Change log for bind9 package in Debian

1–75 of 154 results
Published in buster-release on 2019-03-04
Published in sid-release on 2019-02-22
bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high

  [ Bernhard Schmidt ]
  * New upstream version 9.11.5.P4+dfsg
    - CVE-2018-5744: A specially crafted packet can cause named to leak memory
    - CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over
      to an unsupported key algorithm when using managed-keys
    - CVE-2019-6465: Controls for zone transfers might not be properly applied
      to Dynamically Loadable Zones (DLZs) if the zones are writable.
  * d/watch: Do not use beta or RC versions
  * d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap
    symbols

  [ Ondřej Surý ]
  * Add new upstream GPG signing-key

 -- Bernhard Schmidt <email address hidden>  Fri, 22 Feb 2019 17:54:10 +0100
Superseded in buster-release on 2019-03-04
Superseded in sid-release on 2019-02-24
bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium

  [ Dominik George ]
  * Support dyndb modules with apparmor. (Closes: #900879)

  [ Bernhard Schmidt ]
  * apparmor-policy: permit locking of the allow-new-zones database
    (Closes: #922065)
  * apparmor-policy: allow access to Samba DLZ files (Closes: #920530)

 -- Bernhard Schmidt <email address hidden>  Tue, 12 Feb 2019 00:34:21 +0100
Superseded in buster-release on 2019-02-22
Published in sid-release on 2018-12-18
bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium

  * New upstream version 9.11.5.P1+dfsg

 -- Ondřej Surý <email address hidden>  Tue, 18 Dec 2018 13:59:25 +0000
Superseded in buster-release on 2018-12-21
Superseded in sid-release on 2018-12-22
bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium

  * Use <email address hidden> as Maintainer address
  * New upstream version 9.11.5+dfsg
  * Add EXTENSIONS= to version file programmatically, not with the patch
  * Rebase patches for BIND 9.11.5
  * Adjust package names for new SONAMEs

 -- Ondřej Surý <email address hidden>  Mon, 22 Oct 2018 10:30:28 +0000
Superseded in buster-release on 2018-12-16
Superseded in sid-release on 2019-01-20
bind9 (1:9.11.4.P2+dfsg-3) unstable; urgency=medium

  * Also avoid OpenSSL 1.1.1 in udebs.
    Thanks to KiBi for the hint
  * autopkgtest: Make an external query and check for DNSSEC

 -- Bernhard Schmidt <email address hidden>  Wed, 26 Sep 2018 11:21:35 +0200
Superseded in sid-release on 2018-09-26
bind9 (1:9.11.4.P2+dfsg-2) unstable; urgency=medium

  * Temporarily disable EDDSA to relax OpenSSL version requirement

 -- Bernhard Schmidt <email address hidden>  Mon, 24 Sep 2018 11:08:15 +0200
Superseded in sid-release on 2018-09-27
bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium

  [ Bernhard Schmidt ]
  * Add a very simple autopkgtest (dig @127.0.0.1)

  [ Ondřej Surý ]
  * New upstream version 9.11.4.P2+dfsg
  * Rebase patches for BIND 9.11.4-P2

 -- Ondřej Surý <email address hidden>  Mon, 10 Sep 2018 08:36:06 +0000
Superseded in sid-release on 2018-09-24
bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
    crashing on startup. (LP: #1769440)

  [ Bernhard Schmidt ]
  * Add gbp.conf for pristine-tar usage
  * d/watch: Properly deal with -P patch releases

  [ Ondřej Surý ]
  * Don't fail to start if /etc/default/bind9 doesn't exist
  * New upstream version 9.11.4.P1+dfsg
  * Rebase patches for BIND 9.11.4-P1
  * Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643)
  * Put aside named.conf.option from stretch when upgrading (Closes: #905177)

 -- Ondřej Surý <email address hidden>  Fri, 31 Aug 2018 09:53:27 +0000
Superseded in buster-release on 2018-09-28
Superseded in sid-release on 2018-09-08
bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium

  * Brown-paper-bag release :-(
  * Fix missing colon in AppArmor profile (Closes: #904983)

 -- Bernhard Schmidt <email address hidden>  Mon, 30 Jul 2018 16:28:21 +0200
Superseded in sid-release on 2018-07-30
bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium

  * Enable IDN support for dig+host using libidn2 (Closes: #459010)
  * Use root.hints from dns-root-data (Closes: #888491)

 -- Bernhard Schmidt <email address hidden>  Sun, 29 Jul 2018 23:26:09 +0200
Superseded in buster-release on 2018-08-05
Superseded in sid-release on 2018-08-07
bind9 (1:9.11.4+dfsg-2) unstable; urgency=medium

  * Enable dnstap support (Courtesy of Richard James Salts) (Closes: #890483)
  * Remove auth-nxdomain no; from named.conf.options (Closes: #896889)

 -- Ondřej Surý <email address hidden>  Mon, 16 Jul 2018 18:49:50 +0000
Published in jessie-release on 2018-06-23
bind9 (1:9.9.5.dfsg-9+deb8u15) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Addresses could be referenced after being freed in resolver.c, causing an
    assertion failure. (CVE-2017-3145)

 -- Salvatore Bonaccorso <email address hidden>  Mon, 15 Jan 2018 22:58:53 +0100
Superseded in buster-release on 2018-07-27
Published in sid-release on 2018-06-14
bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium

  * [CVE-2018-5738]: Add upstream fix to close the default open recursion
    (Closes: #901483)
  * Change the maintainer address (Closes: #899959)

 -- Ondřej Surý <email address hidden>  Thu, 14 Jun 2018 13:01:47 +0000
Superseded in buster-release on 2018-06-20
Superseded in sid-release on 2018-06-14
bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium

  [ Bernhard Schmidt ]
  * New upstream version 9.11.3+dfsg
    (Closes: #867570, #888463)
    - Refresh patches
    - Drop stdatomic.h patches applied upstream
  * Follow SONAME bump of libdns
  * Follow SONAME bump of libisc
  * Add missing symbols for libisccfg160
  * Add python3-distutils Build-Dependency
  * Drop Priority: standard for library packages
  * Fix apparmor profile name (Closes: #893005)
    Thanks to Andreas Hasenack
  * Update bind9-host description (Closes: #729561)
  * Add flags=(attach_disconnected) to AppArmor profile to prepare
    to use more systemd hardening options, see #863841
  * Add myself to Uploaders

  [ Ondřej Surý ]
  * Update Vcs-* links to salsa.d.o

 -- Bernhard Schmidt <email address hidden>  Fri, 23 Mar 2018 00:09:58 +0100
Published in stretch-release on 2018-03-10
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Addresses could be referenced after being freed in resolver.c, causing an
    assertion failure. (CVE-2017-3145)

 -- Salvatore Bonaccorso <email address hidden>  Mon, 15 Jan 2018 22:40:17 +0100
Superseded in buster-release on 2018-04-14
Superseded in sid-release on 2018-04-09
bind9 (1:9.11.2.P1-1) unstable; urgency=medium

  * New upstream version 9.11.2-P1
  * Refresh patches for new release

 -- Ondřej Surý <email address hidden>  Wed, 17 Jan 2018 06:06:04 +0000
Superseded in sid-release on 2018-01-17
bind9 (1:9.11.2+dfsg-10) unstable; urgency=medium

  * Disable lmdb usage in export version of libraries (Closes: #887407)

 -- Ondřej Surý <email address hidden>  Tue, 16 Jan 2018 05:59:31 +0000
Superseded in sid-release on 2018-01-16
bind9 (1:9.11.2+dfsg-9) unstable; urgency=medium

  * Fix various mistakes in bind9 conffiles (Closes: #887398)

 -- Ondřej Surý <email address hidden>  Mon, 15 Jan 2018 23:12:43 +0000
Superseded in sid-release on 2018-01-16
bind9 (1:9.11.2+dfsg-8) unstable; urgency=medium

  * Pull more stdatomic patch to fix builds on 32-bit architectures
  * Remove extra native pkcs11 patch (it has been replaced by sed rules)

 -- Ondřej Surý <email address hidden>  Mon, 15 Jan 2018 21:02:30 +0000
Superseded in sid-release on 2018-01-16
bind9 (1:9.11.2+dfsg-7) unstable; urgency=medium

  * Pull upstream patch to use C11 stdatomic where available (Closes: #778720)

 -- Ondřej Surý <email address hidden>  Mon, 15 Jan 2018 15:59:48 +0000
Superseded in sid-release on 2018-01-16
bind9 (1:9.11.2+dfsg-6) unstable; urgency=medium

