lp:ubuntu/hardy-security/bind9

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/bind9
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

38. By Marc Deslauriers

* SECURITY UPDATE: denial of service via specific combinations of RDATA
  - bin/named/query.c: fix logic
  - Patch backported from 9.8.3-P4
  - CVE-2012-5166

37. By Marc Deslauriers

* SECURITY UPDATE: denial of service via large crafted resource record
  - check length in lib/dns/include/dns/rdata.h,
    lib/dns/{master,rdata,rdataslab}.c.
  - Patch backported from 9.6-ESV-R7-P3
  - CVE-2012-4244

36. By Marc Deslauriers

* SECURITY UPDATE: ghost domain names attack
  - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that
    of the old NS RRset when replacing it.
  - Patch backported from 9.6-ESV-R6.
  - CVE-2012-1033
* SECURITY UPDATE: denial of service via zero length rdata handling
  - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for
    duplicate rdata.
  - Patch backported from 9.6-ESV-R7-P1.
  - CVE-2012-1667

35. By Marc Deslauriers

* SECURITY UPDATE: denial of service via specially crafted packet
  - bin/named/query.c,lib/dns/rbtdb.c: correctly handle cache lookups
    that return RRSIG data associated with nonexistent records.
  - Patch backported from 9.4-ESV-R5-P1.
  - CVE-2011-4313

34. By Marc Deslauriers

* SECURITY UPDATE: denial of service via specially crafted packet
  - lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache,
    nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute
    flag to indicate negative-cache records rather than using rrtype 0.
  - Patch backported from 9.6-ESV-R4-P3.
  - CVE-2011-2464

33. By Marc Deslauriers

* SECURITY UPDATE: denial of service via multiple trust anchors for a
  single zone
  - lib/dns/validator.c: fix arguments to dns_keytable_findnextkeynode().
  - Upstream change 2869.
  - CVE-2010-3762
* SECURITY UPDATE: denial of service via off-by-one
  - lib/dns/ncache.c: correctly validate length.
  - Patch backported from 9.4-ESV-R4-P1.
  - CVE-2011-1910
* Added tests for previous security update to test suite and backport
  DNS_DBFIND_ADDITIONALOK so they work.

32. By Marc Deslauriers

* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
  same type
  - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale.
  - CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
  algorithm rollover
  - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
  - CVE-2010-3614

31. By Marc Deslauriers

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/include/dns/types.h,
    lib/dns/{resolver.c,validator.c}: further fixes backported from
    9.4.3-P5
  - CVE-2009-4022
* SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
  - bin/named/query.c, lib/dns/include/dns/types.h,
    lib/dns/{resolver.c,validator.c}: fixes backported from 9.4.3-P5
  - CVE-2010-0097

30. By Marc Deslauriers

* SECURITY UPDATE: incorrect cache update from additional section
  - bin/named/query.c, lib/dns/{include/dns/types.h,masterdump.c,
    rbtdb.c,resolver.c,validator.c}: handle the additional section
    properly. lib/dns/api, version: increment versions.
  - debian/*: increment to libdns36, add libdns35 metapackage so
    upgrade-manager won't hold the bind9 upgrade back.
  - CVE-2009-4022

29. By Kees Cook

* SECURITY UPDATE: server can exit on malicious update packet.
  - bin/named/update.c: backported upstream fix.
  - CVE-2009-0696

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/lucid/bind9
This branch contains Public information. Everyone can see this information.
