 | - dns_dt_reopen@Base 1:9.11.4.P1 |
787 | - dns_dt_send@Base 1:9.11.4.P1 |
788 | - dns_dt_setidentity@Base 1:9.11.4.P1 |
789 | - dns_dt_setversion@Base 1:9.11.4.P1 |
790 | - dns_dt_shutdown@Base 1:9.11.4.P1 |
791 | - dns_dtdata_free@Base 1:9.11.4.P1 |
792 | dns_dumpctx_attach@Base 1:9.11.3+dfsg |
793 | dns_dumpctx_cancel@Base 1:9.11.3+dfsg |
794 | dns_dumpctx_db@Base 1:9.11.3+dfsg |
795 | @@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER# |
796 | dns_zt_setviewcommit@Base 1:9.11.3+dfsg |
797 | dns_zt_setviewrevert@Base 1:9.11.3+dfsg |
798 | dns_zt_unmount@Base 1:9.11.3+dfsg |
799 | - dnstap__dnstap__descriptor@Base 1:9.11.4.P1 |
800 | - dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1 |
801 | - dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1 |
802 | - dnstap__dnstap__init@Base 1:9.11.4.P1 |
803 | - dnstap__dnstap__pack@Base 1:9.11.4.P1 |
804 | - dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1 |
805 | - dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1 |
806 | - dnstap__dnstap__unpack@Base 1:9.11.4.P1 |
807 | - dnstap__message__descriptor@Base 1:9.11.4.P1 |
808 | - dnstap__message__free_unpacked@Base 1:9.11.4.P1 |
809 | - dnstap__message__get_packed_size@Base 1:9.11.4.P1 |
810 | - dnstap__message__init@Base 1:9.11.4.P1 |
811 | - dnstap__message__pack@Base 1:9.11.4.P1 |
812 | - dnstap__message__pack_to_buffer@Base 1:9.11.4.P1 |
813 | - dnstap__message__type__descriptor@Base 1:9.11.4.P1 |
814 | - dnstap__message__unpack@Base 1:9.11.4.P1 |
815 | - dnstap__socket_family__descriptor@Base 1:9.11.4.P1 |
816 | - dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1 |
817 | dst__entropy_getdata@Base 1:9.11.3+dfsg |
818 | dst__entropy_status@Base 1:9.11.3+dfsg |
819 | dst__gssapi_init@Base 1:9.11.3+dfsg |
820 | diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff |
821 | new file mode 100644 |
822 | index 0000000..5444ae7 |
823 | --- /dev/null |
824 | +++ b/debian/patches/enable-udp-in-host-command.diff |
825 | @@ -0,0 +1,26 @@ |
826 | +Description: Fix parsing of host(1)'s -U command line option |
827 | +Author: Andreas Hasenack <andreas@canonical.com> |
828 | +Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769 |
829 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648 |
830 | +Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935 |
831 | +Last-Update: 2018-12-06 |
832 | +--- |
833 | +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ |
834 | +--- a/bin/dig/host.c |
835 | ++++ b/bin/dig/host.c |
836 | +@@ -158,6 +158,7 @@ |
837 | + " -s a SERVFAIL response should stop query\n" |
838 | + " -t specifies the query type\n" |
839 | + " -T enables TCP/IP mode\n" |
840 | ++" -U enables UDP mode\n" |
841 | + " -v enables verbose output\n" |
842 | + " -V print version number and exit\n" |
843 | + " -w specifies to wait forever for a reply\n" |
844 | +@@ -657,6 +658,7 @@ |
845 | + case 'N': break; |
846 | + case 'R': break; |
847 | + case 'T': break; |
848 | ++ case 'U': break; |
849 | + case 'W': break; |
850 | + default: |
851 | + show_usage(); |
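Review bot: nothing in this branch exercises the option this patch fixes; the visible run() in debian/tests/simpletest only calls dig. A one-line host -U lookup against 127.0.0.1 in run() would catch a regression if the patch is dropped too early on a later merge. The Applied-Upstream field is present, which makes it clear when dropping it is safe.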
852 | diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff |
853 | new file mode 100644 |
854 | index 0000000..f10f51f |
855 | --- /dev/null |
856 | +++ b/debian/patches/fix-shutdown-race.diff |
857 | @@ -0,0 +1,41 @@ |
858 | +From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001 |
859 | +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> |
860 | +Date: Tue, 13 Nov 2018 13:50:47 +0100 |
861 | +Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c |
862 | + |
863 | +If a tool using the routines defined in bin/dig/dighost.c is sent an |
864 | +interruption signal around the time a connection timeout is scheduled to |
865 | +fire, connect_timeout() may be executed after destroy_libs() detaches |
866 | +from the global task (setting 'global_task' to NULL), which results in a |
867 | +crash upon a UDP retry due to bringup_timer() attempting to create a |
868 | +timer with 'task' set to NULL. Fix by preventing connect_timeout() from |
869 | +attempting a retry when shutdown is in progress. |
870 | + |
871 | +(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b) |
872 | + |
873 | +Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs |
874 | +Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599 |
875 | +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926 |
876 | +Last-Update: 2018-12-06 |
877 | + |
878 | +--- |
879 | + bin/dig/dighost.c | 5 +++++ |
880 | + 1 file changed, 5 insertions(+) |
881 | +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
882 | +index 39abb9d0fd..17e0328228 100644 |
883 | +--- a/bin/dig/dighost.c |
884 | ++++ b/bin/dig/dighost.c |
885 | +@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { |
886 | + |
887 | + INSIST(!free_now); |
888 | + |
889 | ++ if (cancel_now) { |
890 | ++ UNLOCK_LOOKUP; |
891 | ++ return; |
892 | ++ } |
893 | ++ |
894 | + if ((query != NULL) && (query->lookup->current_query != NULL) && |
895 | + ISC_LINK_LINKED(query->lookup->current_query, link) && |
896 | + (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { |
897 | +-- |
898 | +2.18.1 |
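Review bot: the new cancel_now branch in connect_timeout() returns right after UNLOCK_LOOKUP, but the context lines shown do not reveal whether the event has already been freed before INSIST(!free_now). Please confirm against the upstream commit that the early return does not leak it. The Subject line also says [PATCH 1/2] while debian/patches/series gains only this one file from that merge request, so the header should say whether 2/2 is not needed or is intentionally left out.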
899 | diff --git a/debian/patches/series b/debian/patches/series |
900 | index c303f7f..11e3421 100644 |
901 | --- a/debian/patches/series |
902 | +++ b/debian/patches/series |
903 | @@ -13,3 +13,5 @@ keymgr-dont-immediately-delete.diff |
904 | 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch |
905 | 0014-Disable-broken-Ed448-support.patch |
906 | 0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch |
907 | +enable-udp-in-host-command.diff |
908 | +fix-shutdown-race.diff |
909 | diff --git a/debian/rules b/debian/rules |
910 | index c8d745c..717ecb9 100755 |
911 | --- a/debian/rules |
912 | +++ b/debian/rules |
913 | @@ -91,7 +91,7 @@ override_dh_auto_configure: |
914 | --with-gssapi=/usr \ |
915 | --with-libidn2 \ |
916 | --with-libjson=/usr \ |
917 | - --with-lmdb=/usr \ |
918 | + --without-lmdb \ |
919 | --with-gnu-ld \ |
920 | --with-geoip=/usr \ |
921 | --with-atf=no \ |
922 | @@ -101,7 +101,6 @@ override_dh_auto_configure: |
923 | --enable-native-pkcs11 \ |
924 | --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \ |
925 | --with-randomdev=/dev/urandom \ |
926 | - --enable-dnstap \ |
927 | $(EXTRA_FEATURES) |
928 | dh_auto_configure -B build-udeb -- \ |
929 | --sysconfdir=/etc/bind \ |
930 | @@ -126,8 +125,6 @@ override_dh_auto_configure: |
931 | # no need to build these targets here |
932 | sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile |
933 | sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile |
934 | - cp lib/dns/dnstap.proto build/lib/dns |
935 | - cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11 |
936 | |
937 | override_dh_auto_build: |
938 | dh_auto_build -B build |
939 | diff --git a/debian/tests/simpletest b/debian/tests/simpletest |
940 | index 468a7c5..34b0b25 100755 |
941 | --- a/debian/tests/simpletest |
942 | +++ b/debian/tests/simpletest |
943 | @@ -10,10 +10,6 @@ setup() { |
944 | run() { |
945 | # Make a query against a local zone |
946 | dig -x 127.0.0.1 @127.0.0.1 |
947 | - |
948 | - # Make a query against an external nameserver and check for DNSSEC validation |
949 | - echo "Checking for DNSSEC validation status of internetsociety.org" |
950 | - dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' |
951 | } |
952 | |
953 | teardown() { |
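Review bot: with the dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' check removed, the visible part of run() no longer verifies DNSSEC validation at all, so a build or configuration regression that turns validation off would still pass the autopkgtest. If the removal is because the test needs an external nameserver, replace it with a check against a locally signed zone rather than dropping the coverage, and record the reason in the changelog.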
+1