  * Add named-nzd2nzf to bind9 package
  * Simplify installation rules
  * Enable lmdb (to actually build named-nzd2nzf)
  * Move delv from bind9 to dnsutils package (Closes: #887326)

 -- Ondřej Surý <email address hidden>  Mon, 15 Jan 2018 14:19:31 +0000
Superseded in buster-release on 2018-01-22
Superseded in sid-release on 2018-07-10
bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium

  * Remove duplicate invoke-rc.d start invocation (Closes: #883575)
  * Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999)
  * Use dh-apparmor for profile management
  * apparmor-profile: allow changing thread name (Closes: #883228)
  * Bump debhelper compat level to 10
  * Bump Standards-Version to 4.1.2, no changes necessary

 -- Bernhard Schmidt <email address hidden>  Sun, 10 Dec 2017 20:23:12 +0100
Superseded in jessie-release on 2018-06-23
bind9 (1:9.9.5.dfsg-9+deb8u14) jessie; urgency=high

  [ Bernhard Schmidt ]
  * Import upcoming DNSSEC KSK-2017 from 9.10.5

  [ Ondřej Surý ]
  * Non-maintainer upload.

 -- Ondřej Surý <email address hidden>  Mon, 28 Aug 2017 10:26:39 +0200
Superseded in buster-release on 2017-12-16
Superseded in sid-release on 2017-12-11
bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium

  * Team upload.
  * Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536)

 -- Bernhard Schmidt <email address hidden>  Tue, 05 Dec 2017 00:09:25 +0100
Superseded in sid-release on 2017-12-05
bind9 (1:9.11.2+dfsg-3) unstable; urgency=medium

  * Team upload.
  * Only install files into bind9:any on arch-any builds (Closes: #883448)
  * Adjust dependencies for udeb packages (Closes: #883449)

 -- Bernhard Schmidt <email address hidden>  Mon, 04 Dec 2017 10:56:58 +0100
Superseded in sid-release on 2017-12-05
bind9 (1:9.11.2+dfsg-2) unstable; urgency=medium

  * Team upload.
  * Workaround for FTBFS on binary-any builds (Closes: #883159)

 -- Bernhard Schmidt <email address hidden>  Sun, 03 Dec 2017 20:36:32 +0100
Superseded in sid-release on 2017-12-04
bind9 (1:9.11.2+dfsg-1) unstable; urgency=low

  * d/watch: Bump the BIND version to 9.11.x
  * Remove 'order random_1' patch, it was a horrible deviation from standards
  * Modernize d/rules using debhelper
  * New upstream version 9.11.2+dfsg
  * Delete dyndb patch, as dyndb is now included in upstream sources
  * Rebase patches for new upstream release.
  * Add python3-ply to Build-Depends
  * Restore the native pkcs11 patch
  * Fix the Debian version parsing
  * Remove lwresd as it has been deprecated by upstream anyway
  * Add new tools: mdig to dnsutils and dnssec-keymgr to bind9utils
  * Update the SONAMEs of BIND libraries
  * Fix python3 packaging errors
  * Bump the standards version to 4.1.1.1 (no change)
  * Add support for dh_missing

 -- Ondřej Surý <email address hidden>  Tue, 28 Nov 2017 22:59:30 +0000
Superseded in buster-release on 2017-12-10
Published in sid-release on 2017-11-02
bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium

  [ Chris Lamb ]
  * Make the build reproducible (Closes: #828012)

  [ Micah Cowan ]
  * Try not to be fragile to varying value of LIBS make var. (Closes: #833307)

  [ Ondřej Surý ]
  * Update the softhsm2.so non-MA path (Closes: #860722)
  * Enable JSON output in the statistics channel (Closes: #860722)
  * Merge NMUs' changelogs (Closes: #880077)
  * Use /dev/urandom to avoid blocking in the server process. (Closes: #854243)

 -- Ondřej Surý <email address hidden>  Thu, 02 Nov 2017 10:31:01 +0000
Superseded in buster-release on 2017-11-08
Superseded in sid-release on 2017-11-04
bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium

  [ Michael Biebl ]
  * Improve bind9-resolvconf.service (Closes: #826353)

