Change logs for bind9 source package in Bionic

  • bind9 (1:9.11.3+dfsg-1ubuntu1.11) bionic-security; urgency=medium
    
      * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
        connection
        - debian/patches/CVE-2019-6477.patch: limit number of clients in
          bin/named/client.c, bin/named/include/named/client.h.
        - CVE-2019-6477
    
     -- Marc Deslauriers <email address hidden>  Mon, 18 Nov 2019 10:01:47 -0500
  • bind9 (1:9.11.3+dfsg-1ubuntu1.10) bionic; urgency=medium
    
      * d/p/fix-socket-failures-during-name-resolution.patch: fix socket failures
        due to uninitialized memory during name resolution (LP: #1804542)
    
     -- Lucas Kanashiro <email address hidden>  Mon, 30 Sep 2019 15:39:12 -0300
  • bind9 (1:9.11.3+dfsg-1ubuntu1.9) bionic; urgency=medium
    
      * d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
        close to a query timeout (LP: #1797926)
    
     -- Christian Ehrhardt <email address hidden>  Wed, 07 Aug 2019 16:43:40 +0200
  • bind9 (1:9.11.3+dfsg-1ubuntu1.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: DoS via malformed packets
        - debian/patches/CVE-2019-6471.patch: fix race condition in
          lib/dns/dispatch.c.
        - CVE-2019-6471
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Jun 2019 18:55:08 -0400
  • bind9 (1:9.11.3+dfsg-1ubuntu1.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
        - debian/patches/CVE-2018-5743.patch: add reference counting in
          bin/named/client.c, bin/named/include/named/client.h,
          bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
          lib/isc/include/isc/quota.h, lib/isc/quota.c,
          lib/isc/win32/libisc.def.in.
        - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
          operations with isc_refcount reference counting in
          bin/named/client.c, bin/named/include/named/interfacemgr.h,
          bin/named/interfacemgr.c.
        - debian/libisc169.symbols: added new symbols.
        - CVE-2018-5743
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 Apr 2019 06:04:51 -0400
  • bind9 (1:9.11.3+dfsg-1ubuntu1.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: memory leak via specially crafted packet
        - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
          options in bin/named/client.c.
        - CVE-2018-5744
      * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
        unsupported key algorithm when using managed-keys
        - debian/patches/CVE-2018-5745.patch: properly handle situations when
          the key tag cannot be computed in lib/dns/include/dst/dst.h,
          lib/dns/zone.c.
        - CVE-2018-5745
      * SECURITY UPDATE: Controls for zone transfers may not be properly
        applied to Dynamically Loadable Zones (DLZs) if the zones are writable
        - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
          the zone table as a DLZ zone bin/named/xfrout.c.
        - CVE-2019-6465
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Feb 2019 09:10:34 +0100
  • bind9 (1:9.11.3+dfsg-1ubuntu1.4) bionic; urgency=medium
    
      * Disable EDDSA to avoid picking up new symbols when rebuilding against
        new OpenSSL. Cherrypick from Debian & Disco. LP: #1815474
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 05 Feb 2019 14:31:40 +0000
  • bind9 (1:9.11.3+dfsg-1ubuntu1.3) bionic; urgency=medium
    
      [ Karl Stenerud ]
      * d/p/skip-rtld-deepbind-for-dyndb.diff: fix named-pkcs11 crashing on
        startup. Thanks to Petr Menšík <email address hidden> (LP: #1769440)
    
     -- Andreas Hasenack <email address hidden>  Wed, 10 Oct 2018 14:33:34 -0300
  • bind9 (1:9.11.3+dfsg-1ubuntu1.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: denial of service crash when deny-answer-aliases
        option is used
        - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
          trigger a crash if deny-answer-aliases was set
        - debian/patches/CVE-2018-5740-2.patch: add tests
        - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
          *chainingp correctly, add test
        - CVE-2018-5740
    
     -- Steve Beattie <email address hidden>  Thu, 09 Aug 2018 23:26:07 -0700
  • bind9 (1:9.11.3+dfsg-1ubuntu1.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: improperly permits recursive query service
        - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
          in bin/named/server.c.
        - CVE-2018-5738
    
     -- Marc Deslauriers <email address hidden>  Mon, 11 Jun 2018 09:41:51 -0400
  • bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
    
