-
bind9 (1:9.19.21-1) unstable; urgency=high
[ Helmut Grohne ]
* Drop unused Build-Depends: python3. (Closes: #1063448)
[ Ondřej Surý ]
* New upstream version 9.19.21
- CVE-2023-4408: Parsing large DNS messages may cause excessive CPU
load
- CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion
failure when "nxdomain-redirect" is enabled
- CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an
assertion failure during recursive resolution
- CVE-2023-6516: Specific recursive query patterns may lead to an
out-of-memory condition
- CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
- CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust
CPU resources
-- Ondřej Surý <email address hidden> Mon, 12 Feb 2024 17:04:19 +0100
-
bind9 (1:9.19.19-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.19.19
[ Bernhard Schmidt ]
* Sync 9.18 to 9.19 (Closes: #1056984)
-- Ondřej Surý <email address hidden> Wed, 20 Dec 2023 17:01:32 +0100
-
bind9 (1:9.19.17-1) unstable; urgency=medium
* New upstream version 9.19.17
- CVE-2023-3341: A stack exhaustion flaw in control channel code may
cause named to terminate unexpectedly (Closes: #1052416)
- CVE-2023-4236: named may terminate unexpectedly under high
DNS-over-TLS query load (Closes: #1052417)
-- Ondřej Surý <email address hidden> Wed, 20 Sep 2023 18:13:07 +0200
-
bind9 (1:9.18.16-1) unstable; urgency=medium
* New upstream version 9.18.16
- CVE-2023-2828: The overmem cleaning process has been improved,
to prevent the cache from significantly exceeding the configured
max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache. If the fetch
is aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed.
-- Ondřej Surý <email address hidden> Wed, 21 Jun 2023 20:43:16 +0200
-
bind9 (1:9.18.13-1) unstable; urgency=medium
* New upstream version 9.18.13
-- Ondřej Surý <email address hidden> Wed, 15 Mar 2023 18:11:29 +0100
-
bind9 (1:9.18.12-1) unstable; urgency=medium
* New upstream version 9.18.12
* Drop libtool-bin from B-D (Closes: #1022968)
-- Ondřej Surý <email address hidden> Fri, 10 Feb 2023 15:15:49 +0100
-
bind9 (1:9.18.11-2) unstable; urgency=medium
* Allow the named to use systemd notify service
-- Ondřej Surý <email address hidden> Thu, 26 Jan 2023 21:13:55 +0100
-
bind9 (1:9.18.11-1) unstable; urgency=medium
* New upstream version 9.18.11
-- Ondřej Surý <email address hidden> Wed, 25 Jan 2023 15:51:35 +0100
-
bind9 (1:9.18.10-2) unstable; urgency=medium
* Backport upstream feature to use sd_notify()
* Use systemd notify for service readyness check (Closes: #994696)
* apparmor.d: Allow named to read all OpenSSL config files.
(Closes: #1025519)
* apparmor.d: Allow named to query for hugepages support.
(Closes: #1020315)
* Fix path to README.Debian (Closes: #1016646)
-- Bernhard Schmidt <email address hidden> Thu, 22 Dec 2022 17:12:17 +0100
-
bind9 (1:9.18.10-1) unstable; urgency=medium
* New upstream version 9.18.10
-- Ondřej Surý <email address hidden> Wed, 21 Dec 2022 18:00:33 +0100
-
bind9 (1:9.18.8-1) unstable; urgency=medium
* New upstream version 9.18.8
-- Ondřej Surý <email address hidden> Wed, 19 Oct 2022 14:58:38 +0200
-
bind9 (1:9.18.7-1) unstable; urgency=medium
* New upstream version 9.18.7
- CVE-2022-2795: Processing large delegations may severely degrade
resolver performance
- CVE-2022-2881: Buffer overread in statistics channel code
- CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key
exchange via TKEY RRs (OpenSSL 3.0.0+ only)
- CVE-2022-3080: BIND 9 resolvers configured to answer from stale
cache with zero stale-answer-client-timeout may terminate unexpectedly
- CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
- CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
-- Ondřej Surý <email address hidden> Wed, 21 Sep 2022 12:48:36 +0200
-
bind9 (1:9.18.6-2) unstable; urgency=medium
* No-change source-only upload
-- Bernhard Schmidt <email address hidden> Mon, 05 Sep 2022 21:30:08 +0200
-
bind9 (1:9.18.6-1) unstable; urgency=medium
* Disable treat-warnings-as-errors in sphinx-build
* New upstream version 9.18.6
-- Ondřej Surý <email address hidden> Thu, 18 Aug 2022 09:39:20 +0200
-
bind9 (1:9.18.4-2) unstable; urgency=medium
[ Simon Deziel ]
* debian/extras/etc/db.0: correct descriptive comment
[ Bernhard Schmidt ]
* Add sleep workaround in tests/simpletests (Closes: #1012059)
-- Ondřej Surý <email address hidden> Tue, 05 Jul 2022 12:58:06 +0200
-
bind9 (1:9.18.3-1) unstable; urgency=medium
* New upstream version 9.18.3
-- Ondřej Surý <email address hidden> Wed, 18 May 2022 16:53:01 +0200
-
bind9 (1:9.18.2-1) unstable; urgency=medium
* Drop libldap2-dev from Build-Depends (Closes: #1008021)
* New upstream version 9.18.2
* Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889)
-- Ondřej Surý <email address hidden> Tue, 26 Apr 2022 11:03:35 +0200
-
bind9 (1:9.18.1-1) unstable; urgency=high
* New upstream version 9.18.1
* CVE-2021-25220: The rules for acceptance of records into the cache
have been tightened to prevent the possibility of poisoning if
forwarders send records outside the configured bailiwick.
* CVE-2022-0396: TCP connections with 'keep-response-order' enabled
could leave the TCP sockets in the 'CLOSE_WAIT' state when the client
did not properly shut down the connection.
* CVE-2022-0635: Lookups involving a DNAME could trigger an assertion
failure when 'synth-from-dnssec' was enabled (which is the default)
* CVE-2022-0667: When chasing DS records, a timed out or artificially
delayed fetch could cause 'named' to crash while resuming a DS lookup.
-- Ondřej Surý <email address hidden> Mon, 14 Mar 2022 15:29:31 +0100
-
bind9 (1:9.18.0-2) unstable; urgency=medium
* Add patch to use detected L1 cache-line size instead of hard-coded
value, this should fix architectures with 128-byte L1 cache.
