Change logs for bind9 source package in Groovy

  • bind9 (1:9.16.6-3ubuntu1.2) groovy-security; urgency=medium
    
      * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
        - debian/patches/CVE-2021-25214.patch: immediately reject the entire
          transfer for certain RR in lib/dns/xfrin.c.
        - CVE-2021-25214
      * SECURITY UPDATE: assert via answering certain queries for DNAME records
        - debian/patches/CVE-2021-25215.patch: fix assert checks in
          lib/ns/query.c.
        - CVE-2021-25215
      * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
        - debian/rules: build with --disable-isc-spnego to disable internal
          SPNEGO and use the one from the kerberos libraries.
        - CVE-2021-25216
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:14:19 -0400
  • bind9 (1:9.16.6-3ubuntu1.1) groovy-security; urgency=medium
    
      * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
        - debian/patches/CVE-2020-8625.patch: properly calculate length in
          lib/dns/spnego.c.
        - CVE-2020-8625
    
     -- Marc Deslauriers <email address hidden>  Mon, 15 Feb 2021 08:04:07 -0500
  • bind9 (1:9.16.6-3ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/t/control: change the dep8 test dependency to be on the real
          bind9-dnsutils package, and not the transitional one (LP #1864761)
        - d/rules: change deprecated --with-libjson-c configure argument to
          --with-json-c
    
    bind9 (1:9.16.6-3) unstable; urgency=medium
    
      [ Ondřej Surý ]
      * Add upstream patches to fix some rare conditions (Closes: #969448)
    
      [ Bernhard Schmidt ]
      * Set Restart=on-failure in systemd unit
    
     -- Andreas Hasenack <email address hidden>  Tue, 15 Sep 2020 10:46:52 -0300
  • bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/t/control: change the dep8 test dependency to be on the real
          bind9-dnsutils package, and not the transitional one (LP #1864761)
        - d/rules: change deprecated --with-libjson-c configure argument to
          --with-json-c
      * Dropped:
        - d/not-installed: list dnstap-read.1 manpage, which is being
          installed by the makefile even when dnstap is disabled.
          [Fixed upstream]
    
    bind9 (1:9.16.6-2) unstable; urgency=medium
    
      * Move Build-Depends for documentation to Build-Depends-Indep, this
        should fix the arch-any build on s390x where xindy is not available.
    
    bind9 (1:9.16.6-1) unstable; urgency=medium
    
      * New upstream version 9.16.6
    
    bind9 (1:9.16.5-1) unstable; urgency=medium
    
      * New upstream version 9.16.5
      * Add fonts-freefont-otf, latexmk, texlive-fonts-recommended,
        texlive-latex-recommended, texlive-xetex, xindy to Build-Depends
      * Install man pages for tsig-gen and named-compilezone
    
     -- Andreas Hasenack <email address hidden>  Mon, 24 Aug 2020 10:57:08 -0300
  • bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium
    
      * No change rebuild against new json-c ABI.
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 28 Jul 2020 17:42:17 +0100
  • bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/t/control: change the dep8 test dependency to be on the real
          bind9-dnsutils package, and not the transitional one (LP #1864761)
        - d/rules: change deprecated --with-libjson-c configure argument to
          --with-json-c
      * Dropped:
        - SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
          + debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
            lib/ns/include/ns/client.h, lib/ns/xfrout.c.
          + CVE-2020-8618
          [Fixed upstream]
        - SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
          label was queried in a certain pattern
          + debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
          + CVE-2020-8619
          [Fixed upstream]
      * Added changes:
        - d/not-installed: list dnstap-read.1 manpage, which is being
          installed by the makefile even when dnstap is disabled.
    
    bind9 (1:9.16.4-1) unstable; urgency=medium
    
      * New upstream version 9.16.4
      * Update Debian packaging for sphinx-doc documentation
    
     -- Andreas Hasenack <email address hidden>  Mon, 06 Jul 2020 15:22:36 -0300
  • bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium
    
      * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
        - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
          lib/ns/include/ns/client.h, lib/ns/xfrout.c.
        - CVE-2020-8618
      * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
        label was queried in a certain pattern
        - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
        - CVE-2020-8619
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Jun 2020 08:29:47 -0400
  • bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/t/control: change the dep8 test dependency to be on the real
          bind9-dnsutils package, and not the transitional one (LP #1864761)
        - d/rules: change deprecated --with-libjson-c configure argument to
          --with-json-c
      * Dropped:
        - d/control: make bind9-dnsutils multi-arch foreign as another step
          towards fixing LP #1864761
          [The correct fix was to change the dep8 dependency to be on the real
          package, and not the transitional one]
        - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
          performed when processing referrals
          + debian/patches/CVE-2020-8616.patch: further limit the number of
            queries that can be triggered from a request in lib/dns/adb.c,
            lib/dns/include/dns/adb.h, lib/dns/resolver.c.
          + CVE-2020-8616
          [Fixed upstream]
        - SECURITY UPDATE: A logic error in code which checks TSIG validity can
          be used to trigger an assertion failure in tsig.c
          + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
            BADTIME response in lib/dns/tsig.c.
          + CVE-2020-8617
          [Fixed upstream]
    
