Change logs for bind9 source package in Hardy

  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.12) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via specific combinations of RDATA
        - bin/named/query.c: fix logic
        - Patch backported from 9.8.3-P4
        - CVE-2012-5166
     -- Marc Deslauriers <email address hidden>   Fri, 05 Oct 2012 09:47:25 -0400
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.11) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via large crafted resource record
        - check length in lib/dns/include/dns/rdata.h,
          lib/dns/{master,rdata,rdataslab}.c.
        - Patch backported from 9.6-ESV-R7-P3
        - CVE-2012-4244
     -- Marc Deslauriers <email address hidden>   Thu, 13 Sep 2012 08:03:16 -0400
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.10) hardy-security; urgency=low
    
      * SECURITY UPDATE: ghost domain names attack
        - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that
          of the old NS RRset when replacing it.
        - Patch backported from 9.6-ESV-R6.
        - CVE-2012-1033
      * SECURITY UPDATE: denial of service via zero length rdata handling
        - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for
          duplicate rdata.
        - Patch backported from 9.6-ESV-R7-P1.
        - CVE-2012-1667
     -- Marc Deslauriers <email address hidden>   Mon, 04 Jun 2012 13:53:06 -0400
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.9) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via specially crafted packet
        - bin/named/query.c,lib/dns/rbtdb.c: correctly handle cache lookups
          that return RRSIG data associated with nonexistent records.
        - Patch backported from 9.4-ESV-R5-P1.
        - CVE-2011-4313
     -- Marc Deslauriers <email address hidden>   Wed, 16 Nov 2011 14:30:39 -0500
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.8) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via specially crafted packet
        - lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache,
          nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute
          flag to indicate negative-cache records rather than using rrtype 0.
        - Patch backported from 9.6-ESV-R4-P3.
        - CVE-2011-2464
     -- Marc Deslauriers <email address hidden>   Tue, 05 Jul 2011 09:30:37 -0400
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.7) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via multiple trust anchors for a
        single zone
        - lib/dns/validator.c: fix arguments to dns_keytable_findnextkeynode().
        - Upstream change 2869.
        - CVE-2010-3762
      * SECURITY UPDATE: denial of service via off-by-one
        - lib/dns/ncache.c: correctly validate length.
        - Patch backported from 9.4-ESV-R4-P1.
        - CVE-2011-1910
      * Added tests for previous security update to test suite and backport
        DNS_DBFIND_ADDITIONALOK so they work.
     -- Marc Deslauriers <email address hidden>   Fri, 27 May 2011 13:26:22 -0400
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.6) hardy-security; urgency=low
    
      * SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
        same type
        - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale.
        - CVE-2010-3613
      * SECURITY UPDATE: answers incorrectly marked as insecure during key
        algorithm rollover
        - lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
        - CVE-2010-3614
     -- Marc Deslauriers <email address hidden>   Fri, 26 Nov 2010 09:41:20 -0500
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.5) hardy-security; urgency=low
    
      * SECURITY UPDATE: incorrect cache update from additional section
        - bin/named/query.c, lib/dns/include/dns/types.h,
          lib/dns/{resolver.c,validator.c}: further fixes backported from
          9.4.3-P5
        - CVE-2009-4022
      * SECURITY UPDATE: incorrect caching of bogus NXDOMAIN responses
        - bin/named/query.c, lib/dns/include/dns/types.h,
          lib/dns/{resolver.c,validator.c}: fixes backported from 9.4.3-P5
        - CVE-2010-0097
     -- Marc Deslauriers <email address hidden>   Tue, 19 Jan 2010 13:15:01 -0500
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.4) hardy-security; urgency=low
    
      * SECURITY UPDATE: incorrect cache update from additional section
        - bin/named/query.c, lib/dns/{include/dns/types.h,masterdump.c,
          rbtdb.c,resolver.c,validator.c}: handle the additional section
          properly. lib/dns/api, version: increment versions.
        - debian/*: increment to libdns36, add libdns35 metapackage so
          upgrade-manager won't hold the bind9 upgrade back.
        - CVE-2009-4022
     -- Marc Deslauriers <email address hidden>   Fri, 04 Dec 2009 09:13:41 -0500
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.2) hardy-security; urgency=low
    
      * SECURITY UPDATE: server can exit on malicious update packet.
        - bin/named/update.c: backported upstream fix.
        - CVE-2009-0696
    
     -- Kees Cook <email address hidden>   Tue, 28 Jul 2009 20:10:39 -0700
  • bind9 (1:9.4.2.dfsg.P2-2ubuntu0.1) hardy-security; urgency=low
    
      * SECURITY UPDATE: clients treat malformed signatures as good when verifying
        server DSA and ECDSA certificates.
        - update lib/dns/openssldsa_link.c to properly check the return code of
          DSA_do_verify()
        - CVE-2009-0025
    
     -- Jamie Strandboge <email address hidden>   Wed, 07 Jan 2009 17:01:34 -0600
  • bind9 (1:9.4.2.dfsg.P2-2) hardy-proposed; urgency=low
    
      * apparmor profile: add /var/log/named
      * dig: add -DDIG_SIGCHASE to compile options.  LP: #257682
    
    bind9 (1:9.4.2.dfsg.P2-1) unstable; urgency=low
    
      [Internet Software Consortium, Inc]
    
      * 9.4.2-P2
    
      [LaMont Jones]
    