-- Ondřej Surý <email address hidden> Thu, 27 Jan 2022 13:16:04 +0100
-
bind9 (1:9.18.0-1) unstable; urgency=medium
* Bump the upstream version in debian/ to 9.18
* New upstream version 9.18.0
-- Ondřej Surý <email address hidden> Wed, 26 Jan 2022 12:31:55 +0100
-
bind9 (1:9.18.0~0+git28350c-1) unstable; urgency=medium
* New upstream version 9.18.0~0+git28350c
+ Pull the 9.18.0 pre-release git to have the L1 cache line
fix (Closes: #1004271)
* Fix the typo when backing up and restoring configure{,.ac}
(Closes: #903586)
* Remove some prehistoring conffile no longer in use
(Closes: #942377)
* Pick UTC date for release_date variable (Closes: #1000893)
-- Ondřej Surý <email address hidden> Mon, 24 Jan 2022 16:00:49 +0100
-
bind9 (1:9.17.22-1) unstable; urgency=medium
* New upstream version 9.17.22
-- Ondřej Surý <email address hidden> Wed, 19 Jan 2022 18:38:13 +0100
-
bind9 (1:9.17.21-1) unstable; urgency=medium
* New upstream version 9.17.21
-- Ondřej Surý <email address hidden> Wed, 15 Dec 2021 15:22:46 +0100
-
bind9 (1:9.17.20-3) unstable; urgency=medium
* Retain bind9-resolvconf.service alias (Closes: #1000565)
-- Ondřej Surý <email address hidden> Thu, 25 Nov 2021 10:10:50 +0100
-
bind9 (1:9.17.20-2) unstable; urgency=medium
* Tighten the dependencies on bind9-libs for the utils too
(Closes: #1000354)
-- Ondřej Surý <email address hidden> Mon, 22 Nov 2021 08:58:22 +0100
-
bind9 (1:9.17.19-3) unstable; urgency=medium
* Remove the .so libraries from excluded files
-- Ondřej Surý <email address hidden> Fri, 12 Nov 2021 14:24:13 +0100
-
bind9 (1:9.17.19-2) unstable; urgency=medium
* Add libjemalloc-dev to Build-Depends
* Sync the packaging between BIND 9.16 and BIND 9.17 branches
* Don't install static libraries to bind9-dev, they are not built
-- Ondřej Surý <email address hidden> Tue, 09 Nov 2021 10:42:43 +0100
-
bind9 (1:9.17.19-1) unstable; urgency=medium
* New upstream version 9.17.19
-- Ondřej Surý <email address hidden> Mon, 25 Oct 2021 14:29:06 +0200
-
bind9 (1:9.16.21-1) unstable; urgency=medium
* New upstream version 9.16.21
-- Ondřej Surý <email address hidden> Thu, 16 Sep 2021 09:54:17 +0200
-
bind9 (1:9.16.15-1) unstable; urgency=high
* New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
+ CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
assertion failure in ``named``, causing it to quit abnormally.
+ CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
ANSWER section during DNAME chasing turned out to be the final
answer to a client query.
+ CVE-2021-25216: When a server's configuration set the
``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
specially crafted GSS-TSIG query could cause a buffer overflow in
the ISC implementation of SPNEGO (a protocol enabling negotiation of
the security mechanism used for GSSAPI authentication).
* Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
-- Ondřej Surý <email address hidden> Thu, 29 Apr 2021 09:11:32 +0200
-
bind9 (1:9.16.13-1) unstable; urgency=medium
* New upstream version 9.16.13
* Add upstream patches to fix TCP timeouts firing too early
-- Ondřej Surý <email address hidden> Thu, 18 Mar 2021 14:23:49 +0100
-
bind9 (1:9.16.12-3) unstable; urgency=medium
* Add most important patches from upcoming 9.16.13 release
-- Ondřej Surý <email address hidden> Fri, 12 Mar 2021 09:59:49 +0100
-
bind9 (1:9.16.12-1) unstable; urgency=high
* New upstream version 9.16.12
+ [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
(Closes: #983004)
* Adjust the bind9-libs and bind9-dev packages for new upstream library
names
-- Ondřej Surý <email address hidden> Thu, 18 Feb 2021 08:13:58 +0100
-
bind9 (1:9.16.11-3) unstable; urgency=medium
* Split the simple validation test to separate file and mark it as flaky
(Closes: #976045)
-- Ondřej Surý <email address hidden> Sun, 14 Feb 2021 20:04:39 +0100
-
bind9 (1:9.16.11-2) unstable; urgency=medium
* Cherry-pick upstream commit to fix segfault with named ACLs used in
allow-update (Closes: #980786)
-- Bernhard Schmidt <email address hidden> Fri, 29 Jan 2021 08:27:31 +0100
-
bind9 (1:9.16.11-1) unstable; urgency=medium
* Add the ISC code-signing key for 2021-2022
* New upstream version 9.16.11
-- Ondřej Surý <email address hidden> Thu, 21 Jan 2021 09:58:33 +0100
-
bind9 (1:9.16.8-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.16.8
[ Bernhard Schmidt ]
* d/t/control:
- tag autopkgtest with needs-internet (Closes: #973955)
- depend on bind9-dnsutils insead of the transitional dnsutils
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Bernhard Schmidt <email address hidden> Mon, 09 Nov 2020 23:03:53 +0100
-
bind9 (1:9.16.6-3) unstable; urgency=medium
[ Ondřej Surý ]
* Add upstream patches to fix some rare conditions (Closes: #969448)
[ Bernhard Schmidt ]
* Set Restart=on-failure in systemd unit
-- Bernhard Schmidt <email address hidden> Tue, 15 Sep 2020 00:26:14 +0200
-
bind9 (1:9.16.6-2) unstable; urgency=medium
* Move Build-Depends for documentation to Build-Depends-Indep, this
should fix the arch-any build on s390x where xindy is not available.
-- Bernhard Schmidt <email address hidden> Sat, 22 Aug 2020 20:06:00 +0200
-
bind9 (1:9.16.6-1) unstable; urgency=medium
* New upstream version 9.16.6
-- Ondřej Surý <email address hidden> Thu, 20 Aug 2020 21:32:46 +0200
-
bind9 (1:9.16.4-1) unstable; urgency=medium
* New upstream version 9.16.4
* Update Debian packaging for sphinx-doc documentation
-- Ondřej Surý <email address hidden> Wed, 17 Jun 2020 09:27:29 +0200
-
bind9 (1:9.16.3-1) unstable; urgency=medium
* New upstream version 9.16.3
-- Ondřej Surý <email address hidden> Tue, 19 May 2020 14:14:35 +0200
-
bind9 (1:9.16.2-3) unstable; urgency=medium
[ Simon Deziel ]
* apparmor: use profile name specifier
-- Bernhard Schmidt <email address hidden> Thu, 23 Apr 2020 11:45:43 +0200
-
bind9 (1:9.16.2-2) unstable; urgency=medium
* Update gbp.conf to debian/master and upstream/latest
* Reintroduce the bind9-dev package (Closes: #954906)
-- Ondřej Surý <email address hidden> Thu, 16 Apr 2020 12:14:44 +0200
-
bind9 (1:9.16.2-1) unstable; urgency=medium
* Update d/copyright (Closes: #947978)
* New upstream version 9.16.2 (Closes: #952946, #954919)
-- Ondřej Surý <email address hidden> Thu, 16 Apr 2020 10:07:07 +0200
-
bind9 (1:9.16.1-2) unstable; urgency=medium
[ Andreas Hasenack ]
* Bring back the DEP8 test from sid
* Use iproute2 instead of net-tools
* d/control: drop hardcoded python3 dependency
[ Bernhard Schmidt ]
* Fix apparmor profile name.
Thanks to Andreas Hasenack
* Enable readline support
[ Andreas Hasenack ]
* Update apparmor profile with what is in sid
* Create the missing transitional packages for dnsutils, bind9utils
* There is a licensing conflict with adding libreadline and we should
use libedit-dev instead.
