Merge bind9 from Debian unstable for kinetic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Fix Released | Undecided | Sergio Durigan Junior |
Bug Description
Upstream: 9.18.2
Debian: 1:9.18.2-1
Ubuntu: 1:9.18.1-1ubuntu1
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle.
### New Debian Changes ###
bind9 (1:9.18.2-1) unstable; urgency=medium
* Drop libldap2-dev from Build-Depends (Closes: #1008021)
* New upstream version 9.18.2
* Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889)
-- Ondřej Surý <email address hidden> Tue, 26 Apr 2022 11:03:35 +0200
bind9 (1:9.18.1-1) unstable; urgency=high
* New upstream version 9.18.1
* CVE-2021-25220: The rules for acceptance of records into the cache
have been tightened to prevent the possibility of poisoning if
forwarders send records outside the configured bailiwick.
* CVE-2022-0396: TCP connections with 'keep-response-
could leave the TCP sockets in the 'CLOSE_WAIT' state when the client
did not properly shut down the connection.
* CVE-2022-0635: Lookups involving a DNAME could trigger an assertion
failure when 'synth-from-dnssec' was enabled (which is the default)
* CVE-2022-0667: When chasing DS records, a timed out or artificially
delayed fetch could cause 'named' to crash while resuming a DS lookup.
-- Ondřej Surý <email address hidden> Mon, 14 Mar 2022 15:29:31 +0100
bind9 (1:9.18.0-2) unstable; urgency=medium
* Add patch to use detected L1 cache-line size instead of hard-coded
value, this should fix architectures with 128-byte L1 cache.
-- Ondřej Surý <email address hidden> Thu, 27 Jan 2022 13:16:04 +0100
bind9 (1:9.18.0-1) unstable; urgency=medium
* Bump the upstream version in debian/ to 9.18
* New upstream version 9.18.0
-- Ondřej Surý <email address hidden> Wed, 26 Jan 2022 12:31:55 +0100
bind9 (1:9.18.
* New upstream version 9.18.0~0+git28350c
+ Pull the 9.18.0 pre-release git to have the L1 cache line
fix (Closes: #1004271)
* Fix the typo when backing up and restoring configure{,.ac}
(Closes: #903586)
* Remove some prehistoric conffile no longer in use
(Closes: #942377)
* Pick UTC date for release_date variable (Closes: #1000893)
-- Ondřej Surý <email address hidden> Mon, 24 Jan 2022 16:00:49 +0100
bind9 (1:9.17.22-1) unstable; urgency=medium
* New upstream version 9.17.22
-- Ondřej Surý <email address hidden> Wed, 19 Jan 2022 18:38:13 +0100
bind9 (1:9.17.21-1) unstable; urgency=medium
* New upstream version 9.17.21
-- Ondřej Surý <email address hidden> Wed, 15 Dec 2021 15:22:46 +0100
bind9 (1:9.17.20-3) unstable; urgency=medium
* Retain bind9-resolvcon
-- Ondřej Surý <email address hidden> Thu, 25 Nov 2021 10:10:50 +0100
bind9 (1:9.17.20-2) unstable; urgency=medium
* Tighten the dependencies on bind9-libs for the utils too
(Closes: #1000354)
-- Ondřej Surý <email address hidden> Mon, 22 Nov 2021 08:58:22 +0100
bind9 (1:9.17.20-1) unstable; urgency=medium
* New upstream version 9.17.20
* Remove the sphinx-patch, the role has been fixed upstream
-- Ondřej Surý <email address hidden> Thu, 18 Nov 2021 07:49:14 +0100
bind9 (1:9.17.19-3) unstable; urgency=medium
* Remove the .so libraries from excluded files
-- Ondřej Surý <email address hidden> Fri, 12 Nov 2021 14:24:13 +0100
bind9 (1:9.17.19-2) unstable; urgency=medium
* Add libjemalloc-dev to Build-Depends
* Sync the packaging between BIND 9.16 and BIND 9.17 branches
* Don't install static libraries to bind9-dev, they are not built
-- Ondřej Surý <email address hidden> Tue, 09 Nov 2021 10:42:43 +0100
bind9 (1:9.17.19-1) unstable; urgency=medium
* New upstream version 9.17.19
### Old Ubuntu Delta ###
bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1965981). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention some of the relevant changes in 9.18.0 packaging
or functionality that may affect usability.
* Dropped changes:
- d/p/0003-
debugging flag from nslookup code (LP: #1961556).
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: cache poisoning via bogus NS records
+ debian/
records into the cache in lib/dns/resolver.c.
+ CVE-2021-25220
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: DoS via specially crafted TCP stream
+ debian/
+ CVE-2022-0396
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
+ debian/
+ CVE-2022-0635
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: Assertion failure on delayed DS lookup
+ debian/
+ CVE-2022-0667
[ Incorporated in 9.18.1. ]
* Added changes:
- d/p/lp1964400-
d/
d/
d/
d/
d/
d/
Fix dig error when trying the next server after a TCP connection
failure. This upstream patchset also fixes a crash when using
the 'host' command for numeric lookups (LP: #1964400) and an
infinite hang when passing a non-existent hostname to 'host' (LP:
#1964686).
-- Sergio Durigan Junior <email address hidden> Wed, 23 Mar 2022 13:48:30 -0400
Changed in bind9 (Ubuntu): milestone: none → ubuntu-22.07
Changed in bind9 (Ubuntu): assignee: nobody → Sergio Durigan Junior (sergiodj)
This bug was fixed in the package bind9 - 1:9.18.4-2ubuntu1
---------------
bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable (LP: #1971250)
protobuf-c-compiler (universe packages)
symbols: don't include dnstap symbols
attach_conffiles() since that is already done by apport itself, with confirmation from the user.
named.service: use systemd Type=forking to signal daemon init.
lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
patches/CVE-2022-1183.patch: fix destroying logic in lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention some of the relevant changes in 9.18.0 packaging
or functionality that may affect usability.
* Dropped changes:
- d/p/lp1964400-
d/
d/
d/
d/
d/
d/
Fix dig error when trying the next server after a TCP connection
failure. This upstream patchset also fixes a crash when using
the "host" command for numeric lookups (LP #1964400) and an
infinite hang when passing a non-existent hostname to "host" (LP
#1964686).
[ Incorporated by upstream. ]
- SECURITY UPDATE: Destroying a TLS session early causes assertion
failure
+ debian/
[ Incorporated by upstream. ]
-- Sergio Durigan Junior <email address hidden> Wed, 20 Jul 2022 05:28:13 -0400