      * meta: fix Depends versions, package vs sonames.  Closes: #490877
    
    bind9 (1:9.4.2-13) unstable; urgency=low
    
      * SECURITY UPDATE: Randomize UDP query source ports to improve forgery resilience.
      * References
        CVE-2008-1447
    
    bind9 (1:9.4.2-12) unstable; urgency=low
    
      * apparmor: allow bind to create files in /var/{lib,cache}/bind
    
     -- LaMont Jones <email address hidden>   Fri, 26 Sep 2008 06:38:32 -0600
  • bind9 (1:9.4.2-10ubuntu0.1) hardy-security; urgency=low
    
      * SECURITY UPDATE: Randomize UDP query source ports to improve forgery resilience.
      * References
        CVE-2008-1447
    
     -- LaMont Jones <email address hidden>   Sun, 06 Jul 2008 19:36:16 -0600
  • bind9 (1:9.4.2-10) unstable; urgency=low
    
      [Jamie Strandboge]
    
      * debian/bind9.preinst: AA force-complain on upgrade without existing
        profile.  LP: #204658
    
      [LaMont Jones]
    
      * host: manpage inaccurately describes default query.  LP: #203087
    
     -- LaMont Jones <email address hidden>   Wed, 09 Apr 2008 20:33:51 +0100
  • bind9 (1:9.4.2-9) unstable; urgency=low
    
      * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind
      * apparmor: make profile match README.Debian
    
    bind9 (1:9.4.2-8) unstable; urgency=low
    
      [ISC]
    
      * CVE-2008-0122: off-by-one error in (unused) inet_network function.
        Closes: #462783  LP: #203476
    
      [Michael Milligan]
    
      * Fix min-cache-ttl and min-ncache-ttl keywords
    
      [Jamie Strandboge]
    
      * apparmor: force complain-mode for apparmor on certain upgrades.  LP: #203528
      * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named
    
    bind9 (1:9.4.2-7) unstable; urgency=low
    
      [Jamie Strandboge]
    
      * Allow rw access to /var/lib/bind/* in apparmor-profile.  LP: #201954
    
      [LaMont Jones]
    
      * Drop root-delegation comments from named.conf.  Closes: #217829, #297219
    
     -- LaMont Jones <email address hidden>   Fri, 04 Apr 2008 11:44:26 +0100
  • bind9 (1:9.4.2-6) unstable; urgency=low
    
      * Correct apparmor profile filename.  LP: #200739
    
    bind9 (1:9.4.2-5) unstable; urgency=low
    
      * add "order random_1" support (return one random RR)
      * Fix doc pathnames in README.Debian.  Closes: #266891
      * Add AAAA ::1 entry to db.local.  Closes: #230088
    
     -- Adam Sommer <email address hidden>   Fri, 14 Mar 2008 10:06:29 +0000
  • bind9 (1:9.4.2-4) unstable; urgency=low
    
      * incorporate ubuntu apparmor change from Jamie Strandboge,
        with changes:
        - Add apparmor profile, reload apparmor profile on config
        - Add a note about apparmor to README.Debian
        - conflicts/replaces old apparmor versions
      * db.root: include AAAA RRs.  Closes: #464111
      * Don't die when /var/lib/bind already exists.  LP: #191685
      * build: turn on optimization.  Closes: #435194
    
     -- LaMont Jones <email address hidden>   Mon, 03 Mar 2008 18:58:30 +0000
  • bind9 (1:9.4.2-3ubuntu1) hardy; urgency=low
    
      * add AppArmor profile
        + debian/apparmor-profile
        + debian/bind9.postinst: Reload AA profile on configuration
      * updated debian/README.Debian for note on AppArmor
      * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we
        should now take control
      * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
        to make sure that if earlier version of apparmor-profiles gets installed
        it won't overwrite our profile
      * Modify Maintainer value to match the DebianMaintainerField
        specification.
    
     -- Jamie Strandboge <email address hidden>   Wed, 13 Feb 2008 17:30:45 +0000
  • bind9 (1:9.4.2-3) unstable; urgency=low
    
      * don't run rndc-confgen when it's not there.  Closes: #459551
      * control: drop use of ${Source-Version}
    
    bind9 (1:9.4.2-2) unstable; urgency=low
    
      * init.d: add --oknodo to start-stop-daemon.  Closes: #411881
      * init: LSB dependency info.  Closes: #459421, #448006
      * meta: bind9 Suggests: resolvconf.  Closes: #252285
      * bind9: deliver /var/lib/bind directory, and document.
        Closes: #248771, #200253, #202981, #209022
      * lwresd: create bind user/group and rndc key if needed, at install.
        Closes: #190742
      * dnsutils: update long description.  Closes: #236901
    
     -- LaMont Jones <email address hidden>   Wed, 13 Feb 2008 09:58:47 +0000
  • bind9 (1:9.4.2-1) unstable; urgency=low
    
      [Mike O'Connor]
    
      * bind9.init: LSB compliance.  Closes: #448006
    
      [Internet Software Consortium, Inc]
    
      * New release: 9.4.2
    
      [LaMont Jones]
    
      * soname shifts for new release
    
    bind9 (1:9.4.2~rc2-1) experimental; urgency=low
    
      * New upstream release
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Fri, 30 Nov 2007 12:38:07 +0000
  • bind9 (1:9.4.1-P1-4) unstable; urgency=low
    
      [Thomas Antepoth]
    
      * unix/socket.c: don't send to a socket with pending_send.  Closes: #430065
    
      [LaMont Jones]
    
      * document git repositories
      * db.root: l.root-servers.net changed IP address.  Closes: #449148  LP: #160176
      * init.d: if there are no networks configured, error out quickly
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Thu, 15 Nov 2007 10:37:33 +0000
  • bind9 (1:9.4.1-P1-3) unstable; urgency=low
    
      * Only deliver upstream changes with bind9-doc
    
     -- LaMont Jones <email address hidden>   Thu, 04 Oct 2007 17:07:00 +0100