[ Ondřej Surý ]
* Add Breaks: freeipa, so the package doesn't migrate to testing before freeipa is fixed
-- Ondřej Surý <email address hidden> Sun, 22 Mar 2020 09:21:21 +0100
-
bind9 (1:9.11.16+dfsg-2) unstable; urgency=medium
* No-changes source-only upload to allow migration
Should also fix FTBFS on several platforms that was caused by #952115
in libxml2.
-- Bernhard Schmidt <email address hidden> Tue, 25 Feb 2020 22:12:13 +0100
-
bind9 (1:9.11.16+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.16+dfsg
* Bump libisc SOVERSION to 1105
-- Ondřej Surý <email address hidden> Thu, 20 Feb 2020 10:44:11 +0100
-
bind9 (1:9.11.14+dfsg-3) unstable; urgency=medium
* cherry-pick upstream patch to fix FTBFS on armel
-- Bernhard Schmidt <email address hidden> Thu, 16 Jan 2020 16:58:50 +0100
-
bind9 (1:9.11.14+dfsg-2) unstable; urgency=medium
[ Bernhard Schmidt ]
* Unmark bind9-host as deprecated (Closes: #948139)
[ Andreas Hasenack ]
* d/control: drop hardcoded python3 dependency
* Use iproute2 instead of net-tools
-- Bernhard Schmidt <email address hidden> Thu, 16 Jan 2020 14:23:27 +0100
-
bind9 (1:9.11.14+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.14+dfsg
* Make lib/dns/gen.c independent of isc/platform.h header
-- Ondřej Surý <email address hidden> Thu, 19 Dec 2019 09:40:34 +0100
-
bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
* Non-maintainer upload.
* move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
(Closes: #930746)
-- Salvatore Bonaccorso <email address hidden> Fri, 21 Jun 2019 11:24:31 +0200
-
bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
* AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
Thanks to Steven Monai (Closes: 928398)
-- Bernhard Schmidt <email address hidden> Fri, 03 May 2019 19:44:57 +0200
-
bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
[ Bernhard Schmidt ]
* AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
[ Ondřej Surý ]
* [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
(Closes: #927932)
* Update symbols file for new symbol in libisc
* Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)
-- Ondřej Surý <email address hidden> Fri, 26 Apr 2019 08:33:13 +0000
-
bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
* More fixes to the AppArmor policy for Samba AD DLZ
- allow access to /dev/urandom
- allow locking for dns.keytab
- fix path to smb.conf
-- Bernhard Schmidt <email address hidden> Mon, 22 Apr 2019 22:31:06 +0200
-
bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium
[ Ondřej Surý ]
* Update d/gbp.conf for Debian Buster
[ Bernhard Schmidt ]
* Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
expiring and deleting old DNSSEC keys when being run for the first
time (Closes: #923984)
* Update AppArmor policy for Samba AD DLZ
- Add changed default location for named.conf
- Allow read/mmap on some Samba libraries
Thanks to Steven Monai (Closes: #920530)
[ Andreas Beckmann ]
* bind9.preinst: cope with ancient conffile named.conf.options
(Closes: #905177)
-- Bernhard Schmidt <email address hidden> Tue, 02 Apr 2019 21:12:50 +0200
-
bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high
[ Bernhard Schmidt ]
* New upstream version 9.11.5.P4+dfsg
- CVE-2018-5744: A specially crafted packet can cause named to leak memory
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over
to an unsupported key algorithm when using managed-keys
- CVE-2019-6465: Controls for zone transfers might not be properly applied
to Dynamically Loadable Zones (DLZs) if the zones are writable.
* d/watch: Do not use beta or RC versions
* d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap
symbols
[ Ondřej Surý ]
* Add new upstream GPG signing-key
-- Bernhard Schmidt <email address hidden> Fri, 22 Feb 2019 17:54:10 +0100
-
bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
[ Dominik George ]
* Support dyndb modules with apparmor. (Closes: #900879)
[ Bernhard Schmidt ]
* apparmor-policy: permit locking of the allow-new-zones database
(Closes: #922065)
* apparmor-policy: allow access to Samba DLZ files (Closes: #920530)
-- Bernhard Schmidt <email address hidden> Tue, 12 Feb 2019 00:34:21 +0100
-
bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.5.P1+dfsg
-- Ondřej Surý <email address hidden> Tue, 18 Dec 2018 13:59:25 +0000
-
bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
* Use <email address hidden> as Maintainer address
* New upstream version 9.11.5+dfsg
* Add EXTENSIONS= to version file programmatically, not with the patch
* Rebase patches for BIND 9.11.5
* Adjust package names for new SONAMEs
-- Ondřej Surý <email address hidden> Mon, 22 Oct 2018 10:30:28 +0000
-
bind9 (1:9.11.4.P2+dfsg-3) unstable; urgency=medium
* Also avoid OpenSSL 1.1.1 in udebs.
Thanks to KiBi for the hint
* autopkgtest: Make an external query and check for DNSSEC
-- Bernhard Schmidt <email address hidden> Wed, 26 Sep 2018 11:21:35 +0200
-
bind9 (1:9.11.4.P2+dfsg-2) unstable; urgency=medium
* Temporarily disable EDDSA to relax OpenSSL version requirement
-- Bernhard Schmidt <email address hidden> Mon, 24 Sep 2018 11:08:15 +0200
-
bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium
[ Bernhard Schmidt ]
* Add a very simple autopkgtest (dig @127.0.0.1)
[ Ondřej Surý ]
* New upstream version 9.11.4.P2+dfsg
* Rebase patches for BIND 9.11.4-P2
-- Ondřej Surý <email address hidden> Mon, 10 Sep 2018 08:36:06 +0000
-
bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium
[ Timo Aaltonen ]
* skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
crashing on startup. (LP: #1769440)
[ Bernhard Schmidt ]
* Add gbp.conf for pristine-tar usage
* d/watch: Properly deal with -P patch releases
[ Ondřej Surý ]
* Don't fail to start if /etc/default/bind9 doesn't exist
* New upstream version 9.11.4.P1+dfsg
* Rebase patches for BIND 9.11.4-P1
* Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643)
* Put aside named.conf.option from stretch when upgrading (Closes: #905177)
-- Ondřej Surý <email address hidden> Fri, 31 Aug 2018 09:53:27 +0000
-
bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
* Brown-paper-bag release :-(
* Fix missing colon in AppArmor profile (Closes: #904983)
-- Bernhard Schmidt <email address hidden> Mon, 30 Jul 2018 16:28:21 +0200
-
bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
* Enable IDN support for dig+host using libidn2 (Closes: #459010)
* Use root.hints from dns-root-data (Closes: #888491)
-- Bernhard Schmidt <email address hidden> Sun, 29 Jul 2018 23:26:09 +0200
-
bind9 (1:9.11.4+dfsg-2) unstable; urgency=medium
* Enable dnstap support (Courtesy of Richard James Salts) (Closes: #890483)
* Remove auth-nxdomain no; from named.conf.options (Closes: #896889)
-- Ondřej Surý <email address hidden> Mon, 16 Jul 2018 18:49:50 +0000
-
bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
* [CVE-2018-5738]: Add upstream fix to close the default open recursion
(Closes: #901483)
* Change the maintainer address (Closes: #899959)
-- Ondřej Surý <email address hidden> Thu, 14 Jun 2018 13:01:47 +0000
-
bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
[ Bernhard Schmidt ]
* New upstream version 9.11.3+dfsg
