Change logs for bind9 source package in Xenial

  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.12) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
        unsupported key algorithm when using managed-keys
        - debian/patches/CVE-2018-5745-pre.patch: enhance rfc 5011 logging in
          lib/dns/zone.c,
        - debian/patches/CVE-2018-5745.patch: properly handle situations when
          the key tag cannot be computed in lib/dns/include/dst/dst.h,
          lib/dns/zone.c.
        - CVE-2018-5745
      * SECURITY UPDATE: Controls for zone transfers may not be properly
        applied to Dynamically Loadable Zones (DLZs) if the zones are writable
        - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
          the zone table as a DLZ zone bin/named/xfrout.c.
        - CVE-2019-6465
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Feb 2019 10:07:28 +0100
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.11) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service crash when deny-answer-aliases
        option is used
        - debian/patches/CVE-2018-5740.patch: explicit DNAME query could
          trigger a crash if deny-answer-aliases was set
        - CVE-2018-5740
    
     -- Marc Deslauriers <email address hidden>  Wed, 19 Sep 2018 14:18:30 +0200
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.10) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure via improper cleanup
        - debian/patches/CVE-2017-3145.patch: fix cleanup handling in
          lib/dns/resolver.c.
        - CVE-2017-3145
    
     -- Marc Deslauriers <email address hidden>  Tue, 16 Jan 2018 07:27:16 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.9) xenial; urgency=medium
    
      * d/bind9.service: source the defaults file and start the daemon with the
        options set there (LP: #1565060).
    
     -- Andreas Hasenack <email address hidden>  Mon, 06 Nov 2017 17:26:27 -0200
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: regression in last security update
        - debian/patches/CVE-2017-3142-regression.patch: fix verification of
          TSIG signed TCP message sequences where not all the messages contain
          TSIG records in lib/dns/tsig.c, aded test to
          lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
      * debian/patches/update_keys.patch: Update the built in managed keys to
        include the upcoming root KSK in bind.keys, bind.keys.h.
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2017 07:50:24 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: TSIG authentication issues
        - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
          lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
        - CVE-2017-3142
        - CVE-2017-3143
    
     -- Marc Deslauriers <email address hidden>  Thu, 29 Jun 2017 07:51:25 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service due to an error handling
        synthesized records when using DNS64 with "break-dnssec yes;"
        - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
          called.
        - CVE-2017-3136
      * SECURITY UPDATE: Denial of Service due to resolver terminating when
        processing a response packet containing a CNAME or DNAME
        - debian/patches/CVE-2017-3137.patch: don't expect a specific
          ordering of answer components; add testcases.
        - CVE-2017-3137
      * SECURITY UPDATE: Denial of Service when receiving a null command on
        the control channel
        - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
          command token is given; add testcase.
        - CVE-2017-3138
    
     -- Steve Beattie <email address hidden>  Wed, 12 Apr 2017 00:57:50 -0700
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
        a NULL pointer
        - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
          combination in bin/named/query.c, lib/dns/message.c,
          lib/dns/rdataset.c.
        - CVE-2017-3135
      * SECURITY UPDATE: regression in CVE-2016-8864
        - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
          was still being cached when it should have been in lib/dns/resolver.c,
          added tests to bin/tests/system/dname/ans3/ans.pl,
          bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2017 10:29:00 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure via class mismatch
        - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
          records in lib/dns/resolver.c.
        - CVE-2016-9131
      * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
        - debian/patches/CVE-2016-9147.patch: fix logic when records are
          returned without the requested data in lib/dns/resolver.c.
        - CVE-2016-9147
      * SECURITY UPDATE: assertion failure via unusually-formed DS record
        - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
          lib/dns/message.c, lib/dns/resolver.c.
        - CVE-2016-9444
      * SECURITY UPDATE: regression in CVE-2016-8864
        - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
          responses in lib/dns/resolver.c, added tests to
          bin/tests/system/dname/ns2/example.db,
          bin/tests/system/dname/tests.sh.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 Jan 2017 08:50:20 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.3) xenial; urgency=medium
    
      * Add RemainAfterExit to bind9-resolvconf unit configuration file
        (LP: #1536181).
    
