Format: 1.8
Date: Wed, 17 Apr 2024 23:47:27 +0200
Source: bind9
Architecture: source
Version: 1:9.18.26-1+ubuntu20.04.1+deb.sury.org+1
Distribution: focal
Urgency: high
Maintainer: Debian DNS Team
Changed-By: Ondřej Surý
Closes: 903586 942377 947978 994696 1000354 1000565 1000893 1004271 1008021 1009889 1012059 1016646 1020315 1022968 1025519
Changes:
 bind9 (1:9.18.26-1+ubuntu20.04.1+deb.sury.org+1) focal; urgency=medium
 .
   * No-change backport to focal.
 .
 bind9 (1:9.18.26-1) unstable; urgency=medium
 .
   * New upstream version 9.18.26
 .
 bind9 (1:9.18.25-1) unstable; urgency=medium
 .
   * New upstream version 9.18.25
     - A regression caused by CVE-2023-6516 fix could lead into an out-of-memory condition when the server is under heavy load.
 .
 bind9 (1:9.18.24-1) unstable; urgency=medium
 .
   * New upstream version 9.18.24
     - CVE-2023-4408: Parsing large DNS messages may cause excessive CPU load
     - CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled
     - CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
     - CVE-2023-6516: Specific recursive query patterns may lead to an out-of-memory condition
     - CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
     - CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
 .
 bind9 (1:9.18.21-1) unstable; urgency=medium
 .
   * New upstream version 9.18.21
 .
 bind9 (1:9.18.20-1) unstable; urgency=medium
 .
   * New upstream version 9.18.20
 .
 bind9 (1:9.18.19-1) unstable; urgency=medium
 .
   * New upstream version 9.18.19
 .
 bind9 (1:9.18.18-1) unstable; urgency=medium
 .
   * New upstream version 9.18.18
 .
 bind9 (1:9.18.17-1) unstable; urgency=medium
 .
   * New upstream version 9.18.17
 .
 bind9 (1:9.18.16-1) unstable; urgency=medium
 .
   * New upstream version 9.18.16
     - CVE-2023-2828: The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit.
     - CVE-2023-2911: A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed.
 .
 bind9 (1:9.18.15-1) unstable; urgency=medium
 .
   * New upstream version 9.18.15
 .
 bind9 (1:9.18.14-1) unstable; urgency=medium
 .
   * New upstream version 9.18.14
 .
 bind9 (1:9.18.13-1) unstable; urgency=medium
 .
   * New upstream version 9.18.13
 .
 bind9 (1:9.18.12-1) unstable; urgency=medium
 .
   * New upstream version 9.18.12
   * Drop libtool-bin from B-D (Closes: #1022968)
 .
 bind9 (1:9.18.11-2) unstable; urgency=medium
 .
   * Allow the named to use systemd notify service
 .
 bind9 (1:9.18.11-1) unstable; urgency=medium
 .
   * New upstream version 9.18.11
 .
 bind9 (1:9.18.10-2) unstable; urgency=medium
 .
   * Backport upstream feature to use sd_notify()
   * Use systemd notify for service readiness check (Closes: #994696)
   * apparmor.d: Allow named to read all OpenSSL config files. (Closes: #1025519)
   * apparmor.d: Allow named to query for hugepages support. (Closes: #1020315)
   * Fix path to README.Debian (Closes: #1016646)
 .
 bind9 (1:9.18.10-1) unstable; urgency=medium
 .
   * New upstream version 9.18.10
 .
 bind9 (1:9.18.9-1) unstable; urgency=medium
 .
   * New upstream version 9.18.9
 .
 bind9 (1:9.18.8-1) unstable; urgency=medium
 .
   * New upstream version 9.18.8
 .
 bind9 (1:9.18.7-1) unstable; urgency=medium
 .
   * New upstream version 9.18.7
     - CVE-2022-2795: Processing large delegations may severely degrade resolver performance
     - CVE-2022-2881: Buffer overread in statistics channel code
     - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)
     - CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
     - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
     - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
 .
 bind9 (1:9.18.6-2) unstable; urgency=medium
 .
   * No-change source-only upload
 .
 bind9 (1:9.18.6-1) unstable; urgency=medium
 .