      * New upstream release. (LP: #1763572)
        - fix a crash when configured with ipa-dns-install
      * Merge from Debian unstable.  Remaining changes:
        - Build without lmdb support as that package is in Universe
    
    bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
    
      [ Bernhard Schmidt ]
      * New upstream version 9.11.3+dfsg
        (Closes: #867570, #888463)
        - Refresh patches
        - Drop stdatomic.h patches applied upstream
      * Follow SONAME bump of libdns
      * Follow SONAME bump of libisc
      * Add missing symbols for libisccfg160
      * Add python3-distutils Build-Dependency
      * Drop Priority: standard for library packages
      * Fix apparmor profile name (Closes: #893005)
        Thanks to Andreas Hasenack
      * Update bind9-host description (Closes: #729561)
      * Add flags=(attach_disconnected) to AppArmor profile to prepare
        to use more systemd hardening options, see #863841
      * Add myself to Uploaders
    
      [ Ondřej Surý ]
      * Update Vcs-* links to salsa.d.o
    
     -- Timo Aaltonen <email address hidden>  Fri, 13 Apr 2018 07:40:47 +0300
  • bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
    
      * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
        DNS records in Microsoft AD using GSSAPI.  Thanks to Mark Andrews
        <email address hidden>. (LP: #1755439)
    
     -- Andreas Hasenack <email address hidden>  Fri, 16 Mar 2018 09:38:46 -0300
  • bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
    
      * Fix apparmor profile filename (LP: #1754981)
    
     -- Andreas Hasenack <email address hidden>  Thu, 15 Mar 2018 10:06:57 -0300
  • bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
    
      * No change rebuild against openssl1.1.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 06 Feb 2018 12:14:22 +0000
  • bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
    
      * Build without lmdb support as that package is in Universe (LP: #1746296)
        - d/control: remove Build-Depends on liblmdb-dev
        - d/rules: configure --without-lmdb
        - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
          lmdb.
    
     -- Andreas Hasenack <email address hidden>  Tue, 30 Jan 2018 15:21:23 -0200
  • bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
    
      * Merge with Debian unstable (LP: #1744930).
      * Drop:
        - Add RemainAfterExit to bind9-resolvconf unit configuration file
          (LP #1536181).
          [fixed in 1:9.10.6+dfsg-4]
        - rules: Fix path to libsofthsm2.so. (LP #1685780)
          [adopted in 1:9.10.6+dfsg-5]
        - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
          introduced with the CVE-2016-8864.patch and fixed in
          CVE-2016-8864-regression.patch.
          [applied upstream]
        - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
          regression (RT #44318) introduced with the CVE-2016-8864.patch
          and fixed in CVE-2016-8864-regression2.patch.
          [applied upstream]
        - d/control, d/rules: add json support for the statistics channels.
          (LP #1669193)
          [adopted in 1:9.10.6+dfsg-5]
      * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
        listing the python ply module as a dependency (Closes: #888463)
    
    bind9 (1:9.11.2.P1-1) unstable; urgency=medium
    
      * New upstream version 9.11.2-P1
      * Refresh patches for new release
    
    bind9 (1:9.11.2+dfsg-10) unstable; urgency=medium
    
      * Disable lmdb usage in export version of libraries (Closes: #887407)
    
    bind9 (1:9.11.2+dfsg-9) unstable; urgency=medium
    
      * Fix various mistakes in bind9 conffiles (Closes: #887398)
    
    bind9 (1:9.11.2+dfsg-8) unstable; urgency=medium
    
      * Pull more stdatomic patch to fix builds on 32-bit architectures
      * Remove extra native pkcs11 patch (it has been replaced by sed rules)
    
    bind9 (1:9.11.2+dfsg-7) unstable; urgency=medium
    
      * Pull upstream patch to use C11 stdatomic where available (Closes: #778720)
    
    bind9 (1:9.11.2+dfsg-6) unstable; urgency=medium
    
      * Add named-nzd2nzf to bind9 package
      * Simplify installation rules
      * Enable lmdb (to actually build named-nzd2nzf)
      * Move delv from bind9 to dnsutils package (Closes: #887326)
    
    bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium
    
      * Remove duplicate invoke-rc.d start invocation (Closes: #883575)
      * Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999)
      * Use dh-apparmor for profile management
      * apparmor-profile: allow changing thread name (Closes: #883228)
      * Bump debhelper compat level to 10
      * Bump Standards-Version to 4.1.2, no changes necessary
    
    bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium
    
      * Team upload.
      * Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536)
    
    bind9 (1:9.11.2+dfsg-3) unstable; urgency=medium
    
      * Team upload.
      * Only install files into bind9:any on arch-any builds (Closes: #883448)
      * Adjust dependencies for udeb packages (Closes: #883449)
    
    bind9 (1:9.11.2+dfsg-2) unstable; urgency=medium
    
      * Team upload.
      * Workaround for FTBFS on binary-any builds (Closes: #883159)
    
