Format: 1.8
Date: Wed, 17 Apr 2024 23:48:51 +0200
Source: bind9
Architecture: source
Version: 1:9.19.23-1+ubuntu20.04.1+deb.sury.org+1
Distribution: focal
Urgency: high
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Closes: 903586 942377 947978 994696 1000354 1000565 1000893 1004271 1008021 1022968 1052416 1052417 1056984 1063448
Changes:
 bind9 (1:9.19.23-1+ubuntu20.04.1+deb.sury.org+1) focal; urgency=medium
 .
   * No-change backport to focal.
 .
 bind9 (1:9.19.23-1) unstable; urgency=medium
 .
   * New upstream version 9.19.23
 .
 bind9 (1:9.19.22-1) unstable; urgency=medium
 .
   * New upstream version 9.19.22
    - A regression caused by CVE-2023-6516 fix could lead into
      an out-of-memory condition when the server is under heavy
      load.
 .
 bind9 (1:9.19.21-1) unstable; urgency=high
 .
   [ Helmut Grohne ]
   * Drop unused Build-Depends: python3. (Closes: #1063448)
 .
   [ Ondřej Surý ]
   * New upstream version 9.19.21
    - CVE-2023-4408: Parsing large DNS messages may cause excessive CPU
      load
    - CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion
      failure when "nxdomain-redirect" is enabled
    - CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an
      assertion failure during recursive resolution
    - CVE-2023-6516: Specific recursive query patterns may lead to an
      out-of-memory condition
    - CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator
    - CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust
      CPU resources
 .
 bind9 (1:9.19.19-1) unstable; urgency=medium
 .
   [ Ondřej Surý ]
   * New upstream version 9.19.19
 .
   [ Bernhard Schmidt ]
   * Sync 9.18 to 9.19 (Closes: #1056984)
 .
 bind9 (1:9.19.18-1) unstable; urgency=medium
 .
   * New upstream version 9.19.18
 .
 bind9 (1:9.19.17-1) unstable; urgency=medium
 .
   * New upstream version 9.19.17
    - CVE-2023-3341: A stack exhaustion flaw in control channel code may
      cause named to terminate unexpectedly (Closes: #1052416)
    - CVE-2023-4236: named may terminate unexpectedly under high
      DNS-over-TLS query load (Closes: #1052417)
 .
 bind9 (1:9.19.16-1) experimental; urgency=medium
 .
   * New upstream version 9.19.16
 .
 bind9 (1:9.19.15-1) experimental; urgency=medium
 .
   * New upstream version 9.19.15
 .
 bind9 (1:9.19.14-1) experimental; urgency=medium
 .
   * New upstream version 9.19.14
 .
 bind9 (1:9.19.13-1) experimental; urgency=medium
 .
   * New upstream version 9.19.13
 .
 bind9 (1:9.19.12-2) experimental; urgency=medium
 .
   * Add liburcu-dev to Build-Depends
 .
 bind9 (1:9.19.12-1) experimental; urgency=medium
 .
   * New upstream version 9.19.12
 .
 bind9 (1:9.19.11-1) experimental; urgency=medium
 .
   * New upstream version 9.19.11
   * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
     after library squash
 .
 bind9 (1:9.19.10-1) experimental; urgency=medium
 .
   * New upstream version 9.19.10
   * Drop libtool-bin from B-D (Closes: #1022968)
 .
 bind9 (1:9.19.9-2) experimental; urgency=medium
 .
   * Allow the named to use systemd notify service
 .
 bind9 (1:9.19.9-1) experimental; urgency=medium
 .
   * New upstream version 9.19.9
 .
 bind9 (1:9.19.8-1) experimental; urgency=medium
 .
   * New upstream version 9.19.8
 .
 bind9 (1:9.19.7-1) experimental; urgency=medium
 .
   * New upstream version 9.19.7
 .
 bind9 (1:9.19.6-2) experimental; urgency=medium
 .
   * Use systemd notify for service readyness check (Closes: #994696)
 .
 bind9 (1:9.19.6-1) experimental; urgency=medium
 .
   * New upstream version 9.19.6
 .
 bind9 (1:9.19.5-1) experimental; urgency=medium
 .
   * New upstream version 9.19.5
    - CVE-2022-2795: Processing large delegations may severely degrade
      resolver performance
    - CVE-2022-2881: Buffer overread in statistics channel code
    - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key
      exchange via TKEY RRs (OpenSSL 3.0.0+ only)
    - CVE-2022-3080: BIND 9 resolvers configured to answer from stale
      cache with zero stale-answer-client-timeout may terminate unexpectedly
    - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
    - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
 .
 bind9 (1:9.19.4-1) unstable; urgency=medium
 .
   * Remove doc/misc/options.active from the docs
   * New upstream version 9.19.4
 .
 bind9 (1:9.19.3-1) unstable; urgency=medium
 .
   * New upstream version 9.19.3
 .
 bind9 (1:9.19.2-1) unstable; urgency=medium
 .
   * New upstream version 9.19.2
 .
 bind9 (1:9.19.1-1) unstable; urgency=medium
 .
