Merge ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge into ubuntu/+source/bind9:debian/sid

Proposed by Rafael David Tinoco on 2019-06-27
Status: Merged
Approved by: Andreas Hasenack on 2019-06-27
Approved revision: 250b74170dc6263037104e3be555696c69146418
Merge reported by: Andreas Hasenack
Merged at revision: 250b74170dc6263037104e3be555696c69146418
Proposed branch: ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 953 lines (+646/-83)
10 files modified
debian/bind9.install (+0/-2)
debian/changelog (+574/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+2/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewer | Review Type | Date Requested | Status
Andreas Hasenack | | 2019-06-27 | Approve on 2019-06-27
Canonical Server Core Reviewers | | 2019-06-27 | Pending
Canonical Server Team | | 2019-06-27 | Pending
Review via email: mp+369410@code.launchpad.net
62ffcaf... by Rafael David Tinoco on 2019-06-27

reconstruct-changelog

Andreas Hasenack (ahasenack) wrote :

+1

review: Approve
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded:

$ git push pkg upload/1%9.11.5.P4+dfsg-5.1ubuntu1
Enumerating objects: 56, done.
Counting objects: 100% (56/56), done.
Delta compression using up to 2 threads
Compressing objects: 100% (41/41), done.
Writing objects: 100% (44/44), 12.36 KiB | 744.00 KiB/s, done.
Total 44 (delta 30), reused 6 (delta 3)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.11.5.P4+dfsg-5.1ubuntu1 -> upload/1%9.11.5.P4+dfsg-5.1ubuntu1

$ dput ubuntu ../bind9_9.11.5.P4+dfsg-5.1ubuntu1_source.changes
Checking signature on .changes
gpg: ../bind9_9.11.5.P4+dfsg-5.1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.11.5.P4+dfsg-5.1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.11.5.P4+dfsg-5.1ubuntu1.dsc: done.
  Uploading bind9_9.11.5.P4+dfsg.orig.tar.xz: done.
  Uploading bind9_9.11.5.P4+dfsg-5.1ubuntu1.debian.tar.xz: done.
  Uploading bind9_9.11.5.P4+dfsg-5.1ubuntu1_source.buildinfo: done.
  Uploading bind9_9.11.5.P4+dfsg-5.1ubuntu1_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote :

This migrated already.

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
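Review bot: the removal of usr/share/man/man8/named-nzd2nzf.8 here, together with usr/sbin/named-nzd2nzf in the hunk above, is not itemised in the new changelog entry, whose "Build without lmdb support as that package is in Universe" line has no per-file sub-items while the dnstap item does. The 1:9.11.2.P1-1ubuntu2 entry spelled it out as "d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires lmdb."; carrying those sub-items (d/control, d/rules, d/bind9.install) into "Remaining changes" would make the lmdb delta auditable at the next merge.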
21diff --git a/debian/changelog b/debian/changelog
22index fb0505e..5bd1782 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,28 @@
26+bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ - Don't build dnstap as it depends on universe packages:
31+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
32+ protobuf-c-compiler (universe packages)
33+ + d/dnsutils.install: don't install dnstap
34+ + d/libdns1104.symbols: don't include dnstap symbols
35+ + d/rules: don't build dnstap nor install dnstap.proto
36+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
37+ option (LP #1804648)
38+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
39+ close to a query timeout (LP #1797926)
40+ - d/t/simpletest: drop the internetsociety.org test as it requires
41+ network egress access that is not available in the Ubuntu autopkgtest
42+ farm.
43+ * Dropped:
44+ - SECURITY UPDATE: DoS via malformed packets
45+ + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
46+ + CVE-2019-6471
47+ [Fixed in 1:9.11.5.P4+dfsg-5.1]
48+
49+ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 27 Jun 2019 14:54:25 +0000
50+
51 bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
52
53 * Non-maintainer upload.
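Review bot: the "Dropped" item for d/p/CVE-2019-6471.patch relies on "[Fixed in 1:9.11.5.P4+dfsg-5.1]", but the context for the Debian 5.1 entry in this hunk stops at "Non-maintainer upload." and does not show which fix it carries. Before approving the drop, check that the 5.1 entry names CVE-2019-6471 and that its patch covers the same race in lib/dns/dispatch.c, so the DoS fix is not lost in the merge; the file list's debian/patches/series (+2/-0) matches the two Ubuntu patches kept under "Remaining changes".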
54@@ -6,6 +31,29 @@ bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
55
56 -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200
57
58+bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
59+
60+ * Merge with Debian unstable. Remaining changes:
61+ - Build without lmdb support as that package is in Universe
62+ - Don't build dnstap as it depends on universe packages:
63+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
64+ protobuf-c-compiler (universe packages)
65+ + d/dnsutils.install: don't install dnstap
66+ + d/libdns1104.symbols: don't include dnstap symbols
67+ + d/rules: don't build dnstap nor install dnstap.proto
68+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
69+ option (LP #1804648)
70+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
71+ close to a query timeout (LP #1797926)
72+ - d/t/simpletest: drop the internetsociety.org test as it requires
73+ network egress access that is not available in the Ubuntu autopkgtest
74+ farm.
75+ - SECURITY UPDATE: DoS via malformed packets
76+ + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
77+ + CVE-2019-6471
78+
79+ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000
80+
81 bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
82
83 * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
84@@ -13,6 +61,69 @@ bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
85
86 -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200
87
88+bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
89+
90+ * SECURITY UPDATE: DoS via malformed packets
91+ - debian/patches/CVE-2019-6471.patch: fix race condition in
92+ lib/dns/dispatch.c.
93+ - CVE-2019-6471
94+
95+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400
96+
97+bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
98+
99+ * Merge with Debian unstable. Remaining changes:
100+ - Build without lmdb support as that package is in Universe
101+ - Don't build dnstap as it depends on universe packages:
102+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
103+ protobuf-c-compiler (universe packages)
104+ + d/dnsutils.install: don't install dnstap
105+ + d/libdns1104.symbols: don't include dnstap symbols
106+ + d/rules: don't build dnstap nor install dnstap.proto
107+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
108+ option (LP #1804648)
109+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
110+ close to a query timeout (LP #1797926)
111+ - d/t/simpletest: drop the internetsociety.org test as it requires
112+ network egress access that is not available in the Ubuntu autopkgtest
113+ farm.
114+ * Dropped:
115+ - SECURITY UPDATE: memory leak via specially crafted packet
116+ + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
117+ options in bin/named/client.c.
118+ + CVE-2018-5744
119+ [Fixed upstream in 9.11.5-P2]
120+ - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
121+ unsupported key algorithm when using managed-keys
122+ + debian/patches/CVE-2018-5745.patch: properly handle situations when
123+ the key tag cannot be computed in lib/dns/include/dst/dst.h,
124+ lib/dns/zone.c.
125+ + CVE-2018-5745
126+ [Fixed upstream in 9.11.5-P2]
127+ - SECURITY UPDATE: Controls for zone transfers may not be properly
128+ applied to Dynamically Loadable Zones (DLZs) if the zones are writable
129+ + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
130+ the zone table as a DLZ zone bin/named/xfrout.c.
131+ + CVE-2019-6465
132+ [Fixed upstream in 9.11.5-P3]
133+ - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
134+ + debian/patches/CVE-2018-5743.patch: add reference counting in
135+ bin/named/client.c, bin/named/include/named/client.h,
136+ bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
137+ lib/isc/include/isc/quota.h, lib/isc/quota.c,
138+ lib/isc/win32/libisc.def.in.
139+ + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
140+ operations with isc_refcount reference counting in
141+ bin/named/client.c, bin/named/include/named/interfacemgr.h,
142+ bin/named/interfacemgr.c.
143+ + debian/libisc1100.symbols: added new symbols.
144+ + CVE-2018-5743
145+ [Fixed in 1:9.11.5.P4+dfsg-4]
146+ - d/rules: add back EdDSA support (LP #1825712)
147+ [Fixed in 1:9.11.5.P4+dfsg-4]
148+
149+ -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300
150+
151 bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
152
153 [ Bernhard Schmidt ]
154@@ -85,12 +196,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
155
156 -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100
157
158+bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
159+
160+ * d/rules: add back EdDSA support (LP: #1825712)
161+
162+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000
163+
164+bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
165+
166+ * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
167+ - debian/patches/CVE-2018-5743.patch: add reference counting in
168+ bin/named/client.c, bin/named/include/named/client.h,
169+ bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
170+ lib/isc/include/isc/quota.h, lib/isc/quota.c,
171+ lib/isc/win32/libisc.def.in.
172+ - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
173+ operations with isc_refcount reference counting in
174+ bin/named/client.c, bin/named/include/named/interfacemgr.h,
175+ bin/named/interfacemgr.c.
176+ - debian/libisc1100.symbols: added new symbols.
177+ - CVE-2018-5743
178+
179+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400
180+
181+bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
182+
183+ * SECURITY UPDATE: memory leak via specially crafted packet
184+ - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
185+ options in bin/named/client.c.
186+ - CVE-2018-5744
187+ * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
188+ unsupported key algorithm when using managed-keys
189+ - debian/patches/CVE-2018-5745.patch: properly handle situations when
190+ the key tag cannot be computed in lib/dns/include/dst/dst.h,
191+ lib/dns/zone.c.
192+ - CVE-2018-5745
193+ * SECURITY UPDATE: Controls for zone transfers may not be properly
194+ applied to Dynamically Loadable Zones (DLZs) if the zones are writable
195+ - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
196+ the zone table as a DLZ zone bin/named/xfrout.c.
197+ - CVE-2019-6465
198+
199+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100
200+
201+bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
202+
203+ * Merge with Debian unstable. Remaining changes:
204+ - Build without lmdb support as that package is in Universe
205+ - Don't build dnstap as it depends on universe packages:
206+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
207+ protobuf-c-compiler (universe packages)
208+ + d/dnsutils.install: don't install dnstap
209+ + d/libdns1104.symbols: don't include dnstap symbols
210+ + d/rules: don't build dnstap nor install dnstap.proto
211+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
212+ option (LP #1804648)
213+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
214+ close to a query timeout (LP #1797926)
215+ - d/t/simpletest: drop the internetsociety.org test as it requires
216+ network egress access that is not available in the Ubuntu autopkgtest
217+ farm.
218+
219+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200
220+
221 bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
222
223 * New upstream version 9.11.5.P1+dfsg
224
225 -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000
226
227+bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
228+
229+ * Merge with Debian unstable. Remaining changes:
230+ - Build without lmdb support as that package is in Universe
231+ - Don't build dnstap as it depends on universe packages:
232+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
233+ protobuf-c-compiler (universe packages)
234+ + d/dnsutils.install: don't install dnstap
235+ + d/libdns1104.symbols: don't include dnstap symbols
236+ + d/rules: don't build dnstap nor install dnstap.proto
237+ * Dropped:
238+ - SECURITY UPDATE: denial of service crash when deny-answer-aliases
239+ option is used
240+ + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
241+ trigger a crash if deny-answer-aliases was set
242+ + debian/patches/CVE-2018-5740-2.patch: add tests
243+ + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
244+ chainingp correctly, add test
245+ + CVE-2018-5740
246+ [Fixed in new upstream version 9.11.5]
247+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
248+ line (Closes: #904983)
249+ [Fixed in 1:9.11.4+dfsg-4]
250+ - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
251+ [Fixed in 1:9.11.4.P1+dfsg-1]
252+ - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
253+ (it depends on OpenSSL version) (Closes: #897643)
254+ [Fixed in 1:9.11.4.P1+dfsg-1]
255+ * Added:
256+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
257+ option (LP: #1804648)
258+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
259+ close to a query timeout (LP: #1797926)
260+ - d/t/simpletest: drop the internetsociety.org test as it requires
261+ network egress access that is not available in the Ubuntu autopkgtest
262+ farm.
263+
264+ -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
265+
266 bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
267
268 * Use team+dns@tracker.debian.org as Maintainer address
269@@ -152,6 +365,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
270
271 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
272
273+bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
274+
275+ * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
276+
277+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
278+
279+bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
280+
281+ * SECURITY UPDATE: denial of service crash when deny-answer-aliases
282+ option is used
283+ - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
284+ trigger a crash if deny-answer-aliases was set
285+ - debian/patches/CVE-2018-5740-2.patch: add tests
286+ - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
287+ chainingp correctly, add test
288+ - CVE-2018-5740
289+
290+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
291+
292+bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
293+
294+ * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
295+ (it depends on OpenSSL version) (Closes: #897643)
296+
297+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
298+
299+bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
300+
301+ * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
302+ crashing on startup. (LP: #1769440)
303+
304+ -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
305+
306+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
307+
308+ * Merge with Debian unstable. Remaining changes:
309+ - Build without lmdb support as that package is in Universe
310+ * Added:
311+ - Don't build dnstap as it depends on universe packages:
312+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
313+ protobuf-c-compiler (universe packages)
314+ + d/dnsutils.install: don't install dnstap
315+ + d/libdns1102.symbols: don't include dnstap symbols
316+ + d/rules: don't build dnstap
317+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
318+ line (Closes: #904983)
319+
320+ -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
321+
322 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
323
324 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
325@@ -182,6 +444,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
326
327 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
328
329+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
330+
331+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
332+ - Build without lmdb support as that package is in Universe
333+ * Drop:
334+ - SECURITY UPDATE: improperly permits recursive query service
335+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
336+ in bin/named/server.c.
337+ + CVE-2018-5738
338+ [Applied in Debian's 1:9.11.3+dfsg-2]
339+
340+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
341+
342 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
343
344 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
345@@ -190,6 +465,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
346
347 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
348
349+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
350+
351+ * SECURITY UPDATE: improperly permits recursive query service
352+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
353+ in bin/named/server.c.
354+ - CVE-2018-5738
355+
356+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
357+
358+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
359+
360+ * New upstream release. (LP: #1763572)
361+ - fix a crash when configured with ipa-dns-install
362+ * Merge from Debian unstable. Remaining changes:
363+ - Build without lmdb support as that package is in Universe
364+
365+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
366+
367 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
368
369 [ Bernhard Schmidt ]
370@@ -214,6 +507,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
371
372 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
373
374+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
375+
376+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
377+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
378+ <marka@isc.org>. (LP: #1755439)
379+
380+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
381+
382+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
383+
384+ * Fix apparmor profile filename (LP: #1754981)
385+
386+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
387+
388+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
389+
390+ * No change rebuild against openssl1.1.
391+
392+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
393+
394+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
395+
396+ * Build without lmdb support as that package is in Universe (LP: #1746296)
397+ - d/control: remove Build-Depends on liblmdb-dev
398+ - d/rules: configure --without-lmdb
399+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
400+ lmdb.
401+
402+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
403+
404+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
405+
406+ * Merge with Debian unstable (LP: #1744930).
407+ * Drop:
408+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
409+ (LP #1536181).
410+ [fixed in 1:9.10.6+dfsg-4]
411+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
412+ [adopted in 1:9.10.6+dfsg-5]
413+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
414+ introduced with the CVE-2016-8864.patch and fixed in
415+ CVE-2016-8864-regression.patch.
416+ [applied upstream]
417+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
418+ regression (RT #44318) introduced with the CVE-2016-8864.patch
419+ and fixed in CVE-2016-8864-regression2.patch.
420+ [applied upstream]
421+ - d/control, d/rules: add json support for the statistics channels.
422+ (LP #1669193)
423+ [adopted in 1:9.10.6+dfsg-5]
424+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
425+ listing the python ply module as a dependency (Closes: #888463)
426+
427+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
428+
429 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
430
431 * New upstream version 9.11.2-P1
432@@ -389,6 +737,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
433
434 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
435
436+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
437+
438+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
439+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
440+ (LP #1536181).
441+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
442+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
443+ introduced with the CVE-2016-8864.patch and fixed in
444+ CVE-2016-8864-regression.patch.
445+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
446+ regression (RT #44318) introduced with the CVE-2016-8864.patch
447+ and fixed in CVE-2016-8864-regression2.patch.
448+ - d/control, d/rules: add json support for the statistics channels.
449+ (LP #1669193)
450+
451+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
452+
453+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
454+
455+ * Non-maintainer upload.
456+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
457+
458+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
459+
460+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
461+
462+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
463+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
464+ (LP #1536181).
465+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
466+ * Drop:
467+ - SECURITY UPDATE: denial of service via assertion failure
468+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
469+ lib/dns/message.c.
470+ + CVE-2016-2776
471+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
472+ - SECURITY UPDATE: assertion failure via class mismatch
473+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
474+ records in lib/dns/resolver.c.
475+ + CVE-2016-9131
476+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
477+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
478+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
479+ returned without the requested data in lib/dns/resolver.c.
480+ + CVE-2016-9147
481+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
482+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
483+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
484+ lib/dns/message.c, lib/dns/resolver.c.
485+ + CVE-2016-9444
486+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
487+ - SECURITY UPDATE: regression in CVE-2016-8864
488+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
489+ responses in lib/dns/resolver.c, added tests to
490+ bin/tests/system/dname/ns2/example.db,
491+ bin/tests/system/dname/tests.sh.
492+ + No CVE number
493+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
494+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
495+ a NULL pointer
496+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
497+ combination in bin/named/query.c, lib/dns/message.c,
498+ lib/dns/rdataset.c.
499+ + CVE-2017-3135
500+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
501+ - SECURITY UPDATE: regression in CVE-2016-8864
502+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
503+ was still being cached when it should have been in lib/dns/resolver.c,
504+ added tests to bin/tests/system/dname/ans3/ans.pl,
505+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
506+ + No CVE number
507+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
508+ - SECURITY UPDATE: Denial of Service due to an error handling
509+ synthesized records when using DNS64 with "break-dnssec yes;"
510+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
511+ called.
512+ + CVE-2017-3136
513+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
514+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
515+ processing a response packet containing a CNAME or DNAME
516+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
517+ ordering of answer components; add testcases.
518+ + CVE-2017-3137
519+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
520+ - SECURITY UPDATE: Denial of Service when receiving a null command on
521+ the control channel
522+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
523+ command token is given; add testcase.
524+ + CVE-2017-3138
525+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
526+ - SECURITY UPDATE: TSIG authentication issues
527+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
528+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
529+ + CVE-2017-3142
530+ + CVE-2017-3143
531+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
532+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
533+ introduced with the CVE-2016-8864.patch and fixed in
534+ CVE-2016-8864-regression.patch.
535+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
536+ regression (RT #44318) introduced with the CVE-2016-8864.patch
537+ and fixed in CVE-2016-8864-regression2.patch.
538+ * d/control, d/rules: add json support for the statistics channels.
539+ (LP: #1669193)
540+
541+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
542+
543+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
544+
545+ * Non-maintainer upload.
546+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
547+ signed TCP message sequences where not all the messages contain TSIG
548+ records. These may be used in AXFR and IXFR responses.
549+ (Closes: #868952)
550+
551+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
552+
553+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
554+
555+ * Non-maintainer upload.
556+
557+ [ Yves-Alexis Perez ]
558+ * debian/patches:
559+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
560+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
561+ transfers. An attacker may be able to circumvent TSIG authentication of
562+ AXFR and Notify requests.
563+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
564+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
565+ signature for a dynamic update.
566+ (Closes: #866564)
567+
568+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
569+
570 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
571
572 [ Bernhard Schmidt ]
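Review bot: three of the entries added in this hunk are Debian uploads rather than Ubuntu delta: 1:9.10.3.dfsg.P4-12.6, 1:9.10.3.dfsg.P4-12.5 and 1:9.10.3.dfsg.P4-12.4 are all marked "unstable" yet appear as "+" lines against debian/sid. Confirm that the sid changelog really lacks them and that they arrive through the Ubuntu history restored by the reconstruct-changelog commit, since 12.4 and 12.5 are the entries that record the TSIG fix for CVE-2017-3142 and CVE-2017-3143 and the regression it caused.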
573@@ -495,6 +977,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
574
575 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
576
577+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
578+
579+ * SECURITY UPDATE: TSIG authentication issues
580+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
581+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
582+ - CVE-2017-3142
583+ - CVE-2017-3143
584+
585+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
586+
587+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
588+
589+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
590+
591+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
592+
593+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
594+
595+ * SECURITY UPDATE: Denial of Service due to an error handling
596+ synthesized records when using DNS64 with "break-dnssec yes;"
597+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
598+ called.
599+ - CVE-2017-3136
600+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
601+ processing a response packet containing a CNAME or DNAME
602+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
603+ ordering of answer components; add testcases.
604+ - CVE-2017-3137
605+ * SECURITY UPDATE: Denial of Service when receiving a null command on
606+ the control channel
607+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
608+ command token is given; add testcase.
609+ - CVE-2017-3138
610+
611+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
612+
613+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
614+
615+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
616+ a NULL pointer
617+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
618+ combination in bin/named/query.c, lib/dns/message.c,
619+ lib/dns/rdataset.c.
620+ - CVE-2017-3135
621+ * SECURITY UPDATE: regression in CVE-2016-8864
622+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
623+ was still being cached when it should have been in lib/dns/resolver.c,
624+ added tests to bin/tests/system/dname/ans3/ans.pl,
625+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
626+ - No CVE number
627+
628+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
629+
630+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
631+
632+ * SECURITY UPDATE: assertion failure via class mismatch
633+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
634+ records in lib/dns/resolver.c.
635+ - CVE-2016-9131
636+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
637+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
638+ returned without the requested data in lib/dns/resolver.c.
639+ - CVE-2016-9147
640+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
641+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
642+ lib/dns/message.c, lib/dns/resolver.c.
643+ - CVE-2016-9444
644+ * SECURITY UPDATE: regression in CVE-2016-8864
645+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
646+ responses in lib/dns/resolver.c, added tests to
647+ bin/tests/system/dname/ns2/example.db,
648+ bin/tests/system/dname/tests.sh.
649+ - No CVE number
650+
651+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
652+
653+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
654+
655+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
656+ (LP: #1536181).
657+
658+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
659+
660+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
661+
662+ * SECURITY UPDATE: denial of service via assertion failure
663+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
664+ lib/dns/message.c.
665+ - CVE-2016-2776
666+
667+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
668+
669 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
670
671 * Non-maintainer upload.
672diff --git a/debian/control b/debian/control
673index 73c2a17..3d7f03d 100644
674--- a/debian/control
675+++ b/debian/control
676@@ -1,7 +1,8 @@
677 Source: bind9
678 Section: net
679 Priority: optional
680-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
681+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
682+XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
683 Uploaders: LaMont Jones <lamont@debian.org>,
684 Michael Gilbert <mgilbert@debian.org>,
685 Robie Basak <robie.basak@canonical.com>,
686@@ -15,18 +16,14 @@ Build-Depends: bison,
687 dpkg-dev (>= 1.16.1~),
688 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
689 libdb-dev (>>4.6),
690- libfstrm-dev,
691 libgeoip-dev (>= 1.4.6.dfsg-5),
692 libidn2-dev,
693 libjson-c-dev,
694 libkrb5-dev,
695 libldap2-dev,
696- liblmdb-dev,
697- libprotobuf-c-dev,
698 libssl-dev,
699 libtool,
700 libxml2-dev,
701- protobuf-c-compiler,
702 python3,
703 python3-distutils,
704 python3-ply
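Review bot: The four Build-Depends dropped in this hunk (libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler for dnstap, liblmdb-dev for LMDB) remove features rather than packaging detail, and nothing in the hunk records why. Please make sure the top changelog entry lists each one under the remaining delta with its reason, so the next merge can tell whether the drop is still needed. The removal is at least consistent with the rest of the diff: debian/rules switches to --without-lmdb and drops --enable-dnstap, and dnstap-read leaves debian/dnsutils.install.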
705diff --git a/debian/dnsutils.install b/debian/dnsutils.install
706index 90e4fba..5e6b7d9 100644
707--- a/debian/dnsutils.install
708+++ b/debian/dnsutils.install
709@@ -1,12 +1,10 @@
710 usr/bin/delv
711 usr/bin/dig
712-usr/bin/dnstap-read
713 usr/bin/mdig
714 usr/bin/nslookup
715 usr/bin/nsupdate
716 usr/share/man/man1/delv.1
717 usr/share/man/man1/dig.1
718-usr/share/man/man1/dnstap-read.1
719 usr/share/man/man1/mdig.1
720 usr/share/man/man1/nslookup.1
721 usr/share/man/man1/nsupdate.1
722diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
723index d7c98d4..7b6020e 100644
724--- a/debian/libdns1104.symbols
725+++ b/debian/libdns1104.symbols
726@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
727 dns_dsdigest_format@Base 1:9.11.3+dfsg
728 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
729 dns_dsdigest_totext@Base 1:9.11.3+dfsg
730- dns_dt_attach@Base 1:9.11.4.P1
731- dns_dt_close@Base 1:9.11.4.P1
732- dns_dt_create@Base 1:9.11.4.P1
733- dns_dt_datatotext@Base 1:9.11.4.P1
734- dns_dt_detach@Base 1:9.11.4.P1
735- dns_dt_getframe@Base 1:9.11.4.P1
736- dns_dt_getstats@Base 1:9.11.4.P1
737- dns_dt_open@Base 1:9.11.4.P1
738- dns_dt_parse@Base 1:9.11.4.P1
739- dns_dt_reopen@Base 1:9.11.4.P1
740- dns_dt_send@Base 1:9.11.4.P1
741- dns_dt_setidentity@Base 1:9.11.4.P1
742- dns_dt_setversion@Base 1:9.11.4.P1
743- dns_dt_shutdown@Base 1:9.11.4.P1
744- dns_dtdata_free@Base 1:9.11.4.P1
745 dns_dumpctx_attach@Base 1:9.11.3+dfsg
746 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
747 dns_dumpctx_db@Base 1:9.11.3+dfsg
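Review bot: Deleting the dns_dt_* entries here (and the dnstap__* entries in the following hunks) means this build of libdns-pkcs11.so.1104 and libdns.so.1104 exports fewer symbols than a dnstap-enabled build under the same package name and SONAME. That follows from building without dnstap, but it is an ABI difference that should be stated: a binary linked against a build that has these symbols and uses them will not load against this one. A line in the changelog next to the dnstap drop would keep the symbols delta from being mistaken for an accidental removal at the next merge.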
748@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
749 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
750 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
751 dns_zt_unmount@Base 1:9.11.3+dfsg
752- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
753- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
754- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
755- dnstap__dnstap__init@Base 1:9.11.4.P1
756- dnstap__dnstap__pack@Base 1:9.11.4.P1
757- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
758- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
759- dnstap__dnstap__unpack@Base 1:9.11.4.P1
760- dnstap__message__descriptor@Base 1:9.11.4.P1
761- dnstap__message__free_unpacked@Base 1:9.11.4.P1
762- dnstap__message__get_packed_size@Base 1:9.11.4.P1
763- dnstap__message__init@Base 1:9.11.4.P1
764- dnstap__message__pack@Base 1:9.11.4.P1
765- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
766- dnstap__message__type__descriptor@Base 1:9.11.4.P1
767- dnstap__message__unpack@Base 1:9.11.4.P1
768- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
769- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
770 dst__entropy_getdata@Base 1:9.11.3+dfsg
771 dst__entropy_status@Base 1:9.11.3+dfsg
772 dst__gssapi_init@Base 1:9.11.3+dfsg
773@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
774 dns_dsdigest_format@Base 1:9.11.3+dfsg
775 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
776 dns_dsdigest_totext@Base 1:9.11.3+dfsg
777- dns_dt_attach@Base 1:9.11.4.P1
778- dns_dt_close@Base 1:9.11.4.P1
779- dns_dt_create@Base 1:9.11.4.P1
780- dns_dt_datatotext@Base 1:9.11.4.P1
781- dns_dt_detach@Base 1:9.11.4.P1
782- dns_dt_getframe@Base 1:9.11.4.P1
783- dns_dt_getstats@Base 1:9.11.4.P1
784- dns_dt_open@Base 1:9.11.4.P1
785- dns_dt_parse@Base 1:9.11.4.P1
786- dns_dt_reopen@Base 1:9.11.4.P1
787- dns_dt_send@Base 1:9.11.4.P1
788- dns_dt_setidentity@Base 1:9.11.4.P1
789- dns_dt_setversion@Base 1:9.11.4.P1
790- dns_dt_shutdown@Base 1:9.11.4.P1
791- dns_dtdata_free@Base 1:9.11.4.P1
792 dns_dumpctx_attach@Base 1:9.11.3+dfsg
793 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
794 dns_dumpctx_db@Base 1:9.11.3+dfsg
795@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
796 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
797 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
798 dns_zt_unmount@Base 1:9.11.3+dfsg
799- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
800- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
801- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
802- dnstap__dnstap__init@Base 1:9.11.4.P1
803- dnstap__dnstap__pack@Base 1:9.11.4.P1
804- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
805- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
806- dnstap__dnstap__unpack@Base 1:9.11.4.P1
807- dnstap__message__descriptor@Base 1:9.11.4.P1
808- dnstap__message__free_unpacked@Base 1:9.11.4.P1
809- dnstap__message__get_packed_size@Base 1:9.11.4.P1
810- dnstap__message__init@Base 1:9.11.4.P1
811- dnstap__message__pack@Base 1:9.11.4.P1
812- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
813- dnstap__message__type__descriptor@Base 1:9.11.4.P1
814- dnstap__message__unpack@Base 1:9.11.4.P1
815- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
816- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
817 dst__entropy_getdata@Base 1:9.11.3+dfsg
818 dst__entropy_status@Base 1:9.11.3+dfsg
819 dst__gssapi_init@Base 1:9.11.3+dfsg
820diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
821new file mode 100644
822index 0000000..5444ae7
823--- /dev/null
824+++ b/debian/patches/enable-udp-in-host-command.diff
825@@ -0,0 +1,26 @@
826+Description: Fix parsing of host(1)'s -U command line option
827+Author: Andreas Hasenack <andreas@canonical.com>
828+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
829+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
830+Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
831+Last-Update: 2018-12-06
832+---
833+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
834+--- a/bin/dig/host.c
835++++ b/bin/dig/host.c
836+@@ -158,6 +158,7 @@
837+ " -s a SERVFAIL response should stop query\n"
838+ " -t specifies the query type\n"
839+ " -T enables TCP/IP mode\n"
840++" -U enables UDP mode\n"
841+ " -v enables verbose output\n"
842+ " -V print version number and exit\n"
843+ " -w specifies to wait forever for a reply\n"
844+@@ -657,6 +658,7 @@
845+ case 'N': break;
846+ case 'R': break;
847+ case 'T': break;
848++ case 'U': break;
849+ case 'W': break;
850+ default:
851+ show_usage();
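Review bot: The embedded hunk at -657 only adds `case 'U': break;` to a switch whose default calls show_usage(), so the visible lines accept the flag but do not show where UDP mode is actually selected. Please confirm the option is acted on elsewhere in host.c (the Description says parsing is what was broken), and consider adding a `host -U` call to debian/tests/simpletest so the fix is exercised. Since Applied-Upstream is set, the header could also say which upstream release makes this patch droppable.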
852diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
853new file mode 100644
854index 0000000..f10f51f
855--- /dev/null
856+++ b/debian/patches/fix-shutdown-race.diff
857@@ -0,0 +1,41 @@
858+From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
859+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
860+Date: Tue, 13 Nov 2018 13:50:47 +0100
861+Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
862+
863+If a tool using the routines defined in bin/dig/dighost.c is sent an
864+interruption signal around the time a connection timeout is scheduled to
865+fire, connect_timeout() may be executed after destroy_libs() detaches
866+from the global task (setting 'global_task' to NULL), which results in a
867+crash upon a UDP retry due to bringup_timer() attempting to create a
868+timer with 'task' set to NULL. Fix by preventing connect_timeout() from
869+attempting a retry when shutdown is in progress.
870+
871+(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
872+
873+Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
874+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
875+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
876+Last-Update: 2018-12-06
877+
878+---
879+ bin/dig/dighost.c | 5 +++++
880+ 1 file changed, 5 insertions(+)
881+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
882+index 39abb9d0fd..17e0328228 100644
883+--- a/bin/dig/dighost.c
884++++ b/bin/dig/dighost.c
885+@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
886+
887+ INSIST(!free_now);
888+
889++ if (cancel_now) {
890++ UNLOCK_LOOKUP;
891++ return;
892++ }
893++
894+ if ((query != NULL) && (query->lookup->current_query != NULL) &&
895+ ISC_LINK_LINKED(query->lookup->current_query, link) &&
896+ (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
897+--
898+2.18.1
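Review bot: The Subject line says [PATCH 1/2], but only this one patch is added under debian/patches; please state in the header whether 2/2 from the same merge request is unrelated to the crash or was left out on purpose. On the code itself, the new `if (cancel_now)` early return unlocks and returns right after INSIST(!free_now), and the context lines do not show whether `event` has already been freed by that point, so check the full connect_timeout() to rule out a leak on the shutdown path.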
899diff --git a/debian/patches/series b/debian/patches/series
900index c303f7f..11e3421 100644
901--- a/debian/patches/series
902+++ b/debian/patches/series
903@@ -13,3 +13,5 @@ keymgr-dont-immediately-delete.diff
904 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
905 0014-Disable-broken-Ed448-support.patch
906 0015-move-item_out-test-inside-lock-in-dns_dispatch_getne.patch
907+enable-udp-in-host-command.diff
908+fix-shutdown-race.diff
909diff --git a/debian/rules b/debian/rules
910index c8d745c..717ecb9 100755
911--- a/debian/rules
912+++ b/debian/rules
913@@ -91,7 +91,7 @@ override_dh_auto_configure:
914 --with-gssapi=/usr \
915 --with-libidn2 \
916 --with-libjson=/usr \
917- --with-lmdb=/usr \
918+ --without-lmdb \
919 --with-gnu-ld \
920 --with-geoip=/usr \
921 --with-atf=no \
922@@ -101,7 +101,6 @@ override_dh_auto_configure:
923 --enable-native-pkcs11 \
924 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
925 --with-randomdev=/dev/urandom \
926- --enable-dnstap \
927 $(EXTRA_FEATURES)
928 dh_auto_configure -B build-udeb -- \
929 --sysconfdir=/etc/bind \
930@@ -126,8 +125,6 @@ override_dh_auto_configure:
931 # no need to build these targets here
932 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
933 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
934- cp lib/dns/dnstap.proto build/lib/dns
935- cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
936
937 override_dh_auto_build:
938 dh_auto_build -B build
939diff --git a/debian/tests/simpletest b/debian/tests/simpletest
940index 468a7c5..34b0b25 100755
941--- a/debian/tests/simpletest
942+++ b/debian/tests/simpletest
943@@ -10,10 +10,6 @@ setup() {
944 run() {
945 # Make a query against a local zone
946 dig -x 127.0.0.1 @127.0.0.1
947-
948- # Make a query against an external nameserver and check for DNSSEC validation
949- echo "Checking for DNSSEC validation status of internetsociety.org"
950- dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
951 }
952
953 teardown() {
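Review bot: Removing the internetsociety.org query from run() leaves this test with no check that named performs DNSSEC validation; the only remaining query is the reverse lookup of 127.0.0.1. If the reason is that the test bed has no external network access, a locally signed test zone with a configured trust anchor would keep the check for the `ad` flag without depending on an outside nameserver. As it stands, a packaging change that silently turns validation off would pass this test.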
