diff -Nru bind9-9.10.3.dfsg.P4/debian/bind9-resolvconf.service bind9-9.10.3.dfsg.P4/debian/bind9-resolvconf.service
--- bind9-9.10.3.dfsg.P4/debian/bind9-resolvconf.service 2016-04-04 00:58:17.000000000 +0000
+++ bind9-9.10.3.dfsg.P4/debian/bind9-resolvconf.service 2016-11-15 16:30:00.000000000 +0000
@@ -8,6 +8,7 @@
 [Service]
 ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named'
 ExecStop=/sbin/resolvconf -d lo.named
+RemainAfterExit=yes
 
 [Install]
 WantedBy=bind9.service
diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog bind9-9.10.3.dfsg.P4/debian/changelog
--- bind9-9.10.3.dfsg.P4/debian/changelog 2016-04-27 01:40:48.000000000 +0000
+++ bind9-9.10.3.dfsg.P4/debian/changelog 2016-11-15 16:30:31.000000000 +0000
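Review bot: `RemainAfterExit=yes` is added without a comment saying why, and the reason is not obvious from the unit alone: the `ExecStart` pipeline (`echo … | /sbin/resolvconf -a lo.named`) exits immediately, so without this setting the unit does not stay active after start and `ExecStop` (`/sbin/resolvconf -d lo.named`) is no longer tied to an explicit stop of the unit. A one-line `# ExecStart exits at once; keep the unit active so ExecStop runs on stop/shutdown, not right after start` above the new line would keep the next maintainer from dropping it. The unit's `Type=` line is outside the hunk, so the oneshot behaviour this assumes is inferred rather than visible here.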
@@ -1,3 +1,29 @@
+bind9 (1:9.10.3.dfsg.P4-8ubuntu1.3) xenial; urgency=medium
+
+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
+ (LP: #1536181).
+
+ -- Nishanth Aravamudan Tue, 15 Nov 2016 08:30:31 -0800
+
+bind9 (1:9.10.3.dfsg.P4-8ubuntu1.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via responses containing a DNAME
+ answer
+ - debian/patches/CVE-2016-8864.patch: remove assertion failure in
+ lib/dns/resolver.c.
+ - CVE-2016-8864
+
+ -- Marc Deslauriers Mon, 31 Oct 2016 08:56:39 -0400
+
+bind9 (1:9.10.3.dfsg.P4-8ubuntu1.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via assertion failure
+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
+ lib/dns/message.c.
+ - CVE-2016-2776
+
+ -- Marc Deslauriers Mon, 26 Sep 2016 14:15:52 -0400
+
 bind9 (1:9.10.3.dfsg.P4-8ubuntu1) xenial-proposed; urgency=medium
 
 * Fix bad patch from when we switched to quilt. Closes: #820847 LP:
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-2776.patch bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-2776.patch
--- bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-2776.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-2776.patch 2016-11-15 16:29:36.000000000 +0000
@@ -0,0 +1,92 @@
+Description: fix denial of service via assertion failure
+Origin: backported from patch provided by upstream
+
+Index: bind9-9.10.3.dfsg.P4/lib/dns/message.c
+===================================================================
+--- bind9-9.10.3.dfsg.P4.orig/lib/dns/message.c 2016-09-26 14:15:47.390151098 -0400
++++ bind9-9.10.3.dfsg.P4/lib/dns/message.c 2016-09-26 14:15:47.386151045 -0400
+@@ -1754,7 +1754,7 @@
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_NOSPACE);
+ 
+- if (r.length < msg->reserved)
++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+ return (ISC_R_NOSPACE);
+ 
+ /*
+@@ -1895,8 +1895,29 @@
+ 
+ return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++ dns_compress_t *cctx, isc_buffer_t *target,
++ unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++ isc_result_t result;
++
++ /*
++ * Shrink the space in the buffer by the reserved amount.
++ */
++ if (target->length - target->used < reserved)
++ return (ISC_R_NOSPACE);
++
++ target->length -= reserved;
++ result = dns_rdataset_towire(rdataset, owner_name,
++ cctx, target, options, countp);
++ target->length += reserved;
++
++ return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ unsigned int options)
+@@ -1939,6 +1960,8 @@
+ /*
+ * Shrink the space in the buffer by the reserved amount.
+ */
++ if (msg->buffer->length - msg->buffer->used < msg->reserved)
++ return (ISC_R_NOSPACE);
+ msg->buffer->length -= msg->reserved;
+ 
+ total = 0;
+@@ -2214,9 +2237,8 @@
+ * Render.
+ */
+ count = 0;
+- result = dns_rdataset_towire(msg->opt, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->opt, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+@@ -2232,9 +2254,8 @@
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ count = 0;
+- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+@@ -2255,9 +2276,8 @@
+ * the owner name of a SIG(0) is irrelevant, and will not
+ * be set in a message being rendered.
+ */
+- result = dns_rdataset_towire(msg->sig0, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->sig0, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-8864.patch bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-8864.patch
--- bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-8864.patch 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.10.3.dfsg.P4/debian/patches/CVE-2016-8864.patch 2016-11-15 16:29:36.000000000 +0000
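Review bot: The new `renderset` helper and the added check in `dns_message_rendersection` both compute `length - used` in unsigned arithmetic, which only rejects the short-buffer case while `used <= length` holds; that is presumably the isc_buffer invariant, but nothing in the patch states it, so a comment such as `/* Relies on target->used <= target->length (isc_buffer invariant); the subtraction would otherwise wrap and the check pass. */` above the `if` in `renderset` (and its twin on `msg->buffer`) would make the assumption visible. The earlier `@@ -1754` change is safe for the same reason only because the `r.length < DNS_MESSAGE_HEADERLEN` test directly precedes it, which is worth a one-line comment too. The patch header carries only `Description` and `Origin`; a DEP-3 `Bug:` line pointing at the CVE-2016-2776 advisory would let future readers find the upstream rationale. `dns_message_rendersection` and the functions around the other hunks start and end outside the quoted lines.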
@@ -0,0 +1,189 @@
+Description: fix denial of service via responses containing a DNAME answer
+Origin: backported from 9.10.4-P4
+
+Index: bind9-9.10.3.dfsg.P4/lib/dns/resolver.c
+===================================================================
+--- bind9-9.10.3.dfsg.P4.orig/lib/dns/resolver.c 2016-10-31 08:53:33.663609748 -0400
++++ bind9-9.10.3.dfsg.P4/lib/dns/resolver.c 2016-10-31 08:53:33.659609703 -0400
+@@ -614,7 +614,9 @@
+ valarg->addrinfo = addrinfo;
+ 
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -5534,13 +5536,6 @@
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -5655,6 +5650,11 @@
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5905,6 +5905,11 @@
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6726,13 +6731,15 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+ 
+ FCTXTRACE("answer_response");
+@@ -6746,6 +6753,7 @@
+ 
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6755,12 +6763,13 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+ 
+@@ -6768,6 +6777,8 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6862,7 +6873,7 @@
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6892,11 +6903,18 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6990,11 +7008,11 @@
+ return (DNS_R_FORMERR);
+ }
+ 
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+ 
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -7009,7 +7027,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -7026,10 +7044,13 @@
+ 
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -7054,6 +7075,10 @@
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/series bind9-9.10.3.dfsg.P4/debian/patches/series
--- bind9-9.10.3.dfsg.P4/debian/patches/series 2016-04-27 01:40:48.000000000 +0000
+++ bind9-9.10.3.dfsg.P4/debian/patches/series 2016-11-15 16:29:36.000000000 +0000
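Review bot: The detach-before-attach block added at `@@ -5655` is repeated verbatim at `@@ -5905`, and neither copy says why the caller's `*adbp`/`*anodep` may already hold a reference at that point; a small static helper carrying that explanation would keep the two sites from drifting apart. I read the block as releasing a reference left by an earlier answer pass (the DNAME case the patch description names) so the following `dns_db_attach` does not trip its already-attached assertion, but that is inferred rather than visible in the hunk and should be confirmed against the callers. The `@@ -614` hunk likewise swaps an `INSIST` for silently forcing `DNS_VALIDATOR_DEFER` on or off, and the rationale that the deleted comment at `@@ -5534` used to give is now gone; a one-liner such as `/* Defer when validators are already queued so they do not manipulate fctx->rmessage simultaneously. */` above the new `if` would restore it. The enclosing functions of all these hunks start and end outside the quoted lines.
```c
/*
 * Release any db/node reference the caller's out-pointers already hold so
 * the following dns_db_attach()/dns_db_transfernode() start from a clean
 * slate. Needed when more than one answer pass reaches this point (for
 * example via a DNAME chain) -- confirm against the callers.
 */
static void
detach_answer_refs(dns_db_t **adbp, dns_dbnode_t **anodep) {
	if (adbp == NULL || *adbp == NULL)
		return;
	if (anodep != NULL && *anodep != NULL)
		dns_db_detachnode(*adbp, anodep);
	dns_db_detach(adbp);
}

/* … unchanged: body up to the event->result assignment at @@ -5655 and @@ -5905 … */
	event->result = eresult;
	detach_answer_refs(adbp, anodep);
	dns_db_attach(fctx->cache, adbp);
```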
@@ -10,3 +10,5 @@
 34_prepare_native_pkcs11.diff
 70_precise_time.diff
 75_ctxstart_no_sighandling.diff
+CVE-2016-2776.patch
+CVE-2016-8864.patch