  [ Ondřej Surý ]
  * Add insserv.conf.d configuration (Closes: #650538)
  * Change bind9-resolvconf.server to Type=oneshot + RemainAfterExit=yes (Closes: #832040)
  * Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522)
  * Update Vcs-* fields to standard variants
  * Rebuild with newer debhelper (Closes: #879542)

 -- Ondřej Surý <email address hidden>  Mon, 23 Oct 2017 07:02:50 +0000
Superseded in sid-release on 2017-10-24
bind9 (1:9.10.6+dfsg-3) unstable; urgency=medium

  * Make lwresd hard depend on bind9 package (Closes: #879127)

 -- Ondřej Surý <email address hidden>  Sun, 22 Oct 2017 11:08:20 +0000
Superseded in sid-release on 2017-10-23
bind9 (1:9.10.6+dfsg-2) unstable; urgency=medium

  [ Timo Aaltonen ]
  * d/copyright: Add Bv9ARM.pdf to Files-Excluded.

  [ Ondřej Surý ]
  * Replace lwresd with symlink instead of hard copy (Closes: #868538)
  * Fix the symbols file to compensate for missing bsdcompat symbol on kFreeBSD (Closes: #879017)
  * Re-enable threading support on kFreeBSD (Closes: #879018)
  * Drop Multi-Arch: same header from libbind-dev (Closes: #874232)
  * Remove transitional host package (Closes: #645437, #878228)

 -- Ondřej Surý <email address hidden>  Thu, 19 Oct 2017 09:35:03 +0000
Superseded in sid-release on 2018-01-22
bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium

  * New upstream version 9.10.6+dfsg
  * Use OpenSSL 1.1.0 for crypto
  * Add support for downloading upstream sources using d/watch
    + Make d/copyright machine readable for Files-Excluded: support
    + Update Files-Exclude: * to remove obsolete software dropped in
      contrib/, but not really used
  * Add initial README.source
  * Limit the d/watch to 9.10.x (aka stable) for now
  * Update patches for BIND 9.10.6 release
  * Update PKCS11 patch
  * Move under pkg-dns umbrella
  * Reformat files in debian/ with wrap-and-sort -a for better maintainability
  * Update the d/export.diff for BIND 9.10.6
  * Remove FAQ from d/bind9.docs
  * Bump SONAME versions for BIND libraries
  * Add symbols files for libraries and enable strict symbol checks
  * arpaname and named-rrchecker have been moved to /usr/bin
  * Install required python library into bind9utils to accompany
    dnssec-checkds and dnssec-coverage
  * Change Vcs-* to pkg-dns/bind9
  * Also exclude idnkit from upstream tarball
  * Finish the debian/copyright update into machine readable format
  * Enable Multi-Arch on libirs-export189
  * Cleanup maintainer scripts
  * Add lintian override for false positive on full-path command
  * Remove unnecessary complexity when generating ${Description} to d/control

 -- Ondřej Surý <email address hidden>  Fri, 06 Oct 2017 06:18:21 +0000
Superseded in stretch-release on 2018-03-10
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium

  [ Bernhard Schmidt ]
  * Import upcoming DNSSEC KSK-2017 from 9.10.5

  [ Ondřej Surý ]
  * Non-maintainer upload.

 -- Ondřej Surý <email address hidden>  Mon, 28 Aug 2017 09:36:28 +0200
Superseded in buster-release on 2017-11-17
Superseded in sid-release on 2017-12-09
bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium

  * Non-maintainer upload.
  * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)

 -- Bernhard Schmidt <email address hidden>  Fri, 11 Aug 2017 19:10:07 +0200
Superseded in buster-release on 2017-09-03
Superseded in sid-release on 2017-08-23
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso <email address hidden>  Fri, 21 Jul 2017 22:28:32 +0200
Superseded in jessie-release on 2017-12-09
bind9 (1:9.9.5.dfsg-9+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix CVE-2017-3042 and CVE-2017-3043
    CVE-2017-3042: error in TSIG authentication can permit unauthorized zone
    transfers. An attacker may be able to circumvent TSIG authentication of
    AXFR and Notify requests.
    CVE-2017-3043: error in TSIG authentication can permit unauthorized
    dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
    signature for a dynamic update.