   * Disable treat-warnings-as-errors in sphinx-build
   * New upstream version 9.19.1
 .
 bind9 (1:9.19.0-1) unstable; urgency=medium
 .
   * Update d/ for BIND 9.19 Development
   * New upstream version 9.19.0
 .
 bind9 (1:9.18.2-1) unstable; urgency=medium
 .
   * Drop libldap2-dev from Build-Depends (Closes: #1008021)
   * New upstream version 9.18.2
 .
 bind9 (1:9.18.1-1) unstable; urgency=high
 .
   * New upstream version 9.18.1
   * CVE-2021-25220: The rules for acceptance of records into the cache
     have been tightened to prevent the possibility of poisoning if
     forwarders send records outside the configured bailiwick.
   * CVE-2022-0396: TCP connections with 'keep-response-order' enabled
     could leave the TCP sockets in the 'CLOSE_WAIT' state when the client
     did not properly shut down the connection.
   * CVE-2022-0635: Lookups involving a DNAME could trigger an assertion
     failure when 'synth-from-dnssec' was enabled (which is the default)
   * CVE-2022-0667: When chasing DS records, a timed out or artificially
     delayed fetch could cause 'named' to crash while resuming a DS lookup.
 .
 bind9 (1:9.18.0-2) unstable; urgency=medium
 .
   * Add patch to use detected L1 cache-line size instead of hard-coded
     value, this should fix architectures with 128-byte L1 cache.
 .
 bind9 (1:9.18.0-1) unstable; urgency=medium
 .
   * Bump the upstream version in debian/ to 9.18
   * New upstream version 9.18.0
 .
 bind9 (1:9.18.0~0+git28350c-1) unstable; urgency=medium
 .
   * New upstream version 9.18.0~0+git28350c
    + Pull the 9.18.0 pre-release git to have the L1 cache line
      fix (Closes: #1004271)
   * Fix the typo when backing up and restoring configure{,.ac}
     (Closes: #903586)
   * Remove some prehistoring conffile no longer in use
     (Closes: #942377)
   * Pick UTC date for release_date variable (Closes: #1000893)
 .
 bind9 (1:9.17.22-1) unstable; urgency=medium
 .
   * New upstream version 9.17.22
 .
 bind9 (1:9.17.21-1) unstable; urgency=medium
 .
   * New upstream version 9.17.21
 .
 bind9 (1:9.17.20-3) unstable; urgency=medium
 .
   * Retain bind9-resolvconf.service alias (Closes: #1000565)
 .
 bind9 (1:9.17.20-2) unstable; urgency=medium
 .
   * Tighten the dependencies on bind9-libs for the utils too
     (Closes: #1000354)
 .
 bind9 (1:9.17.20-1) unstable; urgency=medium
 .
   * New upstream version 9.17.20
   * Remove the sphinx-patch, the role has been fixed upstream
 .
 bind9 (1:9.17.19-3) unstable; urgency=medium
 .
   * Remove the .so libraries from excluded files
 .
 bind9 (1:9.17.19-2) unstable; urgency=medium
 .
   * Add libjemalloc-dev to Build-Depends
   * Sync the packaging between BIND 9.16 and BIND 9.17 branches
   * Don't install static libraries to bind9-dev, they are not built
 .
 bind9 (1:9.17.19-1) unstable; urgency=medium
 .
   * New upstream version 9.17.19
 .
 bind9 (1:9.17.18-1) experimental; urgency=medium
 .
   * New upstream version 9.17.18
 .
 bind9 (1:9.17.17-2) experimental; urgency=medium
 .
   * Bump MAPAPI to 3.0
 .
 bind9 (1:9.17.17-1) experimental; urgency=medium
 .
   * New upstream version 9.17.17
 .
 bind9 (1:9.17.16-1) experimental; urgency=medium
 .
   * New upstream version 9.17.16
 .
 bind9 (1:9.17.15-1) experimental; urgency=medium
 .
   * New upstream version 9.17.15
 .
 bind9 (1:9.17.14-3) experimental; urgency=medium
 .
   * Add upstream patch to address 'Checking of key-directory and
     dnssec-policy was broken'
 .
 bind9 (1:9.17.14-2) experimental; urgency=medium
 .
   * Add upstream patch to fix: 'W' in wildcard expansions was being mapped
     to '\000'.
 .
 bind9 (1:9.17.14-1) experimental; urgency=medium
 .
   * New upstream version 9.17.14
 .
 bind9 (1:9.17.13-2) experimental; urgency=medium
 .
   * Revert upstream 'Add a Sphinx role for linking GitLab issues/MRs'
 .
 bind9 (1:9.17.13-1) experimental; urgency=medium
 .
   * New upstream version 9.17.13
 .
 bind9 (1:9.17.12-2) experimental; urgency=medium
 .
   * Add filter-a.so plugin into main package
 .
 bind9 (1:9.17.12-1) experimental; urgency=medium
 .
   * New upstream version 9.17.12
   * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
 .
 bind9 (1:9.17.11-1) experimental; urgency=medium
 .