   * Disable treat-warnings-as-errors in sphinx-build
   * New upstream version 9.18.6
 .
 bind9 (1:9.18.5-1) unstable; urgency=medium
 .
   * New upstream version 9.18.5
 .
 bind9 (1:9.18.4-2) unstable; urgency=medium
 .
   [ Simon Deziel ]
   * debian/extras/etc/db.0: correct descriptive comment
 .
   [ Bernhard Schmidt ]
   * Add sleep workaround in tests/simpletests (Closes: #1012059)
 .
 bind9 (1:9.18.4-1) unstable; urgency=medium
 .
   * Disable treat-warnings-as-errors in sphinx-build
   * New upstream version 9.18.4
 .
 bind9 (1:9.18.3-1) unstable; urgency=medium
 .
   * New upstream version 9.18.3
 .
 bind9 (1:9.18.2-1) unstable; urgency=medium
 .
   * Drop libldap2-dev from Build-Depends (Closes: #1008021)
   * New upstream version 9.18.2
   * Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889)
 .
 bind9 (1:9.18.1-1) unstable; urgency=high
 .
   * New upstream version 9.18.1
   * CVE-2021-25220: The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick.
   * CVE-2022-0396: TCP connections with 'keep-response-order' enabled could leave the TCP sockets in the 'CLOSE_WAIT' state when the client did not properly shut down the connection.
   * CVE-2022-0635: Lookups involving a DNAME could trigger an assertion failure when 'synth-from-dnssec' was enabled (which is the default)
   * CVE-2022-0667: When chasing DS records, a timed out or artificially delayed fetch could cause 'named' to crash while resuming a DS lookup.
 .
 bind9 (1:9.18.0-2) unstable; urgency=medium
 .
   * Add patch to use detected L1 cache-line size instead of hard-coded value, this should fix architectures with 128-byte L1 cache.
 .
 bind9 (1:9.18.0-1) unstable; urgency=medium
 .
   * Bump the upstream version in debian/ to 9.18
   * New upstream version 9.18.0
 .
 bind9 (1:9.18.0~0+git28350c-1) unstable; urgency=medium
 .
   * New upstream version 9.18.0~0+git28350c
     + Pull the 9.18.0 pre-release git to have the L1 cache line fix (Closes: #1004271)
   * Fix the typo when backing up and restoring configure{,.ac} (Closes: #903586)
   * Remove some prehistoric conffile no longer in use (Closes: #942377)
   * Pick UTC date for release_date variable (Closes: #1000893)
 .
 bind9 (1:9.17.22-1) unstable; urgency=medium
 .
   * New upstream version 9.17.22
 .
 bind9 (1:9.17.21-1) unstable; urgency=medium
 .
   * New upstream version 9.17.21
 .
 bind9 (1:9.17.20-3) unstable; urgency=medium
 .
   * Retain bind9-resolvconf.service alias (Closes: #1000565)
 .
 bind9 (1:9.17.20-2) unstable; urgency=medium
 .
   * Tighten the dependencies on bind9-libs for the utils too (Closes: #1000354)
 .
 bind9 (1:9.17.20-1) unstable; urgency=medium
 .
   * New upstream version 9.17.20
   * Remove the sphinx-patch, the role has been fixed upstream
 .
 bind9 (1:9.17.19-3) unstable; urgency=medium
 .
   * Remove the .so libraries from excluded files
 .
 bind9 (1:9.17.19-2) unstable; urgency=medium
 .
   * Add libjemalloc-dev to Build-Depends
   * Sync the packaging between BIND 9.16 and BIND 9.17 branches
   * Don't install static libraries to bind9-dev, they are not built
 .
 bind9 (1:9.17.19-1) unstable; urgency=medium
 .
   * New upstream version 9.17.19
 .
 bind9 (1:9.17.18-1) experimental; urgency=medium
 .
   * New upstream version 9.17.18
 .
 bind9 (1:9.17.17-2) experimental; urgency=medium
 .
   * Bump MAPAPI to 3.0
 .
 bind9 (1:9.17.17-1) experimental; urgency=medium
 .
   * New upstream version 9.17.17
 .
 bind9 (1:9.17.16-1) experimental; urgency=medium
 .
   * New upstream version 9.17.16
 .
 bind9 (1:9.17.15-1) experimental; urgency=medium
 .
