-
bind9 (1:9.16.48-0ubuntu0.20.04.1) focal-security; urgency=medium
* Updated to 9.16.48 to fix multiple security issues.
- Please see the following for a list of changes, including possibly
incompatible ones:
https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.html
- CVE-2023-4408
- CVE-2023-5517
- CVE-2023-6516
- CVE-2023-50387
- CVE-2023-50868
* Packaging changes required for 9.16.48:
- Dropped patches no longer required with 9.16.48:
+ CVE-*.patch
+ fix-rebinding-protection.patch,
+ 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
+ lp-1909950-fix-race-between-deactivating-handle-async-callback.patch
+ lp1997375-segfault-isc-nm-tcp-send.patch
- Synced other patches with Debian's 1:9.16.48-1 package
- debian/*.install, debian/*.links: updated with new files in 9.16.48.
- debian/rules, debian/not-installed: don't delete old -dev files, just
don't install them.
- debian/control, debian/rules: switch packages required to build
documentation.
-- Marc Deslauriers <email address hidden> Wed, 14 Feb 2024 07:49:14 -0500
-
bind9 (1:9.16.1-0ubuntu2.16) focal-security; urgency=medium
* SECURITY UPDATE: DoS via recusive packet parsing
- debian/patches/CVE-2023-3341.patch: add a max depth check to
lib/isccc/include/isccc/result.h, lib/isccc/result.c, lib/isccc/cc.c.
- CVE-2023-3341
-- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:22:19 -0400
-
bind9 (1:9.16.1-0ubuntu2.15) focal-security; urgency=medium
* SECURITY UPDATE: Configured cache size limit can be significantly
exceeded
- debian/patches/CVE-2023-2828.patch: fix cache expiry in
lib/dns/rbtdb.c.
- CVE-2023-2828
-- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:38:29 -0400
-
bind9 (1:9.16.1-0ubuntu2.14) focal; urgency=medium
* d/bind9.named.service: restart the named service on failure.
(LP: #2006054)
bind9 (1:9.16.1-0ubuntu2.13) focal; urgency=medium
* d/p/lp1997375-segfault-isc-nm-tcp-send.patch: Fix segfault on
isc__nm_tcpdns_send by moving the tcpdns processing to another
thread. (LP: #1997375)
-- Athos Ribeiro <email address hidden> Fri, 03 Mar 2023 12:37:25 -0300
-
bind9 (1:9.16.1-0ubuntu2.13) focal; urgency=medium
* d/p/lp1997375-segfault-isc-nm-tcp-send.patch: Fix segfault on
isc__nm_tcpdns_send by moving the tcpdns processing to another
thread. (LP: #1997375)
-- Sergio Durigan Junior <email address hidden> Thu, 02 Feb 2023 13:38:24 -0500
-
bind9 (1:9.16.1-0ubuntu2.12) focal-security; urgency=medium
* SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
available memory
- debian/patches/CVE-2022-3094.patch: add counter in
bin/named/bind9.xsl, bin/named/statschannel.c,
lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
lib/ns/server.c, lib/ns/update.c.
- CVE-2022-3094
-- Marc Deslauriers <email address hidden> Tue, 24 Jan 2023 08:30:54 -0500
-
bind9 (1:9.16.1-0ubuntu2.11) focal-security; urgency=medium
* SECURITY UPDATE: Processing large delegations may severely degrade
resolver performance
- debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
- CVE-2022-2795
* SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code
- debian/patches/CVE-2022-38177.patch: fix return handling in
lib/dns/opensslecdsa_link.c.
- CVE-2022-38177
* SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
- debian/patches/CVE-2022-38178.patch: fix return handling in
lib/dns/openssleddsa_link.c.
- CVE-2022-38178
-- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 08:05:01 -0400
-
bind9 (1:9.16.1-0ubuntu2.10) focal-security; urgency=medium
* SECURITY UPDATE: cache poisoning via bogus NS records
- debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
records into the cache in lib/dns/resolver.c.