 -- Yves-Alexis Perez <email address hidden>  Fri, 30 Jun 2017 18:10:30 +0200
Superseded in stretch-release on 2017-10-07
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
      transfers. An attacker may be able to circumvent TSIG authentication of
      AXFR and Notify requests.
      CVE-2017-3143: error in TSIG authentication can permit unauthorized
      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
      signature for a dynamic update.

 -- Yves-Alexis Perez <email address hidden>  Fri, 30 Jun 2017 16:20:29 +0200
Superseded in buster-release on 2017-07-28
Superseded in sid-release on 2017-07-25
bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high

  * Non-maintainer upload.

  [ Yves-Alexis Perez ]
  * debian/patches:
    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
      transfers. An attacker may be able to circumvent TSIG authentication of
      AXFR and Notify requests.
      CVE-2017-3143: error in TSIG authentication can permit unauthorized
      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
      signature for a dynamic update.
      (Closes: #866564)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 16 Jul 2017 22:13:21 +0200
Superseded in buster-release on 2017-07-21
Superseded in stretch-release on 2017-07-22
Superseded in sid-release on 2017-08-28
bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high

  * Non-maintainer upload.
  * Dns64 with "break-dnssec yes;" can result in an assertion failure
    (CVE-2017-3136) (Closes: #860224)
  * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
    assertion failures (CVE-2017-3137) (Closes: #860225)
  * 'rndc ""' could trigger an assertion failure in named (CVE-2017-3138)
    (Closes: #860226)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 07 May 2017 15:22:46 +0200
Superseded in jessie-release on 2017-07-22
bind9 (1:9.9.5.dfsg-9+deb8u10) jessie-security; urgency=medium

  * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
  * Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if
    both DNS64 and RPZ are being used (closes: #855520).

 -- Michael Gilbert <email address hidden>  Sun, 26 Feb 2017 00:03:04 +0000
Superseded in stretch-release on 2017-05-20
Superseded in sid-release on 2017-05-09
bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
    hangs and crashes on MIPS. (Closes: #778720)

 -- James Cowgill <email address hidden>  Tue, 18 Apr 2017 16:42:50 +0100
Superseded in stretch-release on 2017-04-26
Superseded in sid-release on 2017-05-25
bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Use /dev/urandom to avoid blocking in the server process.
    (closes: #854243)

 -- Bastian Blank <email address hidden>  Fri, 17 Mar 2017 19:07:16 +0100
Superseded in stretch-release on 2017-03-26
Superseded in sid-release on 2017-03-18
bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high

  * Merge and accept the non-maintainer upload.
  * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
  * Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if
    both DNS64 and RPZ are being used (closes: #855520).

 -- Michael Gilbert <email address hidden>  Sun, 19 Feb 2017 22:39:32 +0000
Superseded in stretch-release on 2017-02-25
Superseded in sid-release on 2017-02-20
bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
    Patch by Marc Haber <email address hidden> (Closes: #820974).

 -- Arturo Borrero Gonzalez <email address hidden>  Tue, 07 Feb 2017 10:42:00 +0100
Superseded in stretch-release on 2017-02-18
Superseded in sid-release on 2017-02-07
bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium

  * Fix some lintian warnings.
  * Add lsb-base dependency to lwresd (closes: #848519).
  * Fix CVE-2016-2775: crash in lwresd due to a long query name
    (closes: #831796).
  * Fix CVE-2016-2776: maliciously crafted query can cause named to crash
    (closes: #839010).
  * Fix CVE-2016-8864: incorrect handling of a DNAME record can cause
    named to crash (closes: #842858).
  * Fix CVE-2016-9131: maliciously crafted response to an ANY query can
    cause named to crash (closes: #851065).
  * Fix CVE-2016-9147: query with contradictory DNSSEC information can
    cause named to crash (closes: #851063).
  * Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
    record can cause named to crash (closes: #851062).
  * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
    (closes: #828082).

  [ LaMont Jones ]
  * Update VCS fields in control.
  * -DDIG_SIGCHASE got dropped by the change in hardening.

  [ Stefan Bader ]
  * Use the defaults file in systemd.

