Merge bind9 from Debian unstable for 22.04

Bug #1946833 reported by Bryce Harrington
Affects: bind9 (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Athos Ribeiro | Milestone:

Bug Description

Upstream: 9.18.0
Debian: 1:9.18.0-1
Ubuntu: 1:9.16.15-1ubuntu3

Debian typically updates bind9 about once a month on average, but the package was last updated in 21.04 and looks overdue. Check back on this monthly.

~~No release expected for bind9 this cycle~~
bind9 9.18 upstream release is scheduled for January 2022

### New Debian Changes ###

bind9 (1:9.16.15-1) unstable; urgency=high

  * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
   + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
     assertion failure in ``named``, causing it to quit abnormally.
   + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
     ANSWER section during DNAME chasing turned out to be the final
     answer to a client query.
   + CVE-2021-25216: When a server's configuration set the
    ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
    specially crafted GSS-TSIG query could cause a buffer overflow in
    the ISC implementation of SPNEGO (a protocol enabling negotiation of
    the security mechanism used for GSSAPI authentication).
  * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance

 -- Ondřej Surý <email address hidden> Thu, 29 Apr 2021 09:11:32 +0200

bind9 (1:9.16.13-1) unstable; urgency=medium

  * New upstream version 9.16.13
  * Add upstream patches to fix TCP timeouts firing too early

 -- Ondřej Surý <email address hidden> Thu, 18 Mar 2021 14:23:49 +0100

bind9 (1:9.16.12-3) unstable; urgency=medium

  * Add most important patches from upcoming 9.16.13 release

 -- Ondřej Surý <email address hidden> Fri, 12 Mar 2021 09:59:49 +0100

bind9 (1:9.16.12-2) unstable; urgency=medium

  * Add patch to fix sphinx-build failure on Ubuntu Xenial

 -- Ondřej Surý <email address hidden> Thu, 18 Feb 2021 12:26:09 +0100

bind9 (1:9.16.12-1) unstable; urgency=high

  * New upstream version 9.16.12
   + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
     (Closes: #983004)
  * Adjust the bind9-libs and bind9-dev packages for new upstream library
    names

 -- Ondřej Surý <email address hidden> Thu, 18 Feb 2021 08:13:58 +0100

bind9 (1:9.16.11-3) unstable; urgency=medium

  * Split the simple validation test to separate file and mark it as flaky
    (Closes: #976045)

 -- Ondřej Surý <email address hidden> Sun, 14 Feb 2021 20:04:39 +0100

bind9 (1:9.16.11-2) unstable; urgency=medium

  * Cherry-pick upstream commit to fix segfault with named ACLs used in
    allow-update (Closes: #980786)

 -- Bernhard Schmidt <email address hidden> Fri, 29 Jan 2021 08:27:31 +0100

bind9 (1:9.16.11-1) unstable; urgency=medium

  * Add the ISC code-signing key for 2021-2022
  * New upstream version 9.16.11

 -- Ondřej Surý <email address hidden> Thu, 21 Jan 2021 09:58:33 +0100

bind9 (1:9.16.10-1) unstable; urgency=medium

  * New upstream version 9.16.10

 -- Ondřej Surý <email address hidden> Wed, 16 Dec 2020 22:22:25 +0100

bind9 (1:9.16.9-1) unstable; urgency=medium

  * New upstream version 9.16.9

 -- Ondřej Surý <email address hidden> Thu, 26 Nov 2020 12:52:28 +0100

bind9 (1:9.16.8-1) unstable; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 9.16.8

  [ Bernhard Schmidt ]
  * d/t/control:
    - tag autopkgtest with needs-internet (Closes: #973955)
    - depend on bind9-dnsutils instead of the transitional dnsutils
  * d/rules: change deprecated --with-libjson-c configure argument to
    --with-json-c

 -- Bernhard Schmidt <email address hidden> Mon, 09 Nov 2020 23:03:53 +0100

bind9 (1:9.16.7-1) unstable; urgency=medium

  * New upstream version 9.16.7

 -- Ondřej Surý <email address hidden> Thu, 17 Sep 2020 10:36:51 +0200

bind9 (1:9.16.6-3) unstable; urgency=medium

### Old Ubuntu Delta ###

bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depend
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Drop changes:
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
      [Fixed in 1:9.16.11-3]
    - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
      + debian/patches/CVE-2020-8625.patch: properly calculate length in
        lib/dns/spnego.c.
      + CVE-2020-8625
      [Fixed in 1:9.16.12-1]
    - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
      + debian/patches/CVE-2021-25214.patch: immediately reject the entire
        transfer for certain RR in lib/dns/xfrin.c.
      + CVE-2021-25214
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: assert via answering certain queries for DNAME records
      + debian/patches/CVE-2021-25215.patch: fix assert checks in
        lib/ns/query.c.
      + CVE-2021-25215
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
      + debian/rules: build with --disable-isc-spnego to disable internal
        SPNEGO and use the one from the kerberos libraries.
      + CVE-2021-25216
      [Fixed in 1:9.16.15-1]

 -- Athos Ribeiro <email address hidden> Mon, 12 Jul 2021 20:26:40 -0300
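The "[Fixed in ...]" notes above are the record a merger uses to decide which Ubuntu security patches can be dropped: a patch is redundant once the merged version is at or above the version that fixed the CVE. Deciding "at or above" for strings like 1:9.16.15-1ubuntu3 means applying dpkg's version ordering (epoch, upstream version, Debian revision, with '~' sorting before the end of the string). The following is an added example, not code from the bind9 packaging or from this report, implementing that comparison in Python and applying it to the fixed-in versions quoted in the changelog; the CVE table is copied from the delta above, with the 9.17.19 entry written as an upstream version without a Debian revision.

```python
"""Check whether a Debian/Ubuntu package version carries a given fix.

Added example for this report, not code from the bind9 packaging or from
Launchpad.  Implements dpkg's version comparison and applies it to the
"[Fixed in ...]" versions quoted in the bind9 changelog above.
"""


def _order(c: str) -> int:
    """dpkg ordering weight of one character (empty string = end of input).
    Digits are handled by the numeric loop and weigh 0 here."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate a run of
    non-digits (character-wise, via _order) with a run of digits
    (numerically, leading zeros ignored).  Returns <0, 0 or >0."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[:1])
            bc = _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1       # a has more digits, so it is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts.  A missing epoch is 0
    and a missing revision is the empty string, as in dpkg."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full dpkg comparison: epoch numerically, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# "[Fixed in ...]" versions copied from the changelog entries above.  The
# 9.17.19 entry is an upstream version, written here without a revision.
FIXED_IN = {
    "CVE-2020-8625": "1:9.16.12-1",
    "CVE-2021-25214": "1:9.16.15-1",
    "CVE-2021-25215": "1:9.16.15-1",
    "CVE-2021-25216": "1:9.16.15-1",
    "CVE-2021-25219": "1:9.17.19",
}


def missing_fixes(version: str, fixed_in=FIXED_IN) -> list:
    """CVEs whose fixed-in version is newer than `version`.  This sees only
    version numbers: a backported patch, such as the CVE-2021-25219 patch
    Ubuntu carried in 1:9.16.15-1ubuntu3, is invisible to it, so a hit means
    "check the changelog", not proof that the package is exposed."""
    return sorted(cve for cve, fixed in fixed_in.items()
                  if compare_versions(version, fixed) < 0)


if __name__ == "__main__":
    for v in ("1:9.16.15-1ubuntu3", "1:9.18.0-1", "1:9.18.0-2ubuntu1"):
        print(v, "missing by version:", missing_fixes(v) or "none")
```

The same ordering rules are what `dpkg --compare-versions` applies, so the function can be cross-checked against it on any Debian or Ubuntu host. Note the caveat built into `missing_fixes`: for 1:9.16.15-1ubuntu3 it reports CVE-2021-25219 as unfixed by version alone, even though the Ubuntu delta above shows the fix was backported as a patch; version comparison is the first filter, the changelog is the authority.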

Tags: needs-merge

Changed in bind9 (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Bryce Harrington (bryce)
description: updated
Changed in bind9 (Ubuntu):
milestone: none → ubuntu-21.12
Revision history for this message
Robie Basak (racb) wrote :

Note from Timo on ubuntu-server@:

Just a heads-up that the new version breaks bind-dyndb-ldap (again),
upstream has removed the api versioning information which the plugin
depends on, so please don't merge this until there's some understanding
on how b-d-l can be made to work with the new bind9.

https://lists.ubuntu.com/archives/ubuntu-server/2021-November/009035.html

Athos Ribeiro (athos-ribeiro) wrote :

As per [1], bind 9.17 (Debian unstable) is a development version, while 9.16 is an extended support one. Since jammy is LTS, we should refrain from releasing with bind 9.17.

ISC's schedule says 9.18 will be out in Q1 2022.

I am wondering if we should

a) merge 9.16.22 (which never landed in unstable, but is in debian stable) or 9.16.23 (which is only available in salsa);

b) do (a) for now and wait to see if 9.18 lands before the jammy feature freeze. If it lands, we can perform a second merge; or

c) Push this merge to January or February. If 9.18 does not land until then, merge 9.16.2x

[1] https://www.isc.org/blogs/2021-bind-release-model/

Sergio Durigan Junior (sergiodj) wrote : Re: [Bug 1946833] Re: Merge bind9 from Debian unstable for 22.04

On Thursday, December 02 2021, Athos Ribeiro wrote:

> As per [1], bind 9.17 (Debian unstable) is a development version, while
> 9.16 is an extended support one. Since jammy is LTS, we should refrain
> from releasing with bind 9.17.
>
> ISC schedule says 9.18 will be out on Q1, 2022.
>
> I am wondering if we should
>
> a) merge 9.16.22 (which never landed in unstable, but is in debian
> stable) or 9.16.23 (which is only available in salsa);
>
> b) do (a) for now and wait to see if 9.18 lands before the jammy feature
> freeze. If it lands, we can perform a second merge; or
>
> c) Push this merge to January or February. If 9.18 does not land until
> then, merge 9.16.2x

Thanks for the thoughtful comment, Athos.

We've discussed this in private, so you know that my preference is (c).
Although you could merge 9.16.2x right now, this would mean going
"ahead" of Debian (in the sense that we'd be releasing a version that is
not and has never been present in unstable), which requires a bit more
work than a regular merge, and then maybe throwing this away if/when
upstream releases 9.18 and Debian picks it up (assuming they both do
this before our Feature Freeze).

So yeah, I think we should postpone this merge to the beginning of
February and reassess the situation when we get there. If there's no
9.18 by then, you can merge 9.16.2x and be done with it.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Utkarsh Gupta (utkarsh) wrote :

+1 for (c). I don't think it's worth the effort right now. Let's see how things look in Jan/Feb next year.

Changed in bind9 (Ubuntu):
milestone: ubuntu-21.12 → ubuntu-22.01
description: updated
Athos Ribeiro (athos-ribeiro) wrote :

Bind9 was released today and 1:9.18.0-1 is already available in Debian unstable.

description: updated
Changed in bind9 (Ubuntu):
status: New → In Progress
Dominic (triatic) wrote :

It would be ideal if 9.18 could be included before the feature freeze. Any news?

Andreas Hasenack (ahasenack) wrote :

It's in review, and your message made me notice the MP wasn't linked to this bug. I fixed that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.18.0-2ubuntu1

---------------
bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946833). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depend
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Dropped Changes:
    - SECURITY UPDATE: resolver performance degradation via lame cache abuse
      + debian/patches/CVE-2021-25219.patch: disable lame cache in
        bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
      + CVE-2021-25219
      [ Fixed in 9.17.19 ]
  * New Changes:
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.

 -- Athos Ribeiro <email address hidden> Mon, 14 Feb 2022 17:40:31 -0300

Changed in bind9 (Ubuntu):
status: In Progress → Fix Released