Change logs for bind9 source package in Buster

  • bind9 (1:9.11.5.P4+dfsg-5.1+deb10u7) buster-security; urgency=high
    
      * CVE-2021-25220: The rules for acceptance of records into the cache
        have been tightened to prevent the possibility of poisoning if
        forwarders send records outside the configured bailiwick.
    
     -- Ondřej Surý <email address hidden>  Mon, 14 Mar 2022 15:21:48 +0100
  • bind9 (1:9.11.5.P4+dfsg-5.1+deb10u5) buster-security; urgency=high
    
      * CVE-2021-25214: A malformed incoming IXFR transfer could trigger
        an assertion failure in ``named``, causing it to quit abnormally.
      * CVE-2021-25215: ``named`` crashed when a DNAME record placed in
        the ANSWER section during DNAME chasing turned out to be the final
        answer to a client query.
      * CVE-2021-25216: Compile with system provided SPNEGO
      * Ensure all resources are properly cleaned up when a call to
        gss_accept_sec_context() fails.
    
     -- Ondřej Surý <email address hidden>  Thu, 29 Apr 2021 12:42:26 +0200
  • bind9 (1:9.11.5.P4+dfsg-5.1+deb10u3) buster-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Buffer overflow in GSSAPI security policy negotiation (CVE-2020-8625)
    
     -- Salvatore Bonaccorso <email address hidden>  Mon, 15 Feb 2021 08:51:28 +0100
  • bind9 (1:9.11.5.P4+dfsg-5.1+deb10u2) buster-security; urgency=high
    
      [ Salvatore Bonaccorso ]
      * [CVE-2020-8622] Properly handle malformed truncated responses to TSIG
        queries
      * [CVE-2020-8623] Fix crash in pk11_numbits() with crafted packet when
        native-pkcs11 is used
      * Wait more than 1 second for NSEC3 chain changes
      * [CVE-2020-8624] Fix processing of "update-policy" rules of type
        "subdomain" (Closes: #966497)
    
      [ Ondřej Surý ]
      * [CVE-2020-8619]: It was possible to trigger an INSIST when a zone with
        interior (non-leaf) wildcard label
    
     -- Salvatore Bonaccorso <email address hidden>  Tue, 25 Aug 2020 10:10:23 +0200
  • bind9 (1:9.11.5.P4+dfsg-5.1+deb10u1) buster-security; urgency=high
    
      * [CVE-2019-6477]: TCP-pipelined queries can bypass tcp-clients limit.
        (Closes: #945171)
      * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9
      * [CVE-2020-8617]: Fix assertion failure in TSIG processing code
    
     -- Ondřej Surý <email address hidden>  Mon, 18 May 2020 10:02:41 +0200
  • bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
        (Closes: #930746)
    
     -- Salvatore Bonaccorso <email address hidden>  Fri, 21 Jun 2019 11:24:31 +0200
  • bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
    
      * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
        Thanks to Steven Monai (Closes: #928398)
    
     -- Bernhard Schmidt <email address hidden>  Fri, 03 May 2019 19:44:57 +0200
  • bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
    
      * More fixes to the AppArmor policy for Samba AD DLZ
        - allow access to /dev/urandom
        - allow locking for dns.keytab
        - fix path to smb.conf
    
     -- Bernhard Schmidt <email address hidden>  Mon, 22 Apr 2019 22:31:06 +0200
  • bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high
    
      [ Bernhard Schmidt ]
      * New upstream version 9.11.5.P4+dfsg
        - CVE-2018-5744: A specially crafted packet can cause named to leak memory
        - CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over
          to an unsupported key algorithm when using managed-keys
        - CVE-2019-6465: Controls for zone transfers might not be properly applied
          to Dynamically Loadable Zones (DLZs) if the zones are writable.
      * d/watch: Do not use beta or RC versions
      * d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap
        symbols
    
      [ Ondřej Surý ]
      * Add new upstream GPG signing-key
    
     -- Bernhard Schmidt <email address hidden>  Fri, 22 Feb 2019 17:54:10 +0100
  • bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
    
      [ Dominik George ]
      * Support dyndb modules with apparmor. (Closes: #900879)
    
      [ Bernhard Schmidt ]
      * apparmor-policy: permit locking of the allow-new-zones database
        (Closes: #922065)
      * apparmor-policy: allow access to Samba DLZ files (Closes: #920530)
    
     -- Bernhard Schmidt <email address hidden>  Tue, 12 Feb 2019 00:34:21 +0100
  • bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
    
      * New upstream version 9.11.5.P1+dfsg
    
     -- Ondřej Surý <email address hidden>  Tue, 18 Dec 2018 13:59:25 +0000
  • bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
    
      * Use <email address hidden> as Maintainer address
      * New upstream version 9.11.5+dfsg
      * Add EXTENSIONS= to version file programmatically, not with the patch
      * Rebase patches for BIND 9.11.5
      * Adjust package names for new SONAMEs
    
     -- Ondřej Surý <email address hidden>  Mon, 22 Oct 2018 10:30:28 +0000
  • bind9 (1:9.11.4.P2+dfsg-3) unstable; urgency=medium
    
      * Also avoid OpenSSL 1.1.1 in udebs.
        Thanks to KiBi for the hint
      * autopkgtest: Make an external query and check for DNSSEC
    