- CVE-2021-25220
-- Marc Deslauriers <email address hidden> Tue, 15 Mar 2022 10:11:35 -0400
-
bind9 (1:9.16.1-0ubuntu2.9) focal-security; urgency=medium
* SECURITY UPDATE: resolver performance degradation via lame cache abuse
- debian/patches/CVE-2021-25219.patch: disable lame cache in
bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
- CVE-2021-25219
-- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 07:00:32 -0400
-
bind9 (1:9.16.1-0ubuntu2.8) focal-security; urgency=medium
* SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
- debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
- CVE-2021-25214
* SECURITY UPDATE: assert via answering certain queries for DNAME records
- debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
- CVE-2021-25215
* SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
- debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
- CVE-2021-25216
-- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:15:23 -0400
-
bind9 (1:9.16.1-0ubuntu2.7) focal; urgency=medium
* Fix a race between deactivating socket handle and processing
async callbacks, which can lead to sockets not being closed
properly, exhausting TCP connection limits. (LP: #1909950)
- d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch
-- Matthew Ruffell <email address hidden> Thu, 18 Feb 2021 16:28:44 +1300
-
bind9 (1:9.16.1-0ubuntu2.6) focal-security; urgency=medium
* SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
- CVE-2020-8625
* This update does _not_ contain the changes from 1:9.16.1-0ubuntu2.5 in
focal-proposed.
-- Marc Deslauriers <email address hidden> Tue, 16 Feb 2021 15:08:33 -0500
-
bind9 (1:9.16.1-0ubuntu2.5) focal; urgency=medium
* Fix a race between deactivating socket handle and processing
async callbacks, which can lead to sockets not being closed
properly, exhausting TCP connection limits. (LP: #1909950)
- d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch
-- Matthew Ruffell <email address hidden> Mon, 01 Feb 2021 16:28:44 +1300
-
bind9 (1:9.16.1-0ubuntu2.4) focal; urgency=medium
* Fix rare condition that can break bind9 with a crash (LP: #1896740)
- 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
-- Christian Ehrhardt <email address hidden> Mon, 28 Sep 2020 12:30:22 +0200
-
bind9 (1:9.16.1-0ubuntu2.3) focal-security; urgency=medium
* SECURITY UPDATE: A specially crafted large TCP payload can trigger an
assertion failure
- debian/patches/CVE-2020-8620.patch: add extra checks to
lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/netmgr.c,
lib/isc/netmgr/tcp.c, lib/isc/netmgr/udp.c.
- CVE-2020-8620
* SECURITY UPDATE: Attempting QNAME minimization after forwarding can
lead to an assertion failure
- debian/patches/CVE-2020-8621.patch: disable QNAME minimization in
lib/dns/resolver.c.
- CVE-2020-8621
* SECURITY UPDATE: A truncated TSIG response can lead to an assertion
failure
- debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c.
- CVE-2020-8622
* SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely
triggerable assertion failure
- debian/patches/CVE-2020-8623.patch: add extra checks in
lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h,
lib/isc/pk11.c.
- CVE-2020-8623
* SECURITY UPDATE: update-policy rules of type subdomain were enforced
incorrectly
- debian/patches/CVE-2020-8624.patch: add extra check in
bin/named/zoneconf.c.
- CVE-2020-8624
-- Marc Deslauriers <email address hidden> Tue, 18 Aug 2020 07:38:53 -0400
-
bind9 (1:9.16.1-0ubuntu2.2) focal-security; urgency=medium
* SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
- debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
lib/ns/include/ns/client.h, lib/ns/xfrout.c.