 -- Michael Gilbert <email address hidden>  Thu, 19 Jan 2017 04:03:28 +0000
Deleted in experimental-release (Reason: None provided.)
bind9 (1:9.10.4-P5-1) experimental; urgency=medium

  * New upstream: 9.10.4-P5
    - Fixes CVE-2016-2775: crash in lwresd due to a long query name
      (closes: #831796).
    - Fixes CVE-2016-2776: maliciously crafted query can cause named to crash
      (closes: #839010).
    - Fixes CVE-2016-6170: improper zone size limits (closes: #830810).
    - Fixes CVE-2016-8864: incorrect handling of a DNAME record can cause
      named to crash (closes: #842858).
    - Fixes CVE-2016-9131: maliciously crafted response to an ANY query can
      cause named to crash (closes: #851065).
    - Fixes CVE-2016-9147: query with contradictory DNSSEC information can
      cause named to crash (closes: #851063).
    - Fixes CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
      record can cause named to crash (closes: #851062).
  * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
    (closes: #828082).
  * Update debian/copyright to format 1.0.
  * Add upstream signing key.

 -- Michael Gilbert <email address hidden>  Sun, 15 Jan 2017 06:04:12 +0000
Superseded in jessie-release on 2017-05-07
bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-security; urgency=medium

  * CVE-2016-8864: Fix assertion failure in DNAME processing with patch
    provided by ISC.

 -- Florian Weimer <email address hidden>  Tue, 01 Nov 2016 17:51:22 +0100
Superseded in stretch-release on 2017-02-02
Superseded in sid-release on 2017-01-22
bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Add explicit ordering for nss-lookup.target in bind9.service,
    lwresd.service. Patches by Michael Biebl <email address hidden>.
    (Closes: #826243, #826245)

 -- Christian Hofstaedtler <email address hidden>  Sat, 02 Jul 2016 14:32:50 +0200
Superseded in stretch-release on 2016-07-18
Superseded in sid-release on 2016-07-12
bind9 (1:9.10.3.dfsg.P4-10) unstable; urgency=medium

  * Use python3

 -- LaMont Jones <email address hidden>  Tue, 03 May 2016 17:39:49 -0600
Superseded in stretch-release on 2016-05-09
Superseded in sid-release on 2016-05-04
bind9 (1:9.10.3.dfsg.P4-9) unstable; urgency=medium

  * Fix bad patch from when we switched to quilt.  Closes: #820847  LP:
    #1552801, #1549788, #1553460
  * freshen patch to remove fuzz.

 -- LaMont Jones <email address hidden>  Tue, 26 Apr 2016 15:17:58 -0600
Superseded in stretch-release on 2016-05-03
Superseded in sid-release on 2016-04-27
bind9 (1:9.10.3.dfsg.P4-8) unstable; urgency=medium

  [Timo Aaltonen]

  * Fix bind9-resolvconf.service installation.
  * Add support for native pkcs11.  LP: #1565392

  [Samuel Thibault]

  * Detect in6_pktinfo on hurd-i386.  Closes: #820404

 -- LaMont Jones <email address hidden>  Wed, 13 Apr 2016 13:19:37 -0600
Superseded in stretch-release on 2016-04-19
Superseded in sid-release on 2017-12-09
bind9 (1:9.10.3.dfsg.P4-7) unstable; urgency=medium

  * Fix libisccc-export dependencies.  Closes: #820043

 -- Michael Gilbert <email address hidden>  Tue, 05 Apr 2016 02:53:22 +0000
Superseded in sid-release on 2016-04-05
bind9 (1:9.10.3.dfsg.P4-6) unstable; urgency=medium

  * Upload 9.10 to unstable.  Closes: #781739
  * Add -DNO_VERSION_DATE to CFLAGS.  Closes: #783885

 -- Michael Gilbert <email address hidden>  Mon, 04 Apr 2016 00:39:57 +0000
Published in wheezy-release on 2016-04-02
bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u10) wheezy-security; urgency=high

  * Fix CVE-2016-1285: error parsing control channel input.
  * Fix CVE-2016-1286: error parsing DNAME resource records.

 -- Michael Gilbert <email address hidden>  Tue, 08 Mar 2016 02:51:39 +0000
Superseded in jessie-release on 2017-01-14
bind9 (1:9.9.5.dfsg-9+deb8u6) jessie-security; urgency=high

  * Fix CVE-2016-1285: error parsing control channel input.
  * Fix CVE-2016-1286: error parsing DNAME resource records.