     -- Bernhard Schmidt <email address hidden>  Wed, 26 Sep 2018 11:21:35 +0200
  • bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
    
      * Brown-paper-bag release :-(
      * Fix missing colon in AppArmor profile (Closes: #904983)
    
     -- Bernhard Schmidt <email address hidden>  Mon, 30 Jul 2018 16:28:21 +0200
  • bind9 (1:9.11.4+dfsg-2) unstable; urgency=medium
    
      * Enable dnstap support (Courtesy of Richard James Salts) (Closes: #890483)
      * Remove auth-nxdomain no; from named.conf.options (Closes: #896889)
    
     -- Ondřej Surý <email address hidden>  Mon, 16 Jul 2018 18:49:50 +0000
  • bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
    
      * [CVE-2018-5738]: Add upstream fix to close the default open recursion
        (Closes: #901483)
      * Change the maintainer address (Closes: #899959)
    
     -- Ondřej Surý <email address hidden>  Thu, 14 Jun 2018 13:01:47 +0000
  • bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
    
      [ Bernhard Schmidt ]
      * New upstream version 9.11.3+dfsg
        (Closes: #867570, #888463)
        - Refresh patches
        - Drop stdatomic.h patches applied upstream
      * Follow SONAME bump of libdns
      * Follow SONAME bump of libisc
      * Add missing symbols for libisccfg160
      * Add python3-distutils Build-Dependency
      * Drop Priority: standard for library packages
      * Fix apparmor profile name (Closes: #893005)
        Thanks to Andreas Hasenack
      * Update bind9-host description (Closes: #729561)
      * Add flags=(attach_disconnected) to AppArmor profile to prepare
        to use more systemd hardening options, see #863841
      * Add myself to Uploaders
    
      [ Ondřej Surý ]
      * Update Vcs-* links to salsa.d.o
    
     -- Bernhard Schmidt <email address hidden>  Fri, 23 Mar 2018 00:09:58 +0100
  • bind9 (1:9.11.2.P1-1) unstable; urgency=medium
    
      * New upstream version 9.11.2-P1
      * Refresh patches for new release
    
     -- Ondřej Surý <email address hidden>  Wed, 17 Jan 2018 06:06:04 +0000
  • bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium
    
      * Remove duplicate invoke-rc.d start invocation (Closes: #883575)
      * Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999)
      * Use dh-apparmor for profile management
      * apparmor-profile: allow changing thread name (Closes: #883228)
      * Bump debhelper compat level to 10
      * Bump Standards-Version to 4.1.2, no changes necessary
    
     -- Bernhard Schmidt <email address hidden>  Sun, 10 Dec 2017 20:23:12 +0100
  • bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium
    
      * Team upload.
      * Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536)
    
     -- Bernhard Schmidt <email address hidden>  Tue, 05 Dec 2017 00:09:25 +0100
  • bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Make the build reproducible (Closes: #828012)
    
      [ Micah Cowan ]
      * Try not to be fragile to varying value of LIBS make var. (Closes: #833307)
    
      [ Ondřej Surý ]
      * Update the softhsm2.so non-MA path (Closes: #860722)
      * Enable JSON output in the statistics channel (Closes: #860722)
      * Merge NMUs' changelogs (Closes: #880077)
      * Use /dev/urandom to avoid blocking in the server process. (Closes: #854243)
    
     -- Ondřej Surý <email address hidden>  Thu, 02 Nov 2017 10:31:01 +0000
  • bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium
    
      [ Michael Biebl ]
      * Improve bind9-resolvconf.service (Closes: #826353)
    
      [ Ondřej Surý ]
      * Add insserv.conf.d configuration (Closes: #650538)
      * Change bind9-resolvconf.service to Type=oneshot + RemainAfterExit=yes (Closes: #832040)
      * Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522)
      * Update Vcs-* fields to standard variants
      * Rebuild with newer debhelper (Closes: #879542)
    
     -- Ondřej Surý <email address hidden>  Mon, 23 Oct 2017 07:02:50 +0000
  • bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
    
     -- Bernhard Schmidt <email address hidden>  Fri, 11 Aug 2017 19:10:07 +0200
  • bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
        signed TCP message sequences where not all the messages contain TSIG
        records. These may be used in AXFR and IXFR responses.
        (Closes: #868952)
    
     -- Salvatore Bonaccorso <email address hidden>  Fri, 21 Jul 2017 22:28:32 +0200
  • bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
    
      * Non-maintainer upload.
    
      [ Yves-Alexis Perez ]
      * debian/patches:
        - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
          CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
          transfers. An attacker may be able to circumvent TSIG authentication of
          AXFR and Notify requests.
          CVE-2017-3143: error in TSIG authentication can permit unauthorized
          dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
          signature for a dynamic update.
          (Closes: #866564)
    
     -- Salvatore Bonaccorso <email address hidden>  Sun, 16 Jul 2017 22:13:21 +0200
  • bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high
    
      * Non-maintainer upload.
      * Dns64 with "break-dnssec yes;" can result in an assertion failure
        (CVE-2017-3136) (Closes: #860224)
      * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
        assertion failures (CVE-2017-3137) (Closes: #860225)
      * 'rndc ""' could trigger an assertion failure in named (CVE-2017-3138)
        (Closes: #860226)
    
     -- Salvatore Bonaccorso <email address hidden>  Sun, 07 May 2017 15:22:46 +0200