- CVE-2020-8618
* SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
label was queried in a certain pattern
- debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
- CVE-2020-8619
-- Marc Deslauriers <email address hidden> Tue, 16 Jun 2020 09:29:41 -0400
-
bind9 (1:9.16.1-0ubuntu2.1) focal-security; urgency=medium
* SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
- debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
- CVE-2020-8616
* SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
- debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
- CVE-2020-8617
-- Marc Deslauriers <email address hidden> Fri, 15 May 2020 08:03:11 -0400
-
bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
* d/p/fix-rebinding-protection.patch: fix rebinding protection bug
when using forwarder setups (LP: #1873046)
-- Andreas Hasenack <email address hidden> Wed, 15 Apr 2020 14:59:51 -0300
-
bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium
* New upstream release: 19.16.1 (LP: #1868272)
- drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream
- drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Andreas Hasenack <email address hidden> Tue, 24 Mar 2020 11:44:46 -0300
-
bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium
* d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now
in main (LP: #1866875)
-- Andreas Hasenack <email address hidden> Mon, 16 Mar 2020 16:17:47 -0300
-
bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium
* d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP
client quota limits (LP: #1866378)
* d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in
dns_client_addtrustedkey (LP: #1866384)
-- Andreas Hasenack <email address hidden> Fri, 06 Mar 2020 15:12:56 -0300
-
bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium
* d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP: #1864761
bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium
* d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP: #1864761)
bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/control, d/rules: go back to old geoip support, since
libmaxminddb (for GeoIP2) is in universe
* Added back from sid packaging:
- d/t/control, d/t/simpletest: bring back the dep8 test from
debian/sid, with our delta to not query external hosts
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
- d/rules: fix typo in the apparmor profile installation
* Added:
- d/control: create transitional packages for dnsutils, bind9utils
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
bind9 (1:9.16.0-1) experimental; urgency=medium
* Change the branch to 9.16
* New upstream version 9.16.0
bind9 (1:9.15.8-1) experimental; urgency=medium
* New upstream version 9.15.8
bind9 (1:9.15.7-1) experimental; urgency=medium
* Add libuv1-dev, libcmocka-dev, libedit-dev and zlib1g-dev to B-D
* Update d/watch to use tar.xz
* New upstream version 9.15.7
bind9 (1:9.15.6-1) experimental; urgency=medium
* Remove useless patches
* New upstream version 9.15.6
bind9 (1:9.15.5-1) experimental; urgency=medium
* New upstream version 9.15.5
* Install python files to dist-packages (Courtesy of Jim Popovitch)
* Remove GPL licensed apport file until one with better license is available
* Remove debian/nslookup.1
* Remove 4-clause BSD content from the package
bind9 (1:9.15.4-1) unstable; urgency=medium
* New upstream version 9.15.4
bind9 (1:9.15.3-2) unstable; urgency=medium
* Fix the section for bind9 alias in the systemd unit [GL #1193]
bind9 (1:9.15.3-1) unstable; urgency=medium
* New upstream version 9.15.3
* isc-config has been removed, remove it from the debian/
bind9 (1:9.15.2-2) unstable; urgency=medium
* Tighten libmaxminddb-dev dependency
* Install the tmpfile for named service again
bind9 (1:9.15.2-1) unstable; urgency=medium
* New upstream version 9.15.2
* Disable old GeoIP and enable new GeoIP2
bind9 (1:9.15.1-2) experimental; urgency=medium
* Change --with-json=/usr to --with-json-c (and use pkg-config)
bind9 (1:9.15.1-1) experimental; urgency=medium
* New upstream version 9.15.1
* Rebase patches for 9.15.1
bind9 (1:9.15.0-2) experimental; urgency=medium
* Fix Debian buster armhf build
bind9 (1:9.15.0-1) experimental; urgency=medium
* Update debian/ for BIND 9.15
* New upstream version 9.15.0
bind9 (1:9.14.2-1) experimental; urgency=medium
* Make named.service to be known as bind9.service
* New upstream version 9.14.2
bind9 (1:9.14.1-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.14.1
* Remove the transitional packages and only keep bind9 names as the
product name is 'BIND 9'
[ Bernhard Schmidt ]
* Update AppArmor policy for Samba AD DLZ.
Thanks to Steven Monai (Closes: #920530)
* More fixes to the AppArmor policy
* AppArmor policy: Allow access to /dev/urandom
* AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
bind9 (1:9.14.0-1) experimental; urgency=medium
* New upstream version 9.14.0
bind9 (1:9.14.0~rc3-1) experimental; urgency=medium
* New upstream version 9.14.0~rc3
bind9 (1:9.14.0~rc2-1) experimental; urgency=medium
* New upstream version 9.14.0~rc2
* Plugins are now in /usr/lib/<triplet>/named/*.so
bind9 (1:9.14.0~rc1-1) experimental; urgency=medium
* Update branches for DEP-14
* Bump the d/watch from 9.13 -> 9.14
* New upstream version 9.14.0~rc1
bind9 (1:9.13.6-2) experimental; urgency=medium
* Add B/R for dnsutils
bind9 (1:9.13.6-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.13.6
* Add usr/share/man/man8/filter-aaaa.8 to the bind package
* Rename packages back to BIND 9
* Rename the init scripts to named to match the name of the daemon
* Bump to debhelper compat level 12
* Fix dh_install, dh_installinit and dh_installsystemd invocation for
debhelper-compat level 12
* Add new upstream GPG signing-key
* Disable building in subdirectory
* Add bind-libs transitional package to cleanly remove src:bind from the
archive
* Disable subdirectory build in dh_auto_install target
* Disable dh_auto_test as neither kyua (needed for unit tests) or
setting up virtual interfaces on lo (needed for system tests) is
available in Debian builds
[ Dominik George ]
* Support dyndb modules in apparmor.