(Closes: #867570, #888463)
- Refresh patches
- Drop stdatomic.h patches applied upstream
* Follow SONAME bump of libdns
* Follow SONAME bump of libisc
* Add missing symbols for libisccfg160
* Add python3-distutils Build-Dependency
* Drop Priority: standard for library packages
* Fix apparmor profile name (Closes: #893005)
Thanks to Andreas Hasenack
* Update bind9-host description (Closes: #729561)
* Add flags=(attach_disconnected) to AppArmor profile to prepare
to use more systemd hardening options, see #863841
* Add myself to Uploaders
[ Ondřej Surý ]
* Update Vcs-* links to salsa.d.o
-- Bernhard Schmidt <email address hidden> Fri, 23 Mar 2018 00:09:58 +0100
-
bind9 (1:9.11.2.P1-1) unstable; urgency=medium
* New upstream version 9.11.2-P1
* Refresh patches for new release
-- Ondřej Surý <email address hidden> Wed, 17 Jan 2018 06:06:04 +0000
-
bind9 (1:9.11.2+dfsg-10) unstable; urgency=medium
* Disable lmdb usage in export version of libraries (Closes: #887407)
-- Ondřej Surý <email address hidden> Tue, 16 Jan 2018 05:59:31 +0000
-
bind9 (1:9.11.2+dfsg-9) unstable; urgency=medium
* Fix various mistakes in bind9 conffiles (Closes: #887398)
-- Ondřej Surý <email address hidden> Mon, 15 Jan 2018 23:12:43 +0000
-
bind9 (1:9.11.2+dfsg-8) unstable; urgency=medium
* Pull more stdatomic patch to fix builds on 32-bit architectures
* Remove extra native pkcs11 patch (it has been replaced by sed rules)
-- Ondřej Surý <email address hidden> Mon, 15 Jan 2018 21:02:30 +0000
-
bind9 (1:9.11.2+dfsg-7) unstable; urgency=medium
* Pull upstream patch to use C11 stdatomic where available (Closes: #778720)
-- Ondřej Surý <email address hidden> Mon, 15 Jan 2018 15:59:48 +0000
-
bind9 (1:9.11.2+dfsg-6) unstable; urgency=medium
* Add named-nzd2nzf to bind9 package
* Simplify installation rules
* Enable lmdb (to actually build named-nzd2nzf)
* Move delv from bind9 to dnsutils package (Closes: #887326)
-- Ondřej Surý <email address hidden> Mon, 15 Jan 2018 14:19:31 +0000
-
bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium
* Remove duplicate invoke-rc.d start invocation (Closes: #883575)
* Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999)
* Use dh-apparmor for profile management
* apparmor-profile: allow changing thread name (Closes: #883228)
* Bump debhelper compat level to 10
* Bump Standards-Version to 4.1.2, no changes necessary
-- Bernhard Schmidt <email address hidden> Sun, 10 Dec 2017 20:23:12 +0100
-
bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium
* Team upload.
* Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536)
-- Bernhard Schmidt <email address hidden> Tue, 05 Dec 2017 00:09:25 +0100
-
bind9 (1:9.11.2+dfsg-3) unstable; urgency=medium
* Team upload.
* Only install files into bind9:any on arch-any builds (Closes: #883448)
* Adjust dependencies for udeb packages (Closes: #883449)
-- Bernhard Schmidt <email address hidden> Mon, 04 Dec 2017 10:56:58 +0100
-
bind9 (1:9.11.2+dfsg-2) unstable; urgency=medium
* Team upload.
* Workaround for FTBFS on binary-any builds (Closes: #883159)
-- Bernhard Schmidt <email address hidden> Sun, 03 Dec 2017 20:36:32 +0100
-
bind9 (1:9.11.2+dfsg-1) unstable; urgency=low
* d/watch: Bump the BIND version to 9.11.x
* Remove 'order random_1' patch, it was a horrible deviation from standards
* Modernize d/rules using debhelper
* New upstream version 9.11.2+dfsg
* Delete dyndb patch, as dyndb is now included in upstream sources
* Rebase patches for new upstream release.
* Add python3-ply to Build-Depends
* Restore the native pkcs11 patch
* Fix the Debian version parsing
* Remove lwresd as it has been deprecated by upstream anyway
* Add new tools: mdig to dnsutils and dnssec-keymgr to bind9utils
* Update the SONAMEs of BIND libraries
* Fix python3 packaging errors
* Bump the standards version to 4.1.1.1 (no change)
* Add support for dh_missing
-- Ondřej Surý <email address hidden> Tue, 28 Nov 2017 22:59:30 +0000
-
bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium
[ Chris Lamb ]
* Make the build reproducible (Closes: #828012)
[ Micah Cowan ]
* Try not to be fragile to varying value of LIBS make var. (Closes: #833307)
[ Ondřej Surý ]
* Update the softhsm2.so non-MA path (Closes: #860722)
* Enable JSON output in the statistics channel (Closes: #860722)
* Merge NMUs' changelogs (Closes: #880077)
* Use /dev/urandom to avoid blocking in the server process. (Closes: #854243)
-- Ondřej Surý <email address hidden> Thu, 02 Nov 2017 10:31:01 +0000
-
bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium
[ Michael Biebl ]
* Improve bind9-resolvconf.service (Closes: #826353)
[ Ondřej Surý ]
* Add insserv.conf.d configuration (Closes: #650538)
* Change bind9-resolvconf.server to Type=oneshot + RemainAfterExit=yes (Closes: #832040)
* Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522)
* Update Vcs-* fields to standard variants
* Rebuild with newer debhelper (Closes: #879542)
-- Ondřej Surý <email address hidden> Mon, 23 Oct 2017 07:02:50 +0000
-
bind9 (1:9.10.6+dfsg-3) unstable; urgency=medium
* Make lwresd hard depend on bind9 package (Closes: #879127)
-- Ondřej Surý <email address hidden> Sun, 22 Oct 2017 11:08:20 +0000
-
bind9 (1:9.10.6+dfsg-2) unstable; urgency=medium
[ Timo Aaltonen ]
* d/copyright: Add Bv9ARM.pdf to Files-Excluded.
[ Ondřej Surý ]
* Replace lwresd with symlink instead of hard copy (Closes: #868538)
* Fix the symbols file to compensate for missing bsdcompat symbol on kFreeBSD (Closes: #879017)
* Re-enable threading support on kFreeBSD (Closes: #879018)
* Drop Multi-Arch: same header from libbind-dev (Closes: #874232)
* Remove transitional host package (Closes: #645437, #878228)
-- Ondřej Surý <email address hidden> Thu, 19 Oct 2017 09:35:03 +0000
-
bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
* New upstream version 9.10.6+dfsg
* Use OpenSSL 1.1.0 for crypto
* Add support for downloading upstream sources using d/watch
+ Make d/copyright machine readable for Files-Excluded: support
+ Update Files-Exclude: * to remove obsolete software dropped in
contrib/, but not really used
* Add initial README.source
* Limit the d/watch to 9.10.x (aka stable) for now
* Update patches for BIND 9.10.6 release
* Update PKCS11 patch
* Move under pkg-dns umbrella
* Reformat files in debian/ with wrap-and-sort -a for better maintainability
* Update the d/export.diff for BIND 9.10.6
* Remove FAQ from d/bind9.docs
* Bump SONAME versions for BIND libraries
* Add symbols files for libraries and enable strict symbol checks
* arpaname and named-rrchecker has been moved to /usr/bin
* Install required python library into bind9utils to accompany
dnssec-checkds and dnssec-coverage
* Change Vcs-* to pkg-dns/bind9
* Also exclude idnkit from upstream tarball
* Finish the debian/copyright update into machine readable format
* Enable Multi-Arch on libirs-export189
* Cleanup maintainer scripts
* Add lintian override for false positive on full-path command
* Remove unnecessary complexity when generating ${Description} to d/control
-- Ondřej Surý <email address hidden> Fri, 06 Oct 2017 06:18:21 +0000
-
bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
* Non-maintainer upload.
* Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
-- Bernhard Schmidt <email address hidden> Fri, 11 Aug 2017 19:10:07 +0200
-
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
* Non-maintainer upload.
* Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
signed TCP message sequences where not all the messages contain TSIG
records. These may be used in AXFR and IXFR responses.
(Closes: #868952)
-- Salvatore Bonaccorso <email address hidden> Fri, 21 Jul 2017 22:28:32 +0200
-
bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
* Non-maintainer upload.
[ Yves-Alexis Perez ]
* debian/patches:
- debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-2017-3143: error in TSIG authentication can permit unauthorized
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
(Closes: #866564)
-- Salvatore Bonaccorso <email address hidden> Sun, 16 Jul 2017 22:13:21 +0200
-
bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high
* Non-maintainer upload.
* Dns64 with "break-dnssec yes;" can result in a assertion failure
(CVE-2017-3136) (Closes: #860224)
* Some chaining (CNAME or DNAME) responses to upstream queries could trigger
assertion failures (CVE-2017-3137) (Closes: #860225)
* 'rndc ""' could trigger a assertion failure in named (CVE-2017-3138)
(Closes: #860226)
-- Salvatore Bonaccorso <email address hidden> Sun, 07 May 2017 15:22:46 +0200
-
bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium
* Non-maintainer upload.
* Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
hangs and crashes on MIPS. (Closes: #778720)
-- James Cowgill <email address hidden> Tue, 18 Apr 2017 16:42:50 +0100
-
bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium
* Non-maintainer upload.
* Use /dev/urandom to avoid blocking in the server process.
(closes: #854243)
-- Bastian Blank <email address hidden> Fri, 17 Mar 2017 19:07:16 +0100
-
bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high
* Merge and accept the non-maintainer upload.
* Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
* Fix CVE-2017-3135: a malicously crafted query can cause named to crash if
both DNS64 and RPZ are being used (closes: #855520).
-- Michael Gilbert <email address hidden> Sun, 19 Feb 2017 22:39:32 +0000
-
bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium
* Non-maintainer upload.
* Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
Patch by Marc Haber <email address hidden> (Closes: #820974).
-- Arturo Borrero Gonzalez <email address hidden> Tue, 07 Feb 2017 10:42:00 +0100
-
bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
* Fix some lintian warnings.
* Add lsb-base dependency to lwresd (closes: #848519).
* Fix CVE-2016-2775: crash in lwresd due to a long query name
(closes: #831796).
* Fix CVE-2016-2776: maliciously crafted query can cause named to crash
(closes: #839010).
* Fix CVE-2016-8864: incorrect handling of a DNAME record can cause
named to crash (closes: #842858).
* Fix CVE-2016-9131: maliciously crafted response to an ANY query can
cause named to crash (closes: #851065).
* Fix CVE-2016-9147: query with contradictory DNSSEC information can
cause named to crash (closes: #851063).
* Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
record can cause named to crash (closes: #851062).
* Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
(closes: #828082).
[ LaMont Jones ]
* Update VCS fields in control.
* -DDIG_SIGCHASE got dropped by the change in hardening.
[ Stefan Bader ]
* Use the defaults file in systemd.
-- Michael Gilbert <email address hidden> Thu, 19 Jan 2017 04:03:28 +0000
-
bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
* Non-maintainer upload.
* Add explicit ordering for nss-lookup.target in bind9.service,
lwresd.service. Patches by Michael Biebl <email address hidden>.
(Closes: #826243, #826245)
-- Christian Hofstaedtler <email address hidden> Sat, 02 Jul 2016 14:32:50 +0200
-
bind9 (1:9.10.3.dfsg.P4-10) unstable; urgency=medium
* Use python3
-- LaMont Jones <email address hidden> Tue, 03 May 2016 17:39:49 -0600
-
bind9 (1:9.10.3.dfsg.P4-9) unstable; urgency=medium
* Fix bad patch from when we switched to quilt. Closes: #820847 LP:
#1552801, #1549788, #1553460
* freshen patch to remove fuzz.
-- LaMont Jones <email address hidden> Tue, 26 Apr 2016 15:17:58 -0600
-
bind9 (1:9.10.3.dfsg.P4-8) unstable; urgency=medium
[Timo Aaltonen]
* Fix bind9-resolvconf.service installation.
* Add support for native pkcs11. LP: #1565392
[Samuel Thibault]
* Detect in6_pktinfo on hurd-i386. Closes: #820404
-- LaMont Jones <email address hidden> Wed, 13 Apr 2016 13:19:37 -0600
-
bind9 (1:9.10.3.dfsg.P4-7) unstable; urgency=medium
* Fix libisccc-export dependencies. Closes: #820043
-- Michael Gilbert <email address hidden> Tue, 05 Apr 2016 02:53:22 +0000
-
bind9 (1:9.10.3.dfsg.P4-6) unstable; urgency=medium
* Upload 9.10 to unstable. Closes: #781739
* Add -DNO_VERSION_DATE to CFLAGS. Closes: #783885
-- Michael Gilbert <email address hidden> Mon, 04 Apr 2016 00:39:57 +0000
-
bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high
* Non-maintainer upload.
* Add patch to fix CVE-2015-8000.
CVE-2015-8000: Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted, triggering a REQUIRE
failure when those records were subsequently cached. (Closes: #808081)
-- Salvatore Bonaccorso <email address hidden> Wed, 16 Dec 2015 15:01:39 +0100
-
bind9 (1:9.9.5.dfsg-12) unstable; urgency=high
* Fix CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash.
-- Michael Gilbert <email address hidden> Thu, 03 Sep 2015 01:16:32 +0000
-
bind9 (1:9.9.5.dfsg-11) unstable; urgency=high
* Fix CVE-2015-5477: maliciously crafted TKEY query can cause named to exit
(closes: #793903).
-- Michael Gilbert <email address hidden> Wed, 29 Jul 2015 23:46:48 +0000
-
bind9 (1:9.9.5.dfsg-10) unstable; urgency=high
* Fix CVE-2015-4620: DNSSEC validation of a malicously crafted zone can
cause the resolver to crash (closes: #791715).
-- Michael Gilbert <email address hidden> Thu, 09 Jul 2015 00:43:38 +0000
-
bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
* Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
affecting setups using DNSSEC (closes: #778733).
