-
bind9 (1:9.16.8-1ubuntu3.3) hirsute-security; urgency=medium
* SECURITY UPDATE: resolver performance degradation via lame cache abuse
- debian/patches/CVE-2021-25219.patch: disable lame cache in
bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
- CVE-2021-25219
-- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 06:57:43 -0400
-
bind9 (1:9.16.8-1ubuntu3.1) hirsute-security; urgency=medium
* SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
- debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
- CVE-2021-25214
* SECURITY UPDATE: assert via answering certain queries for DNAME records
- debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
- CVE-2021-25215
* SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
- debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
- CVE-2021-25216
-- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:07:30 -0400
-
bind9 (1:9.16.8-1ubuntu3) hirsute; urgency=medium
* SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
- CVE-2020-8625
-- Marc Deslauriers <email address hidden> Thu, 25 Feb 2021 07:29:46 -0500
-
bind9 (1:9.16.8-1ubuntu2) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Matthias Klose <email address hidden> Mon, 22 Feb 2021 10:44:18 +0100
-
bind9 (1:9.16.8-1ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
* Dropped changes (merged in Debian):
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
bind9 (1:9.16.8-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.16.8
[ Bernhard Schmidt ]
* d/t/control:
- tag autopkgtest with needs-internet (Closes: #973955)
- depend on bind9-dnsutils insead of the transitional dnsutils
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
bind9 (1:9.16.7-1) unstable; urgency=medium
* New upstream version 9.16.7
-- Paride Legovini <email address hidden> Sun, 06 Dec 2020 17:10:15 +0100
-
bind9 (1:9.16.6-3ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
bind9 (1:9.16.6-3) unstable; urgency=medium
[ Ondřej Surý ]
* Add upstream patches to fix some rare conditions (Closes: #969448)
[ Bernhard Schmidt ]
* Set Restart=on-failure in systemd unit
-- Andreas Hasenack <email address hidden> Tue, 15 Sep 2020 10:46:52 -0300