* Also allow mapping from dyndb modules.
[ Bernhard Schmidt ]
* apparmor-policy: permit locking of the allow-new-zones database
(Closes: #922065)
* apparmor-policy: allow access to Samba DLZ files (Closes: #920530)
bind (1:9.13.5-1) experimental; urgency=medium
* New upstream version 9.13.5
bind (1:9.13.4-1) experimental; urgency=medium
* Use <email address hidden> as Maintainer address
* New upstream version 9.13.4
bind (1:9.13.3-3) experimental; urgency=medium
* Remove deprecated -r /dev/urandom option from rndc invocation
bind (1:9.13.3-2) experimental; urgency=medium
* Remove --disable-static from the dh_auto_configure call
bind (1:9.13.3-1) experimental; urgency=medium
* New upstream version 9.13.3
* Rebase patches for BIND 9.13.3
bind (1:9.13.3~400-g47066d3d01-1) experimental; urgency=medium
* New upstream version 9.13.3~400-g47066d3d01
bind (1:9.13.3~398-g5c00162f54-1) experimental; urgency=medium
[ Bernhard Schmidt ]
* Enable IDN support for dig+host using libidn2 (Closes: #459010)
* Use root.hints from dns-root-data (Closes: #888491)
* Adjust apparmor profile for dns-root-data
* Fix missing colon in AppArmor profile (Closes: #904983)
* d/watch: Properly deal with -P patch releases
[ Timo Aaltonen ]
* skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 crashing on startup. (LP: #1769440)
[ Ondřej Surý ]
* New upstream version 9.13.3~398-g5c00162f54
* Rebase patches for new upstream snapshot release
bind (1:9.13.2-1~exp0) experimental; urgency=medium
* Don't repack, all non-free files are gone from BIND 9.13
* New upstream version 9.13.2
* Rebase patches for BIND 9.13.2
* Stop providing bind-dev package and checking for symbols, they are not
tightly coupled with rest of the package.
* Add docbook-xsl and docbook-xml to Build-Depends
* Add pkg-config to Build-Depends and cleanup versioned Build-Depends
* Enable dnstap support (Courtesy of Richard James Salts)
* Remove auth-nxdomain no; from named.conf.options (Closes: #896889)
bind (1:9.13.1+dfsg-1) experimental; urgency=medium
* New upstream version 9.13.1+dfsg
* d/watch: Always package the latest version
* d/patches: Remove 0003-Add-min-cache-ttl-and-min-ncache-ttl-keywords.patch,
so we less divert from upstream
* d/patches: Refresh patches on top of BIND 9.13.1
bind (1:9.12.0+dfsg-1~exp1) experimental; urgency=medium
* Move to standard master/upstream/pristine-tar branching
* Add /etc/default/bind file to bind package
* Don't fail the systemd unit if /etc/default/bind doesn't exist
bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium
* New upstream version 9.12.0+dfsg
* Rename bind9 to just bind, and merge all shared libraries into bind-libs.