 -- Michael Gilbert <email address hidden>  Tue, 08 Mar 2016 00:40:53 +0000
Deleted in experimental-release (Reason: None provided.)
bind9 (1:9.10.3.dfsg.P4-5) experimental; urgency=medium

  * Drop dead code in bind9.preinst.
  * move from /var/run to /run for policy.

 -- LaMont Jones <email address hidden>  Sat, 19 Mar 2016 19:52:04 -0600
Superseded in experimental-release on 2016-03-26
bind9 (1:9.10.3.dfsg.P2-5) experimental; urgency=medium

  [Timo Aaltonen]

  * Sync 30_dynamic_db.diff from Fedora.
  * rules: Backup some files which dh_autoreconf_clean would remove, restore
    on clean.

  [Jamie Strandboge]

  * apparmor: use @{PROC} instead of /proc, allow read on
    sys.net.ipv4.ip_local_port_range.  LP: #1552441

  [LaMont Jones]

  * Return nanosecond-precise time for files, so that we more-correctly know
    when we can skip loading a zonefile.  (Bug introduced 9.9.3b2)

 -- LaMont Jones <email address hidden>  Thu, 03 Mar 2016 18:17:06 -0700
Superseded in experimental-release on 2016-03-23
bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium

  [Matthias Klose]

  * Fix .so symlinks.
  * libbind-dev: Depend on libirs141.
  * For the udeb's, use a separate build with a reduced feature set, drop the
    name difference, and do both builds in a separate directory.

  [Filip Pytloun]

  * Add apparmor rules needed by freeipa-server.  Closes: #814314

  [LaMont Jones]

  * Do not deliver libraries (left in /lib) as part of bind9.  LP: #1547052
  * clean up library path for libirs.

 -- LaMont Jones <email address hidden>  Fri, 19 Feb 2016 14:26:08 -0700
Superseded in experimental-release on 2016-03-04
bind9 (1:9.10.3.dfsg.P2-3) experimental; urgency=medium

  [Marc Deslauriers]

  * SECURITY UPDATE: denial of service via string formatting operations. 
    CVE-2015-8704

  [Matthias Klose]

  * Add multiarch support.  Closes: #802584
  * Standards cleanup.

  [LaMont Jones]

  * Properly finish converting to 3.0 (quilt) format.
  * Drop geoip_acl patch temporarily while we evaluate the upstream geoip
    changes.
  * Prechroot init appears to have been taken upstream.

 -- LaMont Jones <email address hidden>  Wed, 17 Feb 2016 10:34:24 -0700
Superseded in jessie-release on 2016-04-02
bind9 (1:9.9.5.dfsg-9+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix CVE-2015-8000.
    CVE-2015-8000: Insufficient testing when parsing a message allowed
    records with an incorrect class to be accepted, triggering a REQUIRE
    failure when those records were subsequently cached.

 -- Salvatore Bonaccorso <email address hidden>  Mon, 14 Dec 2015 20:02:04 +0100
Superseded in stretch-release on 2016-04-10
Superseded in sid-release on 2016-04-06
bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add patch to fix CVE-2015-8000.
    CVE-2015-8000: Insufficient testing when parsing a message allowed
    records with an incorrect class to be accepted, triggering a REQUIRE
    failure when those records were subsequently cached. (Closes: #808081)

 -- Salvatore Bonaccorso <email address hidden>  Wed, 16 Dec 2015 15:01:39 +0100
Superseded in wheezy-release on 2016-04-02
bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u6) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2015-5477: A failure to reset a value to NULL in tkey.c could
    result in an assertion failure.

 -- Salvatore Bonaccorso <email address hidden>  Mon, 27 Jul 2015 20:52:06 +0200
Superseded in jessie-release on 2016-01-23
bind9 (1:9.9.5.dfsg-9+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2015-5477: A failure to reset a value to NULL in tkey.c could
    result in an assertion failure.

 -- Salvatore Bonaccorso <email address hidden>  Mon, 27 Jul 2015 21:06:05 +0200
Superseded in stretch-release on 2015-12-20
Superseded in sid-release on 2015-12-18
bind9 (1:9.9.5.dfsg-12) unstable; urgency=high

  * Fix CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash.

 -- Michael Gilbert <email address hidden>  Thu, 03 Sep 2015 01:16:32 +0000
Superseded in stretch-release on 2015-09-05
Superseded in sid-release on 2015-09-03
bind9 (1:9.9.5.dfsg-11) unstable; urgency=high

  * Fix CVE-2015-5477: maliciously crafted TKEY query can cause named to exit
    (closes: #793903).