   * New upstream version 9.17.11
   * Add upstream patches to fix TCP timeouts firing too early
 .
 bind9 (1:9.17.10-1) experimental; urgency=high
 .
   * New upstream version 9.17.10
    + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
   * Adjust the bind9-libs package for new upstream library names
   * Add libnghttp2-dev to Build-Depends
   * Update the way how we ignore development libraries, so the real ones
     gets installed
 .
 bind9 (1:9.17.9-1) experimental; urgency=medium
 .
   * Exclude test-async.so from dh_install
   * Update the ISC code-signing key
   * New upstream version 9.17.9
 .
 bind9 (1:9.17.8-1) experimental; urgency=medium
 .
   * New upstream version 9.17.8
 .
 bind9 (1:9.17.7-1) experimental; urgency=medium
 .
   * New upstream version 9.17.7
 .
 bind9 (1:9.17.6-1) experimental; urgency=medium
 .
   * New upstream version 9.17.6
 .
 bind9 (1:9.17.5-2) experimental; urgency=medium
 .
   [ Bernhard Schmidt ]
   * Move Build-Depends for documentation to Build-Depends-Indep
   * Set Restart=on-failure in systemd unit
 .
 bind9 (1:9.17.5-1) experimental; urgency=medium
 .
   * New upstream version 9.17.5
 .
 bind9 (1:9.17.4-1) experimental; urgency=medium
 .
   * Add libtool-bin to Build-Depends
   * Disable static linking
   * New upstream version 9.17.4
 .
 bind9 (1:9.17.3-1) experimental; urgency=medium
 .
   * New upstream version 9.17.2
   * Adjust d/*.install files after upstream moved binaries from sbin to bin
   * Remove rfc-compliance from docs, it's gone
   * New upstream version 9.17.3
   * Add fonts-freefont-otf, latexmk, texlive-fonts-extra,
     texlive-latex-recommended, texlive-xetex, and xindy to Build-Depends
   * Install man pages for tsig-gen and named-compilezone
 .
 bind9 (1:9.17.1+git20200519-1) experimental; urgency=medium
 .
   * New upstream version 9.17.1+git20200519
   * Update Debian packaging for autoconf/automake and sphinx-doc
 .
 bind9 (1:9.17.1-1) experimental; urgency=medium
 .
   * Update d/copyright (Closes: #947978)
   * New upstream version 9.17.1
 .
 bind9 (1:9.17.0-1) experimental; urgency=medium
 .
   [ Andreas Hasenack ]
   * Bring back the DEP8 test from sid
   * Use iproute2 instead of net-tools
   * d/control: drop hardcoded python3 dependency
 .
   [ Bernhard Schmidt ]
   * Fix apparmor profile name.
     Thanks to Andreas Hasenack
   * Enable readline support
 .
   [ Andreas Hasenack ]
   * Update apparmor profile with what is in sid
   * Create the missing transitional packages for dnsutils, bind9utils
   * There is a licensing conflict with adding libreadline and we should
     use libedit-dev instead.
 .
   [ Ondřej Surý ]
   * Switch to BIND 9.17 for the -dev packages
   * New upstream version 9.17.0
Checksums-Sha1:
 3e39203e235871997b5a242809218f00edf93d97 3480 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.dsc
 8891e63a3c46534134833c27f18f8d976b6809e7 5733136 bind9_9.19.23.orig.tar.xz
 44ac7c4a76dc1bce23b4e330e5c6d3be30809341 833 bind9_9.19.23.orig.tar.xz.asc
 f84faa37fe7ed65a701522efbd94e326f40690e5 59352 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.debian.tar.xz
 a02f0225ecaffda4bf31e0b90fc498e6ffb0bc60 10990 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1_source.buildinfo
Checksums-Sha256:
 892870f43e031f1154f53bdd9964eb4a7515067f7974e5e9cb0e202c07437a8c 3480 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.dsc
 f041a41e0a1a888704071bb3428cbbd9fbfe99a8b155220464f5e6e64682fa2c 5733136 bind9_9.19.23.orig.tar.xz
 cf314cc4279671338d8a989999a121377034b7cc6efcb2f142f5f8119ae30b1f 833 bind9_9.19.23.orig.tar.xz.asc
 2e993251e95072686878304e51c42471f877af8504670aed0f2d660917d4c4ca 59352 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.debian.tar.xz
 f3f4c9eb5e9ab48382ed6c4c6fe294ce97d337cf722c3099226eaeb8eb10366c 10990 bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1_source.buildinfo
Files:
 393d3b45425f3c7953cf2db938484122 3480 net optional bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.dsc
 6f805daa67bbf7beb22107f7ce0675bc 5733136 net optional bind9_9.19.23.orig.tar.xz
 620445cf0750f540dc608725021fddd9 833 net optional bind9_9.19.23.orig.tar.xz.asc
 fc0be944c614855b9b4a9ec4459f4e5c 59352 net optional bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1.debian.tar.xz
 7d85ef7e674944971e57dd8c88d8e316 10990 net optional bind9_9.19.23-1+ubuntu20.04.1+deb.sury.org+1_source.buildinfo