* Update Vcs-* links to salsa.d.o
* Update d/watch and d/gbp.conf for BIND 9.12
* Remove export version of the libraries; we really need to deprecate ISC-DHCP in buster+1
* d/patches changes:
+ Convert 02_version.diff to sed rule in d/rules
+ Remove the extra native-pkcs11 patch that double builds everything; a solution with OpenSSL engines is far more suitable and less intrusive
+ Remove stdatomic.h patches; already merged upstream into BIND 9.12
+ Refresh all the other patches for BIND 9.12.0
+ Fix the min-(n)cache-ttl patch for BIND 9.12
* Remove isc-hmac-fixup from bind package
* Remove man3 from bind-dev package as they are not installed
* Add dnssec-cds to bind-utils package
* Update missing and new symbols for BIND 9.12
-- Andreas Hasenack <email address hidden> Wed, 26 Feb 2020 20:19:40 -0300
-
bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium
* d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP: #1864761)
-- Andreas Hasenack <email address hidden> Wed, 26 Feb 2020 14:16:04 -0300
-
bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/control, d/rules: go back to old geoip support, since
libmaxminddb (for GeoIP2) is in universe
* Added back from sid packaging:
- d/t/control, d/t/simpletest: bring back the dep8 test from
debian/sid, with our delta to not query external hosts
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
- d/rules: fix typo in the apparmor profile installation
* Added:
- d/control: create transitional packages for dnsutils, bind9utils
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
bind9 (1:9.16.0-1) experimental; urgency=medium
* Change the branch to 9.16
* New upstream version 9.16.0
bind9 (1:9.15.8-1) experimental; urgency=medium
* New upstream version 9.15.8
bind9 (1:9.15.7-1) experimental; urgency=medium
* Add libuv1-dev, libcmocka-dev, libedit-dev and zlib1g-dev to B-D
* Update d/watch to use tar.xz
* New upstream version 9.15.7
bind9 (1:9.15.6-1) experimental; urgency=medium
* Remove useless patches
* New upstream version 9.15.6
bind9 (1:9.15.5-1) experimental; urgency=medium
* New upstream version 9.15.5
* Install python files to dist-packages (Courtesy of Jim Popovitch)
* Remove GPL licensed apport file until one with better license is available
* Remove debian/nslookup.1
* Remove 4-clause BSD content from the package
bind9 (1:9.15.4-1) unstable; urgency=medium
* New upstream version 9.15.4
bind9 (1:9.15.3-2) unstable; urgency=medium
* Fix the section for bind9 alias in the systemd unit [GL #1193]
bind9 (1:9.15.3-1) unstable; urgency=medium
* New upstream version 9.15.3
* isc-config has been removed, remove it from the debian/
bind9 (1:9.15.2-2) unstable; urgency=medium
* Tighten libmaxminddb-dev dependency
* Install the tmpfile for named service again
bind9 (1:9.15.2-1) unstable; urgency=medium
* New upstream version 9.15.2
* Disable old GeoIP and enable new GeoIP2
bind9 (1:9.15.1-2) experimental; urgency=medium
* Change --with-json=/usr to --with-json-c (and use pkg-config)
bind9 (1:9.15.1-1) experimental; urgency=medium
* New upstream version 9.15.1
* Rebase patches for 9.15.1
bind9 (1:9.15.0-2) experimental; urgency=medium
* Fix Debian buster armhf build
bind9 (1:9.15.0-1) experimental; urgency=medium
* Update debian/ for BIND 9.15
* New upstream version 9.15.0
bind9 (1:9.14.2-1) experimental; urgency=medium
* Make named.service to be known as bind9.service
* New upstream version 9.14.2
bind9 (1:9.14.1-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.14.1
* Remove the transitional packages and only keep bind9 names as the
product name is 'BIND 9'
[ Bernhard Schmidt ]
* Update AppArmor policy for Samba AD DLZ.
Thanks to Steven Monai (Closes: #920530)
* More fixes to the AppArmor policy
* AppArmor policy: Allow access to /dev/urandom
* AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
bind9 (1:9.14.0-1) experimental; urgency=medium
* New upstream version 9.14.0
bind9 (1:9.14.0~rc3-1) experimental; urgency=medium
* New upstream version 9.14.0~rc3
bind9 (1:9.14.0~rc2-1) experimental; urgency=medium
* New upstream version 9.14.0~rc2
* Plugins are now in /usr/lib/<triplet>/named/*.so
bind9 (1:9.14.0~rc1-1) experimental; urgency=medium
* Update branches for DEP-14
* Bump the d/watch from 9.13 -> 9.14
* New upstream version 9.14.0~rc1
bind9 (1:9.13.6-2) experimental; urgency=medium
* Add B/R for dnsutils
bind9 (1:9.13.6-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.13.6
* Add usr/share/man/man8/filter-aaaa.8 to the bind package
* Rename packages back to BIND 9
* Rename the init scripts to named to match the name of the daemon
* Bump to debhelper compat level 12
* Fix dh_install, dh_installinit and dh_installsystemd invocation for
debhelper-compat level 12
* Add new upstream GPG signing-key
* Disable building in subdirectory
* Add bind-libs transitional package to cleanly remove src:bind from the
archive
* Disable subdirectory build in dh_auto_install target
* Disable dh_auto_test as neither kyua (needed for unit tests) or
setting up virtual interfaces on lo (needed for system tests) is
available in Debian builds
[ Dominik George ]
* Support dyndb modules in apparmor.
* Also allow mapping from dyndb modules.
