Superseded
by bind9 - 1:9.10.3.dfsg.P4-12.6ubuntu1
Published
Changelog
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
* Merge with Debian unstable (LP: #1701687). Remaining changes:
- Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP #1536181).
- rules: Fix path to libsofthsm2.so. (LP #1685780)
* Drop:
- SECURITY UPDATE: denial of service via assertion failure
+ debian/patches/CVE-2016-2776.patch: properly handle lengths in
lib/dns/message.c.
+ CVE-2016-2776
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via class mismatch
+ debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
records in lib/dns/resolver.c.
+ CVE-2016-9131
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
+ debian/patches/CVE-2016-9147.patch: fix logic when records are
returned without the requested data in lib/dns/resolver.c.
+ CVE-2016-9147
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via unusually-formed DS record
+ debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
lib/dns/message.c, lib/dns/resolver.c.
+ CVE-2016-9444
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
responses in lib/dns/resolver.c, added tests to
bin/tests/system/dname/ns2/example.db,
bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
a NULL pointer
+ debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
combination in bin/named/query.c, lib/dns/message.c,
lib/dns/rdataset.c.
+ CVE-2017-3135
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
was still being cached when it should have been in lib/dns/resolver.c,
added tests to bin/tests/system/dname/ans3/ans.pl,
bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Denial of Service due to an error handling
synthesized records when using DNS64 with "break-dnssec yes;"
+ debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
called.
+ CVE-2017-3136
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
- SECURITY UPDATE: Denial of Service due to resolver terminating when
processing a response packet containing a CNAME or DNAME
+ debian/patches/CVE-2017-3137.patch: don't expect a specific
ordering of answer components; add testcases.
+ CVE-2017-3137
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
- SECURITY UPDATE: Denial of Service when receiving a null command on
the control channel
+ debian/patches/CVE-2017-3138.patch: don't throw an assert if no
command token is given; add testcase.
+ CVE-2017-3138
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
- SECURITY UPDATE: TSIG authentication issues
+ debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
+ CVE-2017-3142
+ CVE-2017-3143
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
* d/p/CVE-2016-8864-regression-test.patch: tests for the regression
introduced with the CVE-2016-8864.patch and fixed in
CVE-2016-8864-regression.patch.
* d/p/CVE-2016-8864-regression2-test.patch: tests for the second
regression (RT #44318) introduced with the CVE-2016-8864.patch
and fixed in CVE-2016-8864-regression2.patch.
* d/control, d/rules: add json support for the statistics channels.
(LP: #1669193)
-- Andreas Hasenack <email address hidden> Fri, 11 Aug 2017 17:12:09 -0300