 -- Michael Gilbert <email address hidden>  Wed, 29 Jul 2015 23:46:48 +0000
Superseded in stretch-release on 2015-08-01
Superseded in sid-release on 2015-07-30
bind9 (1:9.9.5.dfsg-10) unstable; urgency=high

  * Fix CVE-2015-4620: DNSSEC validation of a maliciously crafted zone can
    cause the resolver to crash (closes: #791715).

 -- Michael Gilbert <email address hidden>  Thu, 09 Jul 2015 00:43:38 +0000
Superseded in stretch-release on 2015-07-11
Superseded in jessie-release on 2015-09-05
Superseded in sid-release on 2016-07-16
bind9 (1:9.9.5.dfsg-9) unstable; urgency=high


  * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
    affecting setups using DNSSEC (closes: #778733).

 -- Michael Gilbert <email address hidden>  Thu, 19 Feb 2015 03:42:21 +0000
Superseded in wheezy-release on 2015-09-05
bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u3) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * CVE-2014-8500: Failure to place limits on delegation chaining can allow an
    attacker to crash BIND or cause memory exhaustion.

 -- Giuseppe Iuculano <email address hidden>  Mon, 08 Dec 2014 20:02:06 +0100
Superseded in jessie-release on 2015-04-10
Superseded in sid-release on 2015-03-30
bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium


  * Launch rndc command in the background in networking scripts to avoid a
    hang in named from bringing down the entire network (closes: #760555).

 -- Michael Gilbert <email address hidden>  Thu, 01 Jan 2015 17:51:52 +0000
Superseded in jessie-release on 2015-01-07
Superseded in sid-release on 2015-01-02
bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium


  * Fix CVE-2014-8500: limit recursion in order to avoid memory consumption
    issues that can lead to denial-of-service (closes: #772610).

 -- Michael Gilbert <email address hidden>  Sun, 14 Dec 2014 05:05:48 +0000
Superseded in jessie-release on 2014-12-21
Superseded in sid-release on 2014-12-14
bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium


  * Include dlz_dlopen.h in libbind-dev (closes: #769117).

 -- Michael Gilbert <email address hidden>  Sun, 30 Nov 2014 22:53:50 +0000

Superseded in jessie-release on 2014-12-06
Superseded in sid-release on 2014-12-01
bind9 (1:9.9.5.dfsg-5) unstable; urgency=medium


  * Avoid libnsl dependency on non-linux architectures.  Closes: #766430
  * Install export libraries to /lib instead of /usr/lib.  Closes: #766544
  * Add myself to the maintainer team with approval from LaMont and Bdale.

 -- Michael Gilbert <email address hidden>  Thu, 30 Oct 2014 02:42:17 +0000
Superseded in wheezy-release on 2015-01-10
bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u2) wheezy-security; urgency=high


  * Non-maintainer upload by the Security Team.
  * CVE-2014-0591: named crash when handling malformed NSEC3-signed zones.
    A remote attacker could use this flaw against an authoritative name
    server that served NSEC3-signed zones by sending a specially crafted
    query, which, when processed, would cause named to crash. (Closes: #735190)

 -- Salvatore Bonaccorso <email address hidden>  Fri, 05 Sep 2014 22:18:48 +0200
Superseded in jessie-release on 2014-11-04
Superseded in sid-release on 2014-10-31
bind9 (1:9.9.5.dfsg-4.3) unstable; urgency=medium


  * Non-maintainer upload.
  * Mark critical section as not parallel in the makefile.  Closes: #762766

 -- Michael Gilbert <email address hidden>  Mon, 13 Oct 2014 04:37:55 +0000
Superseded in sid-release on 2014-10-15
bind9 (1:9.9.5.dfsg-4.2) unstable; urgency=low


  * Non-maintainer upload.
  * Fix intermittent parallel build failure.  Closes: #762766
  * Set -fno-delete-null-pointer-checks.  Closes: #750760
  * Use separate packages for the udebs.  Closes: #762762
  * Don't install configuration files to /usr.  Closes: #762948

 -- Michael Gilbert <email address hidden>  Mon, 06 Oct 2014 01:23:57 +0000