Merge bind9 from Debian unstable for l-series

Bug #1993375 reported by Bryce Harrington
Affects: bind9 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Lena Voytek

Bug Description

Scheduled-For: ubuntu-23.01
Upstream: 9.18.7
Debian: 1:9.18.7-1
Ubuntu: 1:9.18.4-2ubuntu2

### New Debian Changes ###

bind9 (1:9.18.7-1) unstable; urgency=medium

  * New upstream version 9.18.7
   - CVE-2022-2795: Processing large delegations may severely degrade
     resolver performance
   - CVE-2022-2881: Buffer overread in statistics channel code
   - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key
     exchange via TKEY RRs (OpenSSL 3.0.0+ only)
   - CVE-2022-3080: BIND 9 resolvers configured to answer from stale
     cache with zero stale-answer-client-timeout may terminate unexpectedly
   - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
   - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code

 -- Ondřej Surý <email address hidden> Wed, 21 Sep 2022 12:48:36 +0200

bind9 (1:9.18.6-1) unstable; urgency=medium

  * Disable treat-warnings-as-errors in sphinx-build
  * New upstream version 9.18.6

 -- Ondřej Surý <email address hidden> Thu, 18 Aug 2022 09:39:20 +0200

bind9 (1:9.18.5-1) unstable; urgency=medium

  * New upstream version 9.18.5

 -- Ondřej Surý <email address hidden> Wed, 20 Jul 2022 16:40:31 +0200

bind9 (1:9.18.4-2) unstable; urgency=medium

  [ Simon Deziel ]
  * debian/extras/etc/db.0: correct descriptive comment

  [ Bernhard Schmidt ]
  * Add sleep workaround in tests/simpletests (Closes: #1012059)

 -- Ondřej Surý <email address hidden> Tue, 05 Jul 2022 12:58:06 +0200

bind9 (1:9.18.4-1) unstable; urgency=medium

  * Disable treat-warnings-as-errors in sphinx-build
  * New upstream version 9.18.4

 -- Ondřej Surý <email address hidden> Wed, 15 Jun 2022 14:36:44 +0200

bind9 (1:9.18.3-1) unstable; urgency=medium

  * New upstream version 9.18.3

 -- Ondřej Surý <email address hidden> Wed, 18 May 2022 16:53:01 +0200

bind9 (1:9.18.2-1) unstable; urgency=medium

  * Drop libldap2-dev from Build-Depends (Closes: #1008021)
  * New upstream version 9.18.2
  * Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889)

 -- Ondřej Surý <email address hidden> Tue, 26 Apr 2022 11:03:35 +0200

bind9 (1:9.18.1-1) unstable; urgency=high

  * New upstream version 9.18.1
  * CVE-2021-25220: The rules for acceptance of records into the cache
    have been tightened to prevent the possibility of poisoning if
    forwarders send records outside the configured bailiwick.
  * CVE-2022-0396: TCP connections with 'keep-response-order' enabled
    could leave the TCP sockets in the 'CLOSE_WAIT' state when the client
    did not properly shut down the connection.
  * CVE-2022-0635: Lookups involving a DNAME could trigger an assertion
    failure when 'synth-from-dnssec' was enabled (which is the default)
  * CVE-2022-0667: When chasing DS records, a timed out or artificially
    delayed fetch could cause 'named' to crash while resuming a DS lookup.

 -- Ondřej Surý <email address hidden> Mon, 14 Mar 2022 15:29:31 +0100

bind9 (1:9.18.0-2) unstable; urgency=medium

  * Add patch to use detected L1 cache-line size instead of hard-coded
    value, this should fix architectures with 128-byte L1 cache.

 -- Ondřej Surý <email address hidden> Thu, 27 Jan 2022 13:16:04 +0100

bind9 (1:9.18.0-1) unstable; urgency=medium

  * Bump the upstream version in debian/ to 9.18
  * New upstream version 9.18.0

 -- Ondřej Surý <email address hidden> Wed, 26 Jan 2022 12:31:55 +0100

bind9 (1:9.18.0~0+git28350c-1) unstable; urgency=medium

  * New upstream version 9.18.0~0+git28350c
   + Pull the 9.18.0 pre-release git to have the L1 cache line
     fix (Closes: #1004271)
  * Fix the typo when backing up and restoring configure{,.ac}
    (Closes: #903586)
  * Remove some prehistoric conffile no longer in use
    (Closes: #942377)
  * Pick UTC date for release_date variable (Closes: #1000893)

### Old Ubuntu Delta ###

bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: Processing large delegations may severely degrade
    resolver performance
    - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
    - CVE-2022-2795
  * SECURITY UPDATE: Buffer overread in statistics channel code
    - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
    - CVE-2022-2881
  * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
    exchange via TKEY RRs
    - debian/patches/CVE-2022-2906.patch: adjust return code handling in
      lib/dns/openssldh_link.c.
    - CVE-2022-2906
  * SECURITY UPDATE: resolvers configured to answer from cache with zero
    stale-answer-timeout may terminate unexpectedly
    - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
      lib/ns/include/ns/query.h, lib/ns/query.c.
    - CVE-2022-3080
  * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
    - debian/patches/CVE-2022-38178.patch: fix return handling in
      lib/dns/openssleddsa_link.c.
    - CVE-2022-38178

 -- Marc Deslauriers <email address hidden> Wed, 21 Sep 2022 09:18:42 -0400

bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971250)
    Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depend
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.
  * Dropped changes:
    - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
      d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
      d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
      d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
      d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
      d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
      d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
      Fix dig error when trying the next server after a TCP connection
      failure. This upstream patchset also fixes a crash when using
      the 'host' command for numeric lookups (LP #1964400) and an
      infinite hang when passing a non-existent hostname to 'host' (LP
      #1964686).
      [ Incorporated by upstream. ]
    - SECURITY UPDATE: Destroying a TLS session early causes assertion
      failure
      + debian/patches/CVE-2022-1183.patch: fix destroying logic in
        lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
      [ Incorporated by upstream. ]

 -- Sergio Durigan Junior <email address hidden> Wed, 20 Jul 2022 05:28:13 -0400

Changed in bind9 (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Lena Voytek (lvoytek) wrote :

I'll take this one over since I'm doing the bind9 mre this cycle too :)

Changed in bind9 (Ubuntu):
assignee: Sergio Durigan Junior (sergiodj) → Lena Voytek (lvoytek)
Lena Voytek (lvoytek)
Changed in bind9 (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.18.10-2ubuntu1

---------------
bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993375). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention relevant packaging changes
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
  * Added Changes:
    - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
      apparmor for named
  * Dropped Changes:
    - fixed upstream:
      + debian/patches/CVE-2022-2795.patch
      + debian/patches/CVE-2022-2881.patch
      + debian/patches/CVE-2022-2906.patch
      + debian/patches/CVE-2022-3080.patch
      + debian/patches/CVE-2022-38178.patch
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      + Changed to Type=notify with sd_notify patch in debian

 -- Lena Voytek <email address hidden> Tue, 10 Jan 2023 15:24:45 -0700

Changed in bind9 (Ubuntu):
status: In Progress → Fix Released