-
5c31639...
by
Salvatore Bonaccorso
on 2018-01-15
-
Import patches-applied version 1:9.9.5.dfsg-9+deb8u15 to applied/debian/jessie
Imported using git-ubuntu import.
Changelog parent: f96568ecd9b4819f3ac1f0a4e451b8f2973b5191
Unapplied parent: 5e8d11342406507af33697c7b59f65547d11dfbb
New changelog entries:
* Non-maintainer upload by the Security Team.
* Addresses could be referenced after being freed in resolver.c, causing an
assertion failure. (CVE-2017-3145)
-
5e8d113...
by
Salvatore Bonaccorso
on 2018-01-15
-
Import patches-unapplied version 1:9.9.5.dfsg-9+deb8u15 to debian/jessie
Imported using git-ubuntu import.
Changelog parent: 05aeb72e8f361d6c3356d0c3b873887eafe9890f
New changelog entries:
* Non-maintainer upload by the Security Team.
* Addresses could be referenced after being freed in resolver.c, causing an
assertion failure. (CVE-2017-3145)
-
f96568e...
by
Ondřej Surý
on 2017-08-28
-
Import patches-applied version 1:9.9.5.dfsg-9+deb8u14 to applied/debian/jessie
Imported using git-ubuntu import.
Changelog parent: 4b73d21975c3933dd219a7b33caae0654b11f463
Unapplied parent: 05aeb72e8f361d6c3356d0c3b873887eafe9890f
New changelog entries:
[ Bernhard Schmidt ]
* Import upcoming DNSSEC KSK-2017 from 9.10.5
[ Ondřej Surý ]
* Non-maintainer upload.
* Non-maintainer upload by the Security Team.
* Add patch to fix regression introduced by patch for CVE-2017-3042.
closes: #868952
-
05aeb72...
by
Ondřej Surý
on 2017-08-28
-
Import patches-unapplied version 1:9.9.5.dfsg-9+deb8u14 to debian/jessie
Imported using git-ubuntu import.
Changelog parent: b64fbad6583af4374de7adeebdd87162ae8c8080
New changelog entries:
[ Bernhard Schmidt ]
* Import upcoming DNSSEC KSK-2017 from 9.10.5
[ Ondřej Surý ]
* Non-maintainer upload.
* Non-maintainer upload by the Security Team.
* Add patch to fix regression introduced by patch for CVE-2017-3042.
closes: #868952
-
4b73d21...
by
Yves-Alexis Perez
on 2017-06-30
-
Import patches-applied version 1:9.9.5.dfsg-9+deb8u12 to applied/debian/jessie
Imported using git-ubuntu import.
Changelog parent: cb2c64ea4866322eff82a42752172ce4e3886f17
Unapplied parent: b64fbad6583af4374de7adeebdd87162ae8c8080
New changelog entries:
* Non-maintainer upload by the Security Team.
* Add patch to fix CVE-2017-3042 and CVE-2017-3043
CVE-2017-3042: error in TSIG authentication can permit unauthorized zone
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-2017-3043: error in TSIG authentication can permit unauthorized
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
* Non-maintainer upload by the Security Team.
* Dns64 with "break-dnssec yes;" can result in a assertion failure.
(CVE-2017-3136) (Closes: #860224)
* Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
If not cherry-picking this change the fix for CVE-2017-3137 can cause an
assertion failure to appear in name.c.
* Some chaining (CNAME or DNAME) responses to upstream queries could trigger
assertion failures (CVE-2017-3137) (Closes: #860225)
* Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
could trigger assertion failures. (CVE-2017-3137)
* Fix regression introduced when handling CNAME to referral below the
current domain
* 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)
(Closes: #860226)
-
b64fbad...
by
Yves-Alexis Perez
on 2017-06-30
-
Import patches-unapplied version 1:9.9.5.dfsg-9+deb8u12 to debian/jessie
Imported using git-ubuntu import.
Changelog parent: 3efb040483086f45ca4e332c856e06755b522153
New changelog entries:
* Non-maintainer upload by the Security Team.