    bind9 (1:9.11.2+dfsg-1) unstable; urgency=low
    
      * d/watch: Bump the BIND version to 9.11.x
      * Remove 'order random_1' patch, it was a horrible deviation from standards
      * Modernize d/rules using debhelper
      * New upstream version 9.11.2+dfsg
      * Delete dyndb patch, as dyndb is now included in upstream sources
      * Rebase patches for new upstream release.
      * Add python3-ply to Build-Depends
      * Restore the native pkcs11 patch
      * Fix the Debian version parsing
      * Remove lwresd as it has been deprecated by upstream anyway
      * Add new tools: mdig to dnsutils and dnssec-keymgr to bind9utils
      * Update the SONAMEs of BIND libraries
      * Fix python3 packaging errors
      * Bump the standards version to 4.1.1.1 (no change)
      * Add support for dh_missing
    
    bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium
    
      [ Chris Lamb ]
      * Make the build reproducible (Closes: #828012)
    
      [ Micah Cowan ]
      * Try not to be fragile to varying value of LIBS make var. (Closes: #833307)
    
      [ Ondřej Surý ]
      * Update the softhsm2.so non-MA path (Closes: #860722)
      * Enable JSON output in the statistics channel (Closes: #860722)
      * Merge NMUs' changelogs (Closes: #880077)
      * Use /dev/urandom to avoid blocking in the server process. (Closes: #854243)
    
    bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium
    
      [ Michael Biebl ]
      * Improve bind9-resolvconf.service (Closes: #826353)
    
      [ Ondřej Surý ]
      * Add insserv.conf.d configuration (Closes: #650538)
      * Change bind9-resolvconf.server to Type=oneshot + RemainAfterExit=yes (Closes: #832040)
      * Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522)
      * Update Vcs-* fields to standard variants
      * Rebuild with newer debhelper (Closes: #879542)
    
    bind9 (1:9.10.6+dfsg-3) unstable; urgency=medium
    
      * Make lwresd hard depend on bind9 package (Closes: #879127)
    
    bind9 (1:9.10.6+dfsg-2) unstable; urgency=medium
    
      [ Timo Aaltonen ]
      * d/copyright: Add Bv9ARM.pdf to Files-Excluded.
    
      [ Ondřej Surý ]
      * Replace lwresd with symlink instead of hard copy (Closes: #868538)
      * Fix the symbols file to compensate for missing bsdcompat symbol on kFreeBSD (Closes: #879017)
      * Re-enable threading support on kFreeBSD (Closes: #879018)
      * Drop Multi-Arch: same header from libbind-dev (Closes: #874232)
      * Remove transitional host package (Closes: #645437, #878228)
    
    bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
    
      * New upstream version 9.10.6+dfsg
      * Use OpenSSL 1.1.0 for crypto
      * Add support for downloading upstream sources using d/watch
        + Make d/copyright machine readable for Files-Excluded: support
        + Update Files-Exclude: * to remove obsolete software dropped in
          contrib/, but not really used
      * Add initial README.source
      * Limit the d/watch to 9.10.x (aka stable) for now
      * Update patches for BIND 9.10.6 release
      * Update PKCS11 patch
      * Move under pkg-dns umbrella
      * Reformat files in debian/ with wrap-and-sort -a for better maintainability
      * Update the d/export.diff for BIND 9.10.6
      * Remove FAQ from d/bind9.docs
      * Bump SONAME versions for BIND libraries
      * Add symbols files for libraries and enable strict symbol checks
      * arpaname and named-rrchecker has been moved to /usr/bin
      * Install required python library into bind9utils to accompany
        dnssec-checkds and dnssec-coverage
      * Change Vcs-* to pkg-dns/bind9
      * Also exclude idnkit from upstream tarball
      * Finish the debian/copyright update into machine readable format
      * Enable Multi-Arch on libirs-export189
      * Cleanup maintainer scripts
      * Add lintian override for false positive on full-path command
      * Remove unnecessary complexity when generating ${Description} to d/control
    
     -- Andreas Hasenack <email address hidden>  Fri, 26 Jan 2018 11:20:33 -0200
  • bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
    
      * Merge with Debian unstable (LP: #1712920). Remaining changes:
        - Add RemainAfterExit to bind9-resolvconf unit configuration file
          (LP #1536181).
        - rules: Fix path to libsofthsm2.so. (LP #1685780)
        - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
          introduced with the CVE-2016-8864.patch and fixed in
          CVE-2016-8864-regression.patch.
        - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
          regression (RT #44318) introduced with the CVE-2016-8864.patch
          and fixed in CVE-2016-8864-regression2.patch.
        - d/control, d/rules: add json support for the statistics channels.
          (LP #1669193)
    
    bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
    
     -- Andreas Hasenack <email address hidden>  Thu, 24 Aug 2017 18:28:00 -0300