     -- Nishanth Aravamudan <email address hidden>  Tue, 15 Nov 2016 08:30:31 -0800
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via responses containing a DNAME
        answer
        - debian/patches/CVE-2016-8864.patch: remove assertion failure in
          lib/dns/resolver.c.
        - CVE-2016-8864
    
     -- Marc Deslauriers <email address hidden>  Mon, 31 Oct 2016 08:56:39 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via assertion failure
        - debian/patches/CVE-2016-2776.patch: properly handle lengths in
          lib/dns/message.c.
        - CVE-2016-2776
    
     -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2016 14:15:52 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1) xenial-proposed; urgency=medium
    
      * Fix bad patch from when we switched to quilt.  Closes: #820847  LP:
        #1552801, #1549788, #1553460
    
     -- LaMont Jones <email address hidden>  Tue, 26 Apr 2016 16:30:06 -0600
  • bind9 (1:9.10.3.dfsg.P4-8) unstable; urgency=medium
    
      [Timo Aaltonen]
    
      * Fix bind9-resolvconf.service installation.
      * Add support for native pkcs11.  LP: #1565392
    
      [Samuel Thibault]
    
      * Detect in6_pktinfo on hurd-i386.  Closes: #820404
    
     -- LaMont Jones <email address hidden>  Wed, 13 Apr 2016 13:19:37 -0600
  • bind9 (1:9.10.3.dfsg.P4-5) experimental; urgency=medium
    
      * Drop dead code in bind9.preinst.
      * move from /var/run to /run for policy.
    
     -- LaMont Jones <email address hidden>  Sat, 19 Mar 2016 19:52:04 -0600
  • bind9 (1:9.10.3.dfsg.P4-4) experimental; urgency=medium
    
      * use multiarch path in udebs
      * Updated root cache file.  Closes: #806954
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 20:50:49 -0600
  • bind9 (1:9.10.3.dfsg.P4-3) experimental; urgency=medium
    
      * Fix vcs links
      * build in debian/tmp, use bind9.install
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 14:46:30 -0600
  • bind9 (1:9.10.3.dfsg.P4-2) experimental; urgency=medium
    
      * updated precise_time patch
      * add RT#s to some patches
      * Merge ubuntu changes
      * Fix debian/rules to properly remove files from bind9 that are delivered
        elsewhere.  LP: #1559090
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 10:58:07 -0600
  • bind9 (1:9.10.3.dfsg.P4-1ubuntu2) xenial; urgency=medium
    
      * Bump debhelper to v9 to use dh-exec.
      * libbind-export-dev: Fix the libbind.so symlink.
      * Move static libs to the multiarch libdir again.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Mar 2016 13:30:03 +0100
  • bind9 (1:9.10.3.dfsg.P4-1ubuntu1) xenial; urgency=medium
    
      * Fix udeb dependencies.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Mar 2016 12:47:02 +0100
  • bind9 (1:9.10.3.dfsg.P4-1) experimental; urgency=medium
    
      [ ISC ]
      * New upstream: 9.10.3-P3
        - Specific APL data could trigger a INSIST.  (CVE-2015-8704) [RT #41396]
        - render_ecs errors were mishandled when printing out a OPT record
          resulting in a assertion failure.  (CVE-2015-8705) [RT #41397]
        - Fixed a regression in resolver.c:possibly_mark() which caused
          known-bogus servers to be queried anyway. [RT #41321]
      * New upstream: 9.10.3-P4
        - Malformed control messages can trigger assertions in named and rndc.
          (CVE-2016-1285) [RT #41666]
        - Fix resolver assertion failure due to improper DNAME handling when
          parsing fetch reply messages. (CVE-2016-1286) [RT #41753]
        - Duplicate EDNS COOKIE options in a response could trigger an
          assertion failure. (CVE-2016-2088) [RT #41809]
    
      [LaMont Jones]
    
      * Do not build -export libs for libbind90 and liblwres.  Relates in part
        to, and is the last fix to LP: #1551351
      * update patches for 9.10.3.dfsg.P4.  Drop 50_CVE_2015-8704.diff
    
      [ Stefan Bader ]
    
      * Do not modify signal handlers for external apps. LP: #1556175
    
     -- LaMont Jones <email address hidden>  Thu, 17 Mar 2016 14:53:36 -0600
  • bind9 (1:9.10.3.dfsg.P2-5) experimental; urgency=medium
    
      [Timo Aaltonen]
    
      * Sync 30_dynamic_db.diff from Fedora.
      * rules: Backup some files which dh_autoreconf_clean would remove, restore
        on clean.
    