-- Michael Gilbert <email address hidden> Thu, 19 Feb 2015 03:42:21 +0000
-
bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
* Launch rndc command in the background in networking scripts to avoid a
hang in named from bringing down the entire network (closes: #760555).
-- Michael Gilbert <email address hidden> Thu, 01 Jan 2015 17:51:52 +0000
-
bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium
* Fix CVE-2014-8500: limit recursion in order to avoid memory consuption
issues that can lead to denial-of-service (closes: #772610).
-- Michael Gilbert <email address hidden> Sun, 14 Dec 2014 05:05:48 +0000
-
bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium
* Include dlz_dlopen.h in libbind-dev (closes: #769117).
-- Michael Gilbert <email address hidden> Sun, 30 Nov 2014 22:53:50 +0000
-
bind9 (1:9.9.5.dfsg-5) unstable; urgency=medium
* Avoid libnsl dependency on non-linux architectures. Closes: #766430
* Install export libraries to /lib instead of /usr/lib. Closes: #766544
* Add myself to the maintainer team with approval from LaMont and Bdale.
-- Michael Gilbert <email address hidden> Thu, 30 Oct 2014 02:42:17 +0000
-
bind9 (1:9.9.5.dfsg-4.3) unstable; urgency=medium
* Non-maintainer upload.
* Mark critical section as not parallel in the makefile. Closes: #762766
-- Michael Gilbert <email address hidden> Mon, 13 Oct 2014 04:37:55 +0000
-
bind9 (1:9.9.5.dfsg-4.2) unstable; urgency=low
* Non-maintainer upload.
* Fix intermittent parallel build failure. Closes: #762766
* Set -fno-delete-null-pointer-checks. Closes: #750760
* Use separate packages for the udebs. Closes: #762762
* Don't install configuration files to /usr. Closes: #762948
-- Michael Gilbert <email address hidden> Mon, 06 Oct 2014 01:23:57 +0000
-
bind9 (1:9.9.5.dfsg-4.1) unstable; urgency=low
* Non-maintainer upload.
* Add support for hurd. Closes: #746540
* Provide shared libraries for isc-dhcp. Closes: #656150
-- Michael Gilbert <email address hidden> Sun, 14 Sep 2014 00:58:06 +0000
-
bind9 (1:9.9.5.dfsg-4) unstable; urgency=low
[Julien Cristau]
* FTBFS on kfreebsd. Closes: #741285
[LaMont Jones]
* revert aclocal.m4 expansion from earlier merge
-- LaMont Jones <email address hidden> Tue, 29 Apr 2014 14:48:50 -0600
-
bind9 (1:9.9.5.dfsg-3) unstable; urgency=low
* Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823
-- LaMont Jones <email address hidden> Mon, 24 Mar 2014 06:55:55 -0600
-
bind9 (1:9.9.5.dfsg-2) unstable; urgency=low
* merge in ubuntu 1:9.9.3.dfsg.P2-4ubuntu3
* move dnssec-coverage to bind9utils. Closes: #739994
* dnssec-{checkds,verify} manpages in wrong package. Closes: #739995
-- LaMont Jones <email address hidden> Wed, 26 Feb 2014 09:30:31 -0700
-
bind9 (1:9.9.3.dfsg.P2-4) unstable; urgency=low
[Peter Marschall]
* If rndc.conf exists, skip creation of rndc.key. Closes: #620394
[Al Tarakanoff]
* properly quote check of pid in bind9 init.d. LP: #1092243
[LaMont Jones]
* include distro and package version in version string
* apparmor: allow GeoIP data file access. LP: #834901
* enable filter-aaaa. Closes: #701704 LP: #1115168
-- LaMont Jones <email address hidden> Thu, 29 Aug 2013 16:22:29 -0600
-
bind9 (1:9.9.3.dfsg.P2-3) unstable; urgency=low
[Michael Stapelberg]
* add systemd service file. Closes: #718212
[LaMont Jones]
* deliver more dnssec-* tools in bind9utils. Closes: #713026
* support parallel=N DEB_BUILD_OPTIONS, fix -j build. Closes: #713025
* deliver rrl.h and stat.h Closes: #692483, #720813
-- LaMont Jones <email address hidden> Tue, 27 Aug 2013 10:06:37 -0600
-
bind9 (1:9.9.3.dfsg.P2-2) unstable; urgency=low
* ack NMUs of 9.8.4
- upstream 9.9.3-P2 fixes: CVE-2013-4854, CVE-2012-5689,
CVE-2013-2266
- deliver rrl.h
[LaMont Jones]
* Use ISC's bin/tests
* Diff cleanup and rationalization to 9.9.3 upstream
-- LaMont Jones <email address hidden> Sat, 17 Aug 2013 07:09:54 -0600
-
bind9 (1:9.8.4.dfsg.P1-6+nmu3) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2013-4854: A specially crafted query that includes malformed rdata can
cause named to terminate with an assertion failure while rejecting the
malformed query. (Closes: #717936).
-- Salvatore Bonaccorso <email address hidden> Sat, 27 Jul 2013 10:24:07 +0200
-
bind9 (1:9.8.4.dfsg.P1-6+nmu2) unstable; urgency=medium
* Non-maintainer upload.
* Install /usr/include/dns/rrl.h (closes: #699834).
-- Michael Gilbert <email address hidden> Tue, 16 Apr 2013 01:59:05 +0000
-
bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
lookup for a record with an A record overwrite rule in a Response Policy
Zone (closes: #699145).
* Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
-- Michael Gilbert <email address hidden> Fri, 29 Mar 2013 00:47:25 +0000
-
bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low
[Ben Hutchings]
* Initialise OpenSSL before calling chroot(). Closes: #696661
-- LaMont Jones <email address hidden> Fri, 01 Mar 2013 08:23:27 -0700
-
bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low
[LaMont Jones]
* Properly acknowledge 1:9.8.1.dfsg.P1-4.4: [Philipp Kern]
- Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing the patch.
[Paul Vixie]
* Include rpz/rrl patches from http://www.redbarn.org/dns/ratelimits.
Closes: #698641
-- LaMont Jones <email address hidden> Wed, 30 Jan 2013 14:04:35 -0700
-
bind9 (1:9.8.4.dfsg.P1-4) unstable; urgency=high
* The rest of the dnssec validation logspam removal. Closes: #697681
-- LaMont Jones <email address hidden> Mon, 21 Jan 2013 13:18:53 -0700
-
bind9 (1:9.8.4.dfsg.P1-3) unstable; urgency=low
[Marc Deslauriers]
* debian/bind9.apport: Add AppArmor info and logs to apport hook.
[LaMont Jones]
* Reduce log level for "sucessfully validated after lower casing" dnssec
based on mail from Mark Andrews. Closes: #697681
* remove /var/lib/bind/bind9-default.md5sum in postrm
* remove /etc/bind/named.conf.options on purge. Closes: #668801
-- LaMont Jones <email address hidden> Wed, 09 Jan 2013 09:47:24 -0700
-
bind9 (1:9.8.4.dfsg.P1-2) unstable; urgency=low
[Michael Gilbert]
* Use /var/lib/bind for state file. Closes: #689332
[LaMont Jones]
* Re-enable dlopen, do not build the test that fails. Closes: #692416
* Update db.root with new IP for D.root-servers.net. Closes: #697352
-- LaMont Jones <email address hidden> Mon, 07 Jan 2013 06:50:25 -0700
-
bind9 (1:9.8.4.dfsg.P1-1) unstable; urgency=low
* CVE-2012-5688
- Named could die on specific queries with dns64 enabled.
[Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
-- LaMont Jones <email address hidden> Wed, 05 Dec 2012 05:22:06 -0700
-
bind9 (1:9.8.4.dfsg-1) unstable; urgency=low
[Matthew Grant]
* Turn off dlopen as it was causing test compile failures.
* Add missing library .postrm files for debhelper
[LaMont Jones]
* New upstream version
* soname fixup
* Ack NMUs
-- LaMont Jones <email address hidden> Mon, 29 Oct 2012 08:37:49 -0600
-
bind9 (1:9.8.1.dfsg.P1-4.3) unstable; urgency=medium
[ Philipp Kern ]
* Non-maintainer upload.
[ Marc Deslauriers ]
* SECURITY UPDATE: denial of service via specific combinations of RDATA
- bin/named/query.c: fix logic
- Patch backported from 9.8.3-P4
- CVE-2012-5166
-- Philipp Kern <email address hidden> Sun, 28 Oct 2012 20:28:11 +0100
-
bind9 (1:9.8.1.dfsg.P1-4.2) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix denial of service vulnerability triggered
through an assert because of using bad cache
(CVE-2012-3817; Closes: #683259).
-- Nico Golde <email address hidden> Mon, 30 Jul 2012 20:56:10 +0200
-
bind9 (1:9.8.1.dfsg.P1-4.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* SECURITY UPDATE: ghost domain names attack
- lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that
of the old NS RRset when replacing it.
- Patch backported from 9.8.2.
- CVE-2012-1033
* SECURITY UPDATE: denial of service via zero length rdata handling
- lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for
duplicate rdata.
- Patch backported from 9.8.3-P1.
- CVE-2012-1667
-- Luk Claes <email address hidden> Wed, 20 Jun 2012 15:26:09 -0400
-
bind9 (1:9.8.1.dfsg.P1-4) unstable; urgency=low
[Christoph Egger]
* define _GNU_SOURCE on kfreebsd et al. Closes: #658201
[LaMont Jones]
* chmod typo in postinst. LP: #980798
* Correctly order debhelper bits in postrm. Closes: #661040
-- LaMont Jones <email address hidden> Fri, 13 Apr 2012 12:09:24 -0600
-
bind9 (1:9.8.1.dfsg.P1-3) unstable; urgency=low
[Zlatan Todoric]
* fixed Serbian latin translation of debconf template. Closes: #634951
[Peter Eisentraut]
* Add support for "status" action to lwresd init script. Closes: #651540
[Bjørn Steensrud]
* NB Translations. Closes: #654454
[LaMont Jones]
* Default to run_resolvconf=false. LP: #933723
* Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202
* Do not deliver /usr/share/bind9/bind9-default.md5sum in the bind9 deb.
Closes: #620007 LP: #681536
* Deliver and use /etc/apparmor.d/local/usr.sbin.named for local overrides.
LP: #929563
-- LaMont Jones <email address hidden> Fri, 17 Feb 2012 14:40:29 -0800
-
bind9 (1:9.8.1.dfsg.P1-2) unstable; urgency=low
* Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202
-- LaMont Jones <email address hidden> Wed, 25 Jan 2012 03:55:21 -0700
-
bind9 (1:9.8.1.dfsg.P1-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.8.1-P1
- Cache lookup could return RRSIG data associated with nonexistent
records, leading to an assertion failure.
[LaMont Jones]
* add a readme entry for DNSSEC-by-default
* Failed to install due to chgrp on non-existant directory. Closes: #647598
* ack NMU: l10n issues
-- LaMont Jones <email address hidden> Wed, 18 Jan 2012 10:44:14 -0700
-
bind9 (1:9.8.1.dfsg-1.1) unstable; urgency=low
* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
- Danish (Joe Hansen). Closes: #619302
- Korean (강민지). Closes: #632006, #632016
- Serbian (FULL NAME). Closes: #634886
-- Christian Perrier <email address hidden> Sat, 03 Dec 2011 17:22:12 +0100
-
bind9 (1:9.8.1.dfsg-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* New upstream release
[LaMont Jones]
* cleanup the messages around killing named
* enable dnssec validation: deliver named.conf.options outside of
conffiledom, and update if able, complain and do not update if not
Closes: #516979
* typo in min-ncache-ttl processing
* disable dlz until we get a patch to make it build again
[Jay Ford]
* Fix "waiting for pid $pid to die" loop to not be infinite. Closes: #570852
-- LaMont Jones <email address hidden> Tue, 01 Nov 2011 16:39:19 -0600
-
bind9 (1:9.7.3.dfsg-1) unstable; urgency=low
[Peter Palfrader] * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right db. [Internet Systems Consortium, Inc] * 9.7.3 - Closes: #612287 [Mahyuddin Susanto] * Updated Indonesian debconf templates. Closes: #608559 [LaMont Jones] * soname changes -- LaMont Jones <email address hidden> Wed, 23 Feb 2011 09:14:36 -0700
-
bind9 (1:9.7.2.dfsg.P3-1.1) unstable; urgency=low
* Non-maintainer upload. * Fix encoding of Danish debconf translation -- Christian Perrier <email address hidden> Wed, 12 Jan 2011 19:49:15 +0100
-
bind9 (1:9.7.2.dfsg.P3-1) unstable; urgency=high
[ISC] * Fix denial of service via ncache entry and a rrsig for the same type (CVE-2010-3613) * answers were incorrectly marked as insecure during key algorithm rollover (CVE-2010-3614) * Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones had no effect. (CVE-2010-3615) [LaMont Jones] * Adjust indentation for dpkg change. Closes: #597171 -- LaMont Jones <email address hidden> Wed, 01 Dec 2010 16:32:48 -0700
-
bind9 (1:9.7.2.dfsg.P2-2) unstable; urgency=low
[Roy Jamison]
* lib/isc/unix/resource.c was missing inttypes.h include. LP: #674199
-- LaMont Jones <email address hidden> Fri, 12 Nov 2010 10:52:32 -0700
-
bind9 (1:9.7.2.dfsg.P2-1) unstable; urgency=low
[Joe Dalton]
* Add Danish translation of debconf templates. Closes: #599431
[Internet Software Consortium, Inc]
* v9.7.2-P2
[José Figueiredo]
* Add Brazilian Portuguese debconf templates translation. Closes: #597616
[LaMont Jones]
* drop this v3 (quilt) source format idea. Closes: #589916
-- LaMont Jones <email address hidden> Sun, 10 Oct 2010 19:01:57 -0600
-
bind9 (1:9.7.1.dfsg.P2-2) unstable; urgency=low
* Correct conflicts for bind9-host
-- LaMont Jones <email address hidden> Fri, 16 Jul 2010 05:24:38 -0600
-
bind9 (1:9.7.1.dfsg.P2-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* Temporarily and partially disable change 2864 because it would cause
inifinite attempts of RRSIG queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later. [RT #21710]
* Temporarially rollback change 2748. [RT #21594]
* Named failed to accept uncachable negative responses from insecure zones.
