-
bind9 (1:9.11.3+dfsg-1ubuntu1.19) bionic; urgency=medium
* d/bind9.service: restart the bind9 service on failure.
(LP: #2006054)
-- Athos Ribeiro <email address hidden> Fri, 03 Mar 2023 12:42:18 -0300
-
bind9 (1:9.11.3+dfsg-1ubuntu1.18) bionic-security; urgency=medium
* SECURITY UPDATE: Processing large delegations may severely degrade
resolver performance
- debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
- CVE-2022-2795
* SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code
- debian/patches/CVE-2022-38177.patch: fix return handling in
lib/dns/opensslecdsa_link.c.
- CVE-2022-38177
* SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
- debian/patches/CVE-2022-38178.patch: fix return handling in
lib/dns/openssleddsa_link.c.
- CVE-2022-38178
-- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 08:11:06 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.17) bionic-security; urgency=medium
* SECURITY UPDATE: cache poisoning via bogus NS records
- debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
records into the cache in lib/dns/resolver.c.
- CVE-2021-25220
-- Marc Deslauriers <email address hidden> Tue, 15 Mar 2022 10:14:01 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.16) bionic-security; urgency=medium
* SECURITY UPDATE: resolver performance degradation via lame cache abuse
- debian/patches/CVE-2021-25219.patch: disable lame cache in
bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
- CVE-2021-25219
-- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 07:02:44 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.15) bionic-security; urgency=medium
* SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
- debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
- CVE-2021-25214
* SECURITY UPDATE: assert via answering certain queries for DNAME records
- debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
- CVE-2021-25215
* SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
- debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
- debian/libdns1100.symbols: removed internal SPNEGO symbols.
- CVE-2021-25216
-- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:16:20 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.14) bionic-security; urgency=medium
* SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
- CVE-2020-8625
-- Marc Deslauriers <email address hidden> Mon, 15 Feb 2021 08:08:25 -0500
-
bind9 (1:9.11.3+dfsg-1ubuntu1.13) bionic-security; urgency=medium
* SECURITY UPDATE: A truncated TSIG response can lead to an assertion
failure
- debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c.
- CVE-2020-8622
* SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely
triggerable assertion failure
- debian/patches/CVE-2020-8623.patch: add extra checks in
lib/dns/pkcs11dh_link.c, lib/dns/pkcs11dsa_link.c,
lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h,
lib/isc/pk11.c.
- CVE-2020-8623
* SECURITY UPDATE: update-policy rules of type subdomain were enforced
incorrectly
- debian/patches/CVE-2020-8624.patch: add extra check in
bin/named/zoneconf.c.
- CVE-2020-8624
-- Marc Deslauriers <email address hidden> Tue, 18 Aug 2020 08:08:32 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.12) bionic-security; urgency=medium
* SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
- debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
- CVE-2020-8616
* SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
- debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
- CVE-2020-8617
-- Marc Deslauriers <email address hidden> Fri, 15 May 2020 08:17:59 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.11) bionic-security; urgency=medium
* SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
connection
- debian/patches/CVE-2019-6477.patch: limit number of clients in
bin/named/client.c, bin/named/include/named/client.h.
- CVE-2019-6477
-- Marc Deslauriers <email address hidden> Mon, 18 Nov 2019 10:01:47 -0500
-
bind9 (1:9.11.3+dfsg-1ubuntu1.10) bionic; urgency=medium
* d/p/fix-socket-failures-during-name-resolution.patch: fix socket failures
due to uninitialized memory during name resolution (LP: #1804542)
-- Lucas Kanashiro <email address hidden> Mon, 30 Sep 2019 15:39:12 -0300
-
bind9 (1:9.11.3+dfsg-1ubuntu1.9) bionic; urgