-
bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium
* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance RFC 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations
when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as
a DLZ zone.
- CVE-2019-6465
-- Marc Deslauriers <email address hidden> Wed, 20 Feb 2019 10:21:50 +0100
-
bind9 (1:9.9.5.dfsg-3ubuntu0.18) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service crash when deny-answer-aliases
option is used
- lib/dns/resolver.c: explicit DNAME query could trigger a crash if
deny-answer-aliases was set
- Patch backported from 9.9.13-P1.
- CVE-2018-5740
-- Marc Deslauriers <email address hidden> Wed, 19 Sep 2018 14:23:16 +0200
-
bind9 (1:9.9.5.dfsg-3ubuntu0.17) trusty-security; urgency=medium
* SECURITY UPDATE: assertion failure via improper cleanup
- lib/dns/resolver.c: fix cleanup handling.
- Patch backported from 9.9.11-P1.
- CVE-2017-3145
-- Marc Deslauriers <email address hidden> Tue, 16 Jan 2018 07:29:46 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium
* SECURITY REGRESSION: regression in last security update
- fix verification of TSIG signed TCP message sequences where not all
the messages contain TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
- 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
* Update the built in managed keys to include the upcoming root KSK in
bind.keys, bin/named/bind.keys.h.
- 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7
-- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:53:57 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium
* SECURITY UPDATE: TSIG authentication issues
- lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
- CVE-2017-3142
- CVE-2017-3143
-- Marc Deslauriers <email address hidden> Thu, 29 Jun 2017 08:11:53 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.14) trusty-security; urgency=medium
* SECURITY UPDATE: Denial of Service due to an error handling
synthesized records when using DNS64 with "break-dnssec yes;"
- bin/named/query.c: reset noqname if query_dns64() called.
- CVE-2017-3136
* SECURITY UPDATE: Denial of Service due to resolver terminating when
processing a response packet containing a CNAME or DNAME
- lib/dns/resolver.c: don't expect a specific
ordering of answer components
- lib/dns/name.c: remove part of assertion that triggers in
dns_name_split() (partial cherrypick of upstream
dc3912f3caac1104fef441fd18571b7a975708ea)
- bin/tests/system/dname/ns2/example.db,
bin/tests/system/dname/tests.sh: add testcases.
- CVE-2017-3137
* SECURITY UPDATE: Denial of Service when receiving a null command on
the control channel
- lib/isc/lex.c, lib/isc/include/isc/lex.h: don't throw an assert if no
command token is given
- bin/tests/system/rndc/tests.sh: add testcase.
- CVE-2017-3138
-- Steve Beattie <email address hidden> Wed, 12 Apr 2017 09:45:52 -0700
-
bind9 (1:9.9.5.dfsg-3ubuntu0.13) trusty-security; urgency=medium
* SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
a NULL pointer
- bin/named/query.c, lib/dns/message.c, lib/dns/rdataset.c: properly
handle dns64 and rpz combination.
- CVE-2017-3135
* SECURITY UPDATE: regression in CVE-2016-8864
- lib/dns/resolver.c: synthesised CNAME before matching DNAME was still
being cached when it should have been,
- bin/tests/system/dname/ans3/ans.pl,
bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh:
added tests.
- No CVE number
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2017 09:19:14 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.12) trusty; urgency=medium
* Backport (70_precise_mtime.diff) 18b87b2a58d422fe4d3073540bf89b5a812ed2e5
to trusty. LP: #1553176
-- LaMont Jones <email address hidden> Fri, 03 Feb 2017 13:13:21 -0700
-
bind9 (1:9.9.5.dfsg-3ubuntu0.11) trusty-security; urgency=medium
* SECURITY UPDATE: assertion failure via class mismatch
- lib/dns/resolver.c: properly handle certain TKEY records.
- CVE-2016-9131
* SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
- lib/dns/resolver.c: fix logic when records are returned without the
requested data.
- CVE-2016-9147
* SECURITY UPDATE: assertion failure via unusually-formed DS record
- lib/dns/message.c, lib/dns/resolver.c: handle missing RRSIGs.
- CVE-2016-9444
* SECURITY UPDATE: regression in CVE-2016-8864
- lib/dns/resolver.c: properly handle CNAME -> DNAME in responses,
added tests to bin/tests/system/dname/ns2/example.db,
bin/tests/system/dname/tests.sh.
- No CVE number
-- Marc Deslauriers <email address hidden> Mon, 09 Jan 2017 09:27:53 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.10) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via responses containing a DNAME
answer
- lib/dns/resolver.c: remove assertion failure.
- patch backported from 9.9.9-P4.
- CVE-2016-8864
-- Marc Deslauriers <email address hidden> Mon, 31 Oct 2016 08:57:15 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.9) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via assertion failure
- lib/dns/message.c: properly handle lengths.
