-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.3) zesty; urgency=medium
* d/bind9.service: source the defaults file and start the daemon with the
options set there (LP: #1565060).
-- Andreas Hasenack <email address hidden> Mon, 06 Nov 2017 17:41:19 -0200
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium
* SECURITY REGRESSION: regression in last security update
- debian/patches/CVE-2017-3142-regression.patch: fix verification of
TSIG signed TCP message sequences where not all the messages contain
TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
* debian/patches/update_keys.patch: Update the built in managed keys to
include the upcoming root KSK in bind.keys, bind.keys.h.
-- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:42:53 -0400
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.1) zesty-security; urgency=medium
* SECURITY UPDATE: TSIG authentication issues
- debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
- CVE-2017-3142
- CVE-2017-3143
-- Marc Deslauriers <email address hidden> Thu, 29 Jun 2017 07:34:07 -0400
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
* SECURITY UPDATE: Denial of Service due to an error handling
synthesized records when using DNS64 with "break-dnssec yes;"
- debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
called.
- CVE-2017-3136
* SECURITY UPDATE: Denial of Service due to resolver terminating when
processing a response packet containing a CNAME or DNAME
- debian/patches/CVE-2017-3137.patch: don't expect a specific
ordering of answer components; add testcases.
- CVE-2017-3137
* SECURITY UPDATE: Denial of Service when receiving a null command on
the control channel
- debian/patches/CVE-2017-3138.patch: don't throw an assert if no
command token is given; add testcase.
- CVE-2017-3138
-- Steve Beattie <email address hidden> Wed, 12 Apr 2017 01:32:15 -0700
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
* SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
a NULL pointer
- debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
combination in bin/named/query.c, lib/dns/message.c,
lib/dns/rdataset.c.
- CVE-2017-3135
* SECURITY UPDATE: regression in CVE-2016-8864
- debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
was still being cached when it should have been in lib/dns/resolver.c,
added tests to bin/tests/system/dname/ans3/ans.pl,
bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
- No CVE number
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2017 09:37:39 -0500
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
* SECURITY UPDATE: assertion failure via class mismatch
- debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
records in lib/dns/resolver.c.
- CVE-2016-9131
* SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
- debian/patches/CVE-2016-9147.patch: fix logic when records are
returned without the requested data in lib/dns/resolver.c.
- CVE-2016-9147
* SECURITY UPDATE: assertion failure via unusually-formed DS record
- debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
lib/dns/message.c, lib/dns/resolver.c.
- CVE-2016-9444
* SECURITY UPDATE: regression in CVE-2016-8864
- debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
responses in lib/dns/resolver.c, added tests to
bin/tests/system/dname/ns2/example.db,
bin/tests/system/dname/tests.sh.
- No CVE number
-- Marc Deslauriers <email address hidden> Wed, 25 Jan 2017 09:28:10 -0500
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
* Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP: #1536181).
-- Nishanth Aravamudan <email address hidden> Tue, 15 Nov 2016 08:24:58 -0800
-
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
* SECURITY UPDATE: denial of service via assertion failure
- debian/patches/CVE-2016-2776.patch: properly handle lengths in
lib/dns/message.c.
- CVE-2016-2776
-- Marc Deslauriers <email address hidden> Tue, 04 Oct 2016 14:31:17 -0400