      [Jamie Strandboge]
    
      * apparmor: use @{PROC} instead of /proc, allow read on
        sys.net.ipv4.ip_local_port_range.  LP: #1552441
    
      [LaMont Jones]
    
      * Return nanosecond-precise time for files, so that we more-correctly know
        when we can skip loading a zonefile.  (Bug introduced 9.9.3b2)
    
     -- LaMont Jones <email address hidden>  Thu, 03 Mar 2016 18:17:06 -0700
  • bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium
    
      [Matthias Klose]
    
      * Fix .so symlinks.
      * libbind-dev: Depend on libirs141.
      * For the udeb's, use a separate build with a reduced feature set, drop the
        name difference, and do both builds in a separate directory.
    
      [Filip Pytloun]
    
      * Add apparmor rules needed by freeipa-server.  Closes: #814314
    
      [LaMont Jones]
    
      * Do not deliver libraries (left in /lib) as part of bind9.  LP: #1547052
      * clean up library path for libirs.
    
     -- LaMont Jones <email address hidden>  Fri, 19 Feb 2016 14:26:08 -0700
  • bind9 (1:9.10.3.dfsg.P2-3ubuntu3) xenial; urgency=medium
    
      * For the udeb's, use a separate build with a reduced feature set.
      * Don't call the reduced build "export"; it was used by isc-dhcp as well.
      * Do both builds in a separate builddir.
    
     -- Matthias Klose <email address hidden>  Fri, 19 Feb 2016 15:01:16 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~ubuntu2) xenial; urgency=medium
    
      * libbind-dev: Depend on libirs141.
      * Ship libirs.{a,so} in libbind-dev.
      * Remove obsolete debian/*.dirs files.
    
     -- Matthias Klose <email address hidden>  Fri, 19 Feb 2016 15:01:16 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~ubuntu1) xenial; urgency=medium
    
      * Fix .so symlinks.
    
     -- Matthias Klose <email address hidden>  Thu, 18 Feb 2016 13:55:19 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~build3) xenial; urgency=medium
    
      * xenial copy of Debian upload
    
     -- LaMont Jones <email address hidden>  Wed, 17 Feb 2016 19:06:13 +0000
  • bind9 (1:9.9.5.dfsg-12.1ubuntu1) xenial; urgency=medium
    
      * SECURITY UPDATE: denial of service via string formatting operations
        - lib/dns/rdata/in_1/apl_42.c: use correct length.
        - CVE-2015-8704
    
     -- Marc Deslauriers <email address hidden>  Thu, 28 Jan 2016 08:27:29 -0500
  • bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * Add patch to fix CVE-2015-8000.
        CVE-2015-8000: Insufficient testing when parsing a message allowed
        records with an incorrect class to be accepted, triggering a REQUIRE
        failure when those records were subsequently cached. (Closes: #808081)
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 16 Dec 2015 15:01:39 +0100
  • bind9 (1:9.9.5.dfsg-12) unstable; urgency=high
    
      * Fix CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash.
    
     -- Michael Gilbert <email address hidden>  Thu, 03 Sep 2015 01:16:32 +0000
  • bind9 (1:9.9.5.dfsg-11ubuntu1) wily; urgency=medium
    
      * SECURITY UPDATE: denial of service in DNSSEC-signed record validation
        via malformed keys
        - fix validation inlib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
          lib/dns/ncache.c, lib/dns/openssldh_link.c,
          lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
          lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
        - CVE-2015-5722
    
     -- Marc Deslauriers <email address hidden>  Tue, 01 Sep 2015 13:54:11 -0400