[ Bernhard Schmidt ]
* apparmor-policy: permit locking of the allow-new-zones database
(Closes: #922065)
* apparmor-policy: allow access to Samba DLZ files (Closes: #920530)
bind (1:9.13.5-1) experimental; urgency=medium
* New upstream version 9.13.5
bind (1:9.13.4-1) experimental; urgency=medium
* Use <email address hidden> as Maintainer address
* New upstream version 9.13.4
bind (1:9.13.3-3) experimental; urgency=medium
* Remove deprecated -r /dev/urandom option from rndc invocation
bind (1:9.13.3-2) experimental; urgency=medium
* Remove --disable-static from the dh_auto_configure call
bind (1:9.13.3-1) experimental; urgency=medium
* New upstream version 9.13.3
* Rebase patches for BIND 9.13.3
bind (1:9.13.3~400-g47066d3d01-1) experimental; urgency=medium
* New upstream version 9.13.3~400-g47066d3d01
bind (1:9.13.3~398-g5c00162f54-1) experimental; urgency=medium
[ Bernhard Schmidt ]
* Enable IDN support for dig+host using libidn2 (Closes: #459010)
* Use root.hints from dns-root-data (Closes: #888491)
* Adjust apparmor profile for dns-root-data
* Fix missing colon in AppArmor profile (Closes: #904983)
* d/watch: Properly deal with -P patch releases
[ Timo Aaltonen ]
* skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 crashing on startup. (LP: #1769440)
[ Ondřej Surý ]
* New upstream version 9.13.3~398-g5c00162f54
* Rebase patches for new upstream snapshot release
bind (1:9.13.2-1~exp0) experimental; urgency=medium
* Don't repack, all non-free files are gone from BIND 9.13
* New upstream version 9.13.2
* Rebase patches for BIND 9.13.2
* Stop providing bind-dev package and checking for symbols, they are not
tightly coupled with rest of the package.
* Add docbook-xsl and docbook-xml to Build-Depends
* Add pkg-config to Build-Depends and cleanup versioned Build-Depends
* Enable dnstap support (Courtesy of Richard James Salts)
* Remove auth-nxdomain no; from named.conf.options (Closes: #896889)
bind (1:9.13.1+dfsg-1) experimental; urgency=medium
* New upstream version 9.13.1+dfsg
* d/watch: Always package the latest version
* d/patches: Remove 0003-Add-min-cache-ttl-and-min-ncache-ttl-keywords.patch,
so we less divert from upstream
* d/patches: Refresh patches on top of BIND 9.13.1
bind (1:9.12.0+dfsg-1~exp1) experimental; urgency=medium
* Move to standard master/upstream/pristine-tar branching
* Add /etc/default/bind file to bind package
* Don't fail the systemd unit if /etc/default/bind doesn't exist
bind (1:9.12.0+dfsg-1~exp0) experimental; urgency=medium
* New upstream version 9.12.0+dfsg
* Rename bind9 to just bind, and merge all shared libraries into bind-libs.
* Update Vcs-* links to salsa.d.o
* Update d/watch and d/gbp.conf for BIND 9.12
* Remove export version of the libraries; we really need to deprecate ISC-DHCP in buster+1
* d/patches changes:
+ Convert 02_version.diff to sed rule in d/rules
+ Remove the extra native-pkcs11 patch that double builds everything; a solution with OpenSSL engines is far more suitable and less intrusive
+ Remove stdatomic.h patches; already merged upstream into BIND 9.12
+ Refresh all the other patches for BIND 9.12.0
+ Fix the min-(n)cache-ttl patch for BIND 9.12
* Remove isc-hmac-fixup from bind package
* Remove man3 from bind-dev package as they are not installed
* Add dnssec-cds to bind-utils package
* Update missing and new symbols for BIND 9.12
-- Andreas Hasenack <email address hidden> Mon, 24 Feb 2020 11:51:37 -0300
-
bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/control, d/rules: go back to old geoip support, since
libmaxminddb (for GeoIP2) is in universe
* Dropped:
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
[In 1:9.11.14+dfsg-2]
- d/control: drop hardcoded python3 dependency in bind9utils,
dh-python injects the correct one via ${python3:Depends}
(LP #1856211, Closes #946643)
[In 1:9.11.14+dfsg-1]
bind9 (1:9.11.14+dfsg-3) unstable; urgency=medium
* cherry-pick upstream patch to fix FTBFS on armel
bind9 (1:9.11.14+dfsg-2) unstable; urgency=medium
[ Bernhard Schmidt ]
* Unmark bind9-host as deprecated (Closes: #948139)
[ Andreas Hasenack ]
* d/control: drop hardcoded python3 dependency
* Use iproute2 instead of net-tools
-- Andreas Hasenack <email address hidden> Mon, 27 Jan 2020 11:47:26 -0300
-
bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
[Updated to also check the exit status of the command]
- d/control: drop hardcoded python3 dependency in bind9utils,
dh-python injects the correct one via ${python3:Depends}
(LP #1856211, Closes: #946643)
* Dropped:
- d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
option (LP #1804648)
[Fixed upstream in 9.11.6rc1]
- d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
close to a query timeout (LP #1797926)
[Fixed upstream in 9.11.6rc1]
- SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
connection
+ debian/patches/CVE-2019-6477.patch: limit number of clients in
bin/named/client.c, bin/named/include/named/client.h.