   * New upstream version 9.17.15
 .
 bind9 (1:9.17.14-3) experimental; urgency=medium
 .
   * Add upstream patch to address 'Checking of key-directory and dnssec-policy was broken'
 .
 bind9 (1:9.17.14-2) experimental; urgency=medium
 .
   * Add upstream patch to fix: 'W' in wildcard expansions was being mapped to '\000'.
 .
 bind9 (1:9.17.14-1) experimental; urgency=medium
 .
   * New upstream version 9.17.14
 .
 bind9 (1:9.17.13-2) experimental; urgency=medium
 .
   * Revert upstream 'Add a Sphinx role for linking GitLab issues/MRs'
 .
 bind9 (1:9.17.13-1) experimental; urgency=medium
 .
   * New upstream version 9.17.13
 .
 bind9 (1:9.17.12-2) experimental; urgency=medium
 .
   * Add filter-a.so plugin into main package
 .
 bind9 (1:9.17.12-1) experimental; urgency=medium
 .
   * New upstream version 9.17.12
   * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
 .
 bind9 (1:9.17.11-1) experimental; urgency=medium
 .
   * New upstream version 9.17.11
   * Add upstream patches to fix TCP timeouts firing too early
 .
 bind9 (1:9.17.10-1) experimental; urgency=high
 .
   * New upstream version 9.17.10
     + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
   * Adjust the bind9-libs package for new upstream library names
   * Add libnghttp2-dev to Build-Depends
   * Update the way how we ignore development libraries, so the real ones gets installed
 .
 bind9 (1:9.17.9-1) experimental; urgency=medium
 .
   * Exclude test-async.so from dh_install
   * Update the ISC code-signing key
   * New upstream version 9.17.9
 .
 bind9 (1:9.17.8-1) experimental; urgency=medium
 .
   * New upstream version 9.17.8
 .
 bind9 (1:9.17.7-1) experimental; urgency=medium
 .
   * New upstream version 9.17.7
 .
 bind9 (1:9.17.6-1) experimental; urgency=medium
 .
   * New upstream version 9.17.6
 .
 bind9 (1:9.17.5-2) experimental; urgency=medium
 .
   [ Bernhard Schmidt ]
   * Move Build-Depends for documentation to Build-Depends-Indep
   * Set Restart=on-failure in systemd unit
 .
 bind9 (1:9.17.5-1) experimental; urgency=medium
 .
   * New upstream version 9.17.5
 .
 bind9 (1:9.17.4-1) experimental; urgency=medium
 .
   * Add libtool-bin to Build-Depends
   * Disable static linking
   * New upstream version 9.17.4
 .
 bind9 (1:9.17.3-1) experimental; urgency=medium
 .
   * New upstream version 9.17.2
   * Adjust d/*.install files after upstream moved binaries from sbin to bin
   * Remove rfc-compliance from docs, it's gone
   * New upstream version 9.17.3
   * Add fonts-freefont-otf, latexmk, texlive-fonts-extra, texlive-latex-recommended, texlive-xetex, and xindy to Build-Depends
   * Install man pages for tsig-gen and named-compilezone
 .
 bind9 (1:9.17.1+git20200519-1) experimental; urgency=medium
 .
   * New upstream version 9.17.1+git20200519
   * Update Debian packaging for autoconf/automake and sphinx-doc
 .
 bind9 (1:9.17.1-1) experimental; urgency=medium
 .
   * Update d/copyright (Closes: #947978)
   * New upstream version 9.17.1
 .
 bind9 (1:9.17.0-1) experimental; urgency=medium
 .
   [ Andreas Hasenack ]
   * Bring back the DEP8 test from sid
   * Use iproute2 instead of net-tools
   * d/control: drop hardcoded python3 dependency
 .
   [ Bernhard Schmidt ]
   * Fix apparmor profile name. Thanks to Andreas Hasenack
   * Enable readline support
 .
   [ Andreas Hasenack ]
   * Update apparmor profile with what is in sid
   * Create the missing transitional packages for dnsutils, bind9utils
   * There is a licensing conflict with adding libreadline and we should use libedit-dev instead.
 .
   [ Ondřej Surý ]
   * Switch to BIND 9.17 for the -dev packages
   * New upstream version 9.17.0