Change logs for bind9 source package in Disco

  • bind9 (1:9.11.5.P1+dfsg-1ubuntu2.6) disco-security; urgency=medium
    
      * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
        connection
        - debian/patches/CVE-2019-6477.patch: limit number of clients in
          bin/named/client.c, bin/named/include/named/client.h.
        - CVE-2019-6477
    
     -- Marc Deslauriers <email address hidden>  Mon, 18 Nov 2019 09:52:07 -0500
  • bind9 (1:9.11.5.P1+dfsg-1ubuntu2.5) disco-security; urgency=medium
    
      * SECURITY UPDATE: DoS via malformed packets
        - debian/patches/CVE-2019-6471.patch: fix race condition in
          lib/dns/dispatch.c.
        - CVE-2019-6471
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Jun 2019 18:50:18 -0400
  • bind9 (1:9.11.5.P1+dfsg-1ubuntu2.4) disco; urgency=medium
    
      * d/rules: add back EdDSA support (LP: #1825712)
    
     -- Andreas Hasenack <email address hidden>  Fri, 26 Apr 2019 14:20:00 +0000
  • bind9 (1:9.11.5.P1+dfsg-1ubuntu2.3) disco-security; urgency=medium
    
      * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
        - debian/patches/CVE-2018-5743.patch: add reference counting in
          bin/named/client.c, bin/named/include/named/client.h,
          bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
          lib/isc/include/isc/quota.h, lib/isc/quota.c,
          lib/isc/win32/libisc.def.in.
        - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
          operations with isc_refcount reference counting in
          bin/named/client.c, bin/named/include/named/interfacemgr.h,
          bin/named/interfacemgr.c.
        - debian/libisc1100.symbols: added new symbols.
        - CVE-2018-5743
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 Apr 2019 05:00:07 -0400
  • bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
    
      * SECURITY UPDATE: memory leak via specially crafted packet
        - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
          options in bin/named/client.c.
        - CVE-2018-5744
      * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
        unsupported key algorithm when using managed-keys
        - debian/patches/CVE-2018-5745.patch: properly handle situations when
          the key tag cannot be computed in lib/dns/include/dst/dst.h,
          lib/dns/zone.c.
        - CVE-2018-5745
      * SECURITY UPDATE: Controls for zone transfers may not be properly
        applied to Dynamically Loadable Zones (DLZs) if the zones are writable
        - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
          the zone table as a DLZ zone in bin/named/xfrout.c.
        - CVE-2019-6465
    
     -- Marc Deslauriers <email address hidden>  Fri, 22 Feb 2019 10:52:30 +0100
  • bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Build without lmdb support as that package is in Universe
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
          option (LP #1804648)
        - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
          close to a query timeout (LP #1797926)
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
    
    bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
    
      * New upstream version 9.11.5.P1+dfsg
    
     -- Andreas Hasenack <email address hidden>  Thu, 17 Jan 2019 18:59:25 -0200
  • bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Build without lmdb support as that package is in Universe
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
      * Dropped:
        - SECURITY UPDATE: denial of service crash when deny-answer-aliases
          option is used
          + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
            trigger a crash if deny-answer-aliases was set
          + debian/patches/CVE-2018-5740-2.patch: add tests
          + debian/patches/CVE-2018-5740-3.patch: calculate nlabels and set
            chainingp correctly, add test
          + CVE-2018-5740
            [Fixed in new upstream version 9.11.5]
        - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
          line (Closes: #904983)
          [Fixed in 1:9.11.4+dfsg-4]
        - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
          [Fixed in 1:9.11.4.P1+dfsg-1]
        - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
          (it depends on OpenSSL version) (Closes: #897643)
          [Fixed in 1:9.11.4.P1+dfsg-1]
      * Added:
        - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
          option (LP: #1804648)
        - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
          close to a query timeout (LP: #1797926)
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
    
    bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
    
      * Use <email address hidden> as Maintainer address
      * New upstream version 9.11.5+dfsg
      * Add EXTENSIONS= to version file programmatically, not with the patch
      * Rebase patches for BIND 9.11.5
      * Adjust package names for new SONAMEs
    
    bind9 (1:9.11.4.P2+dfsg-3) unstable; urgency=medium
    
      * Also avoid OpenSSL 1.1.1 in udebs.
        Thanks to KiBi for the hint
      * autopkgtest: Make an external query and check for DNSSEC
    
    bind9 (1:9.11.4.P2+dfsg-2) unstable; urgency=medium
    
      * Temporarily disable EDDSA to relax OpenSSL version requirement
    
    bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium
    
      [ Bernhard Schmidt ]
      * Add a very simple autopkgtest (dig @127.0.0.1)
    
      [ Ondřej Surý ]
      * New upstream version 9.11.4.P2+dfsg
      * Rebase patches for BIND 9.11.4-P2
    
    bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium
    
      [ Timo Aaltonen ]
      * skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
        crashing on startup. (LP: #1769440)
    
      [ Bernhard Schmidt ]
      * Add gbp.conf for pristine-tar usage
      * d/watch: Properly deal with -P patch releases
    
      [ Ondřej Surý ]
      * Don't fail to start if /etc/default/bind9 doesn't exist
      * New upstream version 9.11.4.P1+dfsg
      * Rebase patches for BIND 9.11.4-P1
      * Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643)
      * Put aside named.conf.option from stretch when upgrading (Closes: #905177)
    
    bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
    
      * Brown-paper-bag release :-(
      * Fix missing colon in AppArmor profile (Closes: #904983)
    
     -- Andreas Hasenack <email address hidden>  Thu, 13 Dec 2018 19:40:23 -0200
  • bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
    
      * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
    
     -- Dimitri John Ledkov <email address hidden>  Sat, 29 Sep 2018 01:36:45 +0100