+ CVE-2019-6477
[Fixed upstream in 9.11.13]
* Added:
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/control, d/rules: go back to old geoip support, since
libmaxminddb (for GeoIP2) is in universe
bind9 (1:9.11.14+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.14+dfsg
* Make lib/dns/gen.c independent of isc/platform.h header
bind9 (1:9.11.13+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.13+dfsg
* [CVE-2019-6477]: TCP-pipelined queries can bypass tcp-clients limit
* Bump the libisc soversion from 1100 to 1104
bind9 (1:9.11.12+dfsg-1) unstable; urgency=medium
* Remove GPL licensed apport file until one with better license is available
* Install python files to dist-packages (Courtesy of Jim Popovitch)
* Remove debian/nslookup.1
* Remove 4-clause BSD content from the package
* New upstream version 9.11.12+dfsg
bind9 (1:9.11.11+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.11+dfsg
bind9 (1:9.11.10+dfsg-1) unstable; urgency=medium
* Disable old GeoIP and enable new GeoIP2
* New upstream version 9.11.10+dfsg
* Bump libdns SOVERSION to 1107
bind9 (1:9.11.9+dfsg-1) unstable; urgency=medium
* New upstream version 9.11.9+dfsg
bind9 (1:9.11.8+dfsg-1) experimental; urgency=medium
* New upstream version 9.11.8+dfsg
* Rebase patches for BIND 9.11.8
* AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
Thanks to Steven Monai (Closes: 928398)
* Enable readline support in dnsutils (nslookup and nsupdate)
bind9 (1:9.11.7+dfsg-2) experimental; urgency=medium
* Use absolute srcdir path to protoc-c invocation
* Fix Debian buster armhf build
bind9 (1:9.11.7+dfsg-1) experimental; urgency=medium
* New upstream version 9.11.7+dfsg
* Bump libdns SONAME from 1105 to 1106
bind9 (1:9.11.6.P1+dfsg-1) experimental; urgency=medium
* New upstream version 9.11.6.P1+dfsg
* Add patch for atomic support on non-x86 architectures
bind9 (1:9.11.6+dfsg-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.11.6+dfsg (Closes: #923984)
* Update d/gbp.conf for DEP-14
* Fix the checkapi script
* Bump libdns SOVERSION from 1104 to 1105
* Update libdns1105 symbols
[ Bernhard Schmidt]
* Add missing pkg-config build-dep
-- Andreas Hasenack <email address hidden> Wed, 15 Jan 2020 14:07:05 -0300
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium
* d/control: drop hardcoded python3 dependency in bind9utils,
dh-python injects the correct one via ${python3:Depends}
(LP: #1856211, Closes: #946643)
-- Andreas Hasenack <email address hidden> Thu, 12 Dec 2019 14:40:20 -0300
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium
* SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
connection
- debian/patches/CVE-2019-6477.patch: limit number of clients in
bin/named/client.c, bin/named/include/named/client.h.
- CVE-2019-6477
-- Marc Deslauriers <email address hidden> Thu, 21 Nov 2019 07:50:24 -0500
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium
* use iproute2 instead of net-tools (LP: #1850699):
- d/control: replace net-tools depends with iproute2
- d/bind9.init: use ip instead of ifconfig
* d/bind9.install, d/control, d/rules: re-enable lmdb, which is now
in main.
-- Andreas Hasenack <email address hidden> Fri, 08 Nov 2019 10:15:01 -0300
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium
* Rebuild against new libjson-c4.
-- Gianfranco Costamagna <email address hidden> Sat, 29 Jun 2019 13:45:33 +0200