- backported from patch provided by upstream.
- CVE-2016-2776
-- Marc Deslauriers <email address hidden> Mon, 26 Sep 2016 14:40:09 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.8) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via rndc control channel input
parsing error
- properly check data in bin/named/control.c, bin/named/controlconf.c,
bin/rndc/rndc.c, lib/isccc/cc.c.
- CVE-2016-1285
* SECURITY UPDATE: denial of service via resource record signatures
parsing issue
- fix improper DNAME handling in lib/dns/resolver.c.
- CVE-2016-1286
-- Marc Deslauriers <email address hidden> Tue, 08 Mar 2016 08:32:14 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.7) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via string formatting operations
- lib/dns/rdata/in_1/apl_42.c: use correct length.
- CVE-2015-8704
-- Marc Deslauriers <email address hidden> Mon, 18 Jan 2016 07:55:47 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.6) trusty-security; urgency=medium
* SECURITY UPDATE: REQUIRE failure via incorrect class
- properly handle class in lib/dns/include/dns/message.h,
lib/dns/message.c, lib/dns/resolver.c, lib/dns/xfrin.c.
- CVE-2015-8000
-- Marc Deslauriers <email address hidden> Mon, 14 Dec 2015 13:45:55 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.5) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service in DNSSEC-signed record validation
via malformed keys
- fix validation in lib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
lib/dns/ncache.c, lib/dns/openssldh_link.c,
lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
- CVE-2015-5722
-- Marc Deslauriers <email address hidden> Tue, 01 Sep 2015 14:00:51 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.4) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service in TKEY record query handling
- lib/dns/tkey.c: clear out name before trying the answer section.
- CVE-2015-5477
-- Marc Deslauriers <email address hidden> Mon, 27 Jul 2015 11:41:31 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.3) trusty-security; urgency=medium
* SECURITY UPDATE: resolver DoS via specially crafted zone data
- lib/dns/validator.c: don't use uninitialized fixedname.
- CVE-2015-4620
-- Marc Deslauriers <email address hidden> Mon, 29 Jun 2015 15:00:34 -0400
-
bind9 (1:9.9.5.dfsg-3ubuntu0.2) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via revoking a managed trust anchor
and supplying an untrusted replacement
- lib/dns/zone.c: avoid crash due to managed-key rollover
- Based on patch supplied by Evan Hunt <email address hidden>
- CVE-2015-1349
-- Marc Deslauriers <email address hidden> Wed, 18 Feb 2015 07:40:48 -0500
-
bind9 (1:9.9.5.dfsg-3ubuntu0.1) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via delegation handling defect
- limit max recursion in bin/named/config.c, bin/named/query.c,
bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
lib/export/isc/Makefile.in, lib/isc/counter.c,
lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
lib/isc/include/isc/types.h, lib/isc/Makefile.in,
lib/isc/tests/counter_test.c, lib/isc/tests/Makefile.in,
lib/isccfg/namedconf.c.
- Patch extracted from 9.9.6-P1.
- CVE-2014-8500
-- Marc Deslauriers <email address hidden> Tue, 09 Dec 2014 08:46:03 -0500
-
bind9 (1:9.9.5.dfsg-3) unstable; urgency=low
* Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823
-- LaMont Jones <email address hidden> Mon, 24 Mar 2014 06:55:55 -0600
-
bind9 (1:9.9.5.dfsg-2) unstable; urgency=low
* merge in ubuntu 1:9.9.3.dfsg.P2-4ubuntu3
* move dnssec-coverage to bind9utils. Closes: #739994
* dnssec-{checkds,verify} manpages in wrong package. Closes: #739995
-- LaMont Jones <email address hidden> Wed, 26 Feb 2014 09:30:31 -0700
-
bind9 (1:9.9.3.dfsg.P2-4ubuntu3) trusty; urgency=low
* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
queries
- debian/patches/CVE-2014-0591.patch: don't call memcpy with
overlapping ranges in bin/named/query.c.
- patch backported from 9.9.4-P2.
- CVE-2014-0591
-- Marc Deslauriers <email address hidden> Fri, 10 Jan 2014 09:36:55 -0500
-
bind9 (1:9.9.3.dfsg.P2-4ubuntu2) trusty; urgency=medium
* Use dh-autoreconf to update libtool and configure for new ports.
-- Adam Conrad <email address hidden> Wed, 18 Dec 2013 04:42:22 -0700
-
bind9 (1:9.9.3.dfsg.P2-4ubuntu1) saucy; urgency=low
* Use dh_autotools-dev to update config.{sub,guess} for new ports.
-- Adam Conrad <email address hidden> Mon, 07 Oct 2013 23:09:45 -0600