[RT# 21555]
[LaMont Jones]
* freshen copyright file
-- LaMont Jones <email address hidden> Thu, 15 Jul 2010 15:07:54 -0600
-
bind9 (1:9.7.1.dfsg-2) unstable; urgency=low
[Regid Ichira]
* explicitly add nsupdate to dynamic updates in README.Debian.
Closes: #577398
[LaMont Jones]
* Cleanup bind9-host description. Closes: #579421
* switch to 3.0 (quilt) source format, but not to quilt. Closes: #578210
[Stephen Gran]
* updated geoip patch for ipv6, based on work by John 'Warthog9' Hawley
<email address hidden>. Closes: #584603
-- LaMont Jones <email address hidden> Fri, 02 Jul 2010 08:19:29 -0600
-
bind9 (1:9.7.1.dfsg-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.7.1
[LaMont Jones]
* Add freebsd support. Closes: #578447
* soname changes
* freshen root cache. LP: #596363
-- LaMont Jones <email address hidden> Mon, 21 Jun 2010 09:53:30 -0600
-
bind9 (1:9.7.0.dfsg.P1-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.7.0-P1
- 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
-- LaMont Jones <email address hidden> Wed, 17 Mar 2010 08:06:42 -0600
-
bind9 (1:9.7.0.dfsg.1-1) unstable; urgency=low
[Niko Tyni]
* fix mips/mipsel startup. Closes: #516616
[LaMont Jones]
* ignore failures due to a lack of /etc/bind/named.conf*. LP: #422968
* ldap API changed regarding % sign. LP: #227344
* Drop more rfc and draft files. Closes: #572606
* update config.guess, config.sub. Closes: #572528
-- LaMont Jones <email address hidden> Fri, 12 Mar 2010 14:56:08 -0700
-
bind9 (1:9.7.0.dfsg-2) unstable; urgency=low
[Aurelien Jarno]
* kfreebsd has linux threads. Closes: #470500
[LaMont Jones]
* do not error out on initial install. Closes: #572443
-- LaMont Jones <email address hidden> Thu, 04 Mar 2010 09:32:13 -0700
-
bind9 (1:9.7.0.dfsg-1) unstable; urgency=low
* New upstream release
-- LaMont Jones <email address hidden> Wed, 17 Feb 2010 14:53:36 -0700
-
bind9 (1:9.6.1.dfsg.P3-1) unstable; urgency=low
* New upstream release. CVE-2010-0097
-- LaMont Jones <email address hidden> Tue, 19 Jan 2010 11:29:51 -0700
-
bind9 (1:9.6.1.dfsg.P2-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.6.1-P2
- When validating, track whether pending data was from the
additional section or not and only return it if validates
as secure. [RT #20438] CVE-2009-4022
[LaMont Jones]
* prerm: do not stop named on upgrade. Closes: #542888
* Drop some RFCs that crept into the diff.
* meta: add ${misc:Depends}
* lintian: update config.guess, config.sub in idnkit-1.0 tree
* dnsutils: remove pre-sarge dpkg-divert calls in postinst
* meta: soname changes
* l10n: missing newline in pofile.
-- LaMont Jones <email address hidden> Fri, 27 Nov 2009 10:07:10 -0700
-
bind9 (1:9.6.1.dfsg.P1-3) unstable; urgency=low
* Build-Depend on the fixed libgeoip-dev. Closes: #540973
-- LaMont Jones <email address hidden> Mon, 17 Aug 2009 06:53:11 -0600
-
bind9 (1:9.6.1.dfsg.P1-2) unstable; urgency=low
[Jamie Strandboge]
* reload individual named profile, not all of apparmor. LP: #412751
[Guillaume Delacour]
* bind9 did not purge cleanly. Closes: #497959
[LaMont Jones]
* postinst: do not append a blank line to /etc/default/bind9.
Closes: #541469
* init.d stop needs to not error out. LP: #398033
* meta: fix build-depends. Closes: #539230
-- LaMont Jones <email address hidden> Fri, 14 Aug 2009 17:03:31 -0600
-
bind9 (1:9.6.1.dfsg.P1-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* A specially crafted update packet will cause named to exit.
CVE-2009-0696, CERT VU#725188. Closes: #538975
[InterNIC]
* Update db.root hints file.
[LaMont Jones]
* Move default zone definitions from named.conf to named.conf.default-zones.
Closes: #492308
* use start-stop-daemon if rndc stop fails. Closes: #536487
* lwresd: pidfile name was wrong in init script. Closes: #527137
-- LaMont Jones <email address hidden> Tue, 28 Jul 2009 22:03:14 -0600
-
bind9 (1:9.6.1.dfsg-2) unstable; urgency=low
* ia64: fix atomic.h
-- LaMont Jones <email address hidden> Tue, 23 Jun 2009 01:56:35 -0600
-
bind9 (1:9.6.0.dfsg.P1-2) unstable; urgency=low
* random_1 broke memory usage assertions.
-- LaMont Jones <email address hidden> Thu, 23 Apr 2009 05:15:45 -0600
-
bind9 (1:9.5.1.dfsg.P2-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.5.1-P2
- DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479]
[LaMont Jones]
* meta: fix override disparity
[Sven Joachim]
* meta: pass host and build into configure for hybrid build machines.
Closes: #515110
-- LaMont Jones <email address hidden> Fri, 20 Mar 2009 19:08:03 -0600
-
bind9 (1:9.5.1.dfsg.P1-3) unstable; urgency=low
* package -2 for unstable
-- LaMont Jones <email address hidden> Wed, 18 Mar 2009 09:40:18 -0600
-
bind9 (1:9.5.1.dfsg.P1-1) unstable; urgency=low
* New upstream patch release
- supportable version of fix from 9.5.0.dfsg.P2-5.1
- CVE-2009-0025: Closes: #511936
- 2475: Overly agressive cache entry removal. Closes: #511768
- other bug fixes worthy of patch-release inclusion
-- LaMont Jones <email address hidden> Mon, 26 Jan 2009 10:33:42 -0700
-
bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low
* Non-maintainer upload.
* Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
contacted him. Closes: #496954, #501800.
* Remove obsolete dh_installmanpages invocation which was adding
unwanted manual pages to bind9. Closes: #486196.
-- Ben Hutchings <email address hidden> Fri, 02 Jan 2009 16:51:42 +0000
-
bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low
[ISC]
* 2463: IPv6 Advanced Socket API broken on linux. LP: #249824
[Jamie Strandboge]
* apparmor: add capability sys_resource
* apparmor: add krb keytab access. LP: #277370
[LaMont Jones]
* apparmor: allow proc/*/net/if_inet6 read access too. LP: #289060
* apparmor: add /var/log/named/* entries. LP: #294935
[Ben Hutchings]
* meta: Add dependency of bind9 on net-tools (ifconfig used in init script)
* meta: Fix bind9utils Depends.
* meta: fix typo in package description
[localization folks]
* l10n: add polish debconf translations. Closes: #506856 (L)
-- LaMont Jones <email address hidden> Sun, 07 Dec 2008 21:03:29 -0700
-
bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
* meta: fix typo in Depends: lsb-base. Closes: #501365
-- LaMont Jones <email address hidden> Tue, 07 Oct 2008 17:20:11 -0600