* Add patch to fix CVE-2017-3042 and CVE-2017-3043
CVE-2017-3042: error in TSIG authentication can permit unauthorized zone
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-2017-3043: error in TSIG authentication can permit unauthorized
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
* Non-maintainer upload by the Security Team.
* Dns64 with "break-dnssec yes;" can result in a assertion failure.
(CVE-2017-3136) (Closes: #860224)
* Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
If not cherry-picking this change the fix for CVE-2017-3137 can cause an
assertion failure to appear in name.c.
* Some chaining (CNAME or DNAME) responses to upstream queries could trigger
assertion failures (CVE-2017-3137) (Closes: #860225)
* Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
could trigger assertion failures. (CVE-2017-3137)
* Fix regression introduced when handling CNAME to referral below the
current domain
* 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)
(Closes: #860226)
-
cb2c64e...
by
Michael Gilbert <email address hidden>
on 2017-02-26
-
Import patches-applied version 1:9.9.5.dfsg-9+deb8u10 to applied/debian/jessie
Imported using git-ubuntu import.
Changelog parent: ad9062c4f370b28e4838a1e96980f9846ff0b433
Unapplied parent: 3efb040483086f45ca4e332c856e06755b522153
New changelog entries:
* Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
* Fix CVE-2017-3135: a malicously crafted query can cause named to crash if
both DNS64 and RPZ are being used (closes: #855520).
* Apply patches from ISC.
* CVE-2016-9131: Assertion failure related to caching of TKEY records
in upstream DNS responses.
* CVE-2016-9147: Processing of RRSIG records in upstream DNS response
without corresponding signed data could lead to an assertion failure.
* CVE-2016-9444: Missing RRSIG records in the authority section of
upstream responses could lead to an assertion failure.
* RT #43779: Fix handling of CNAME/DNAME responses. (Regression due
to the CVE-2016-8864 fix.)
-
3efb040...
by
Michael Gilbert <email address hidden>
on 2017-02-26
-
Import patches-unapplied version 1:9.9.5.dfsg-9+deb8u10 to debian/jessie
Imported using git-ubuntu import.
Changelog parent: c21ec95d9fd1921fe3d91626f4fc3e1495ca2f34
New changelog entries:
* Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
* Fix CVE-2017-3135: a malicously crafted query can cause named to crash if
both DNS64 and RPZ are being used (closes: #855520).
* Apply patches from ISC.
* CVE-2016-9131: Assertion failure related to caching of TKEY records
in upstream DNS responses.
* CVE-2016-9147: Processing of RRSIG records in upstream DNS response
without corresponding signed data could lead to an assertion failure.
* CVE-2016-9444: Missing RRSIG records in the authority section of
upstream responses could lead to an assertion failure.
* RT #43779: Fix handling of CNAME/DNAME responses. (Regression due
to the CVE-2016-8864 fix.)
-
ad9062c...
by
Florian Weimer
on 2016-11-01
-
Import patches-applied version 1:9.9.5.dfsg-9+deb8u8 to applied/debian/jessie
Imported using git-ubuntu import.
Changelog parent: 6018cb79278627cf8a43fcb9cf28cd5865ef6eae
Unapplied parent: c21ec95d9fd1921fe3d91626f4fc3e1495ca2f34
New changelog entries:
* CVE-2016-8864: Fix assertion failure in DNAME processing with patch
provided by ISC.
* CVE-2016-2775: lwresd crash with long query name.
Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232.
Closes: #831796.
* CVE-2016-2776: assertion failure due to unspecified crafted query.
Fix based on 43139-9-9.patch from ISC. Closes: #839010.
-
c21ec95...
by
Florian Weimer
on 2016-11-01
-
Import patches-unapplied version 1:9.9.5.dfsg-9+deb8u8 to debian/jessie
Imported using git-ubuntu import.
Changelog parent: 8daddbc7b2d4e14c745ccb8265a5dfe32709c901
New changelog entries:
* CVE-2016-8864: Fix assertion failure in DNAME processing with patch
provided by ISC.
* CVE-2016-2775: lwresd crash with long query name.
Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232.
Closes: #831796.
* CVE-2016-2776: assertion failure due to unspecified crafted query.
Fix based on 43139-9-9.patch from ISC. Closes: #839010.