    bind9 (1:9.16.3-1) unstable; urgency=medium
    
      * New upstream version 9.16.3
    
     -- Andreas Hasenack <email address hidden>  Tue, 02 Jun 2020 17:37:44 -0300
  • bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/t/control: change the dep8 test dependency to be on the real
          bind9-dnsutils package, and not the transitional one (LP #1864761)
        - d/control: make bind9-dnsutils multi-arch foreign as another step
          towards fixing LP #1864761
        - d/rules: change deprecated --with-libjson-c configure argument to
          --with-json-c
        - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
          performed when processing referrals
          + debian/patches/CVE-2020-8616.patch: further limit the number of
            queries that can be triggered from a request in lib/dns/adb.c,
            lib/dns/include/dns/adb.h, lib/dns/resolver.c.
          + CVE-2020-8616
        - SECURITY UPDATE: A logic error in code which checks TSIG validity can
          be used to trigger an assertion failure in tsig.c
          + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
            BADTIME response in lib/dns/tsig.c.
          + CVE-2020-8617
      * Dropped:
        - use iproute2 instead of net-tools (LP #1850699):
          + d/control: replace net-tools depends with iproute2
          + d/bind9.init: use ip instead of ifconfig
          [In 1:9.16.1-2]
        - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
          via libedit-dev (libreadline has a license conflict with bind)
          [In 1:9.16.1-2]
        - d/control: drop hardcoded python3 dependency
          (LP #1856211, Closes #946643)
          [In 1:9.16.1-2]
        - d/extras/apparmor.d/usr.sbin.named:
          + Add flags=(attach_disconnected) to AppArmor profile
          + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
            (Closes: #928398)
          [In 1:9.16.1-2]
        - d/rules: fix typo in the apparmor profile installation
          [In 1:9.16.1-2]
        - d/control: create transitional packages for dnsutils, bind9utils
          [In 1:9.16.1-2]
        - d/p/fix-rebinding-protection.patch: fix rebinding protection bug
          when using forwarder setups (LP #1873046)
          [Fixed upstream]
    
    bind9 (1:9.16.2-3) unstable; urgency=medium
    
      [ Simon Deziel ]
      * apparmor: use profile name specifier
    
    bind9 (1:9.16.2-2) unstable; urgency=medium
    
      * Update gbp.conf to debian/master and upstream/latest
      * Reintroduce the bind9-dev package (Closes: #954906)
    
    bind9 (1:9.16.2-1) unstable; urgency=medium
    
      * Update d/copyright (Closes: #947978)
      * New upstream version 9.16.2 (Closes: #952946, #954919)
    
    bind9 (1:9.16.1-2) unstable; urgency=medium
    
      [ Andreas Hasenack ]
      * Bring back the DEP8 test from sid
      * Use iproute2 instead of net-tools
      * d/control: drop hardcoded python3 dependency
    
      [ Bernhard Schmidt ]
      * Fix apparmor profile name.
        Thanks to Andreas Hasenack
      * Enable readline support
    
      [ Andreas Hasenack ]
      * Update apparmor profile with what is in sid
      * Create the missing transitional packages for dnsutils, bind9utils
      * There is a licensing conflict with adding libreadline and we should
        use libedit-dev instead.
    
      [ Ondřej Surý ]
      * Add Breaks: freeipa, so the package doesn't migrate to testing before freeipa is fixed
    
    bind9 (1:9.16.1-1) experimental; urgency=medium
    
      * New upstream version 9.16.1
    
     -- Andreas Hasenack <email address hidden>  Fri, 22 May 2020 09:52:13 -0300
  • bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium
    
      * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
        performed when processing referrals
        - debian/patches/CVE-2020-8616.patch: further limit the number of
          queries that can be triggered from a request in lib/dns/adb.c,
          lib/dns/include/dns/adb.h, lib/dns/resolver.c.
        - CVE-2020-8616
      * SECURITY UPDATE: A logic error in code which checks TSIG validity can
        be used to trigger an assertion failure in tsig.c
        - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
          BADTIME response in lib/dns/tsig.c.
        - CVE-2020-8617
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 May 2020 09:03:32 -0400
  • bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
    
      * d/p/fix-rebinding-protection.patch: fix rebinding protection bug
        when using forwarder setups (LP: #1873046)
    
     -- Andreas Hasenack <email address hidden>  Wed, 15 Apr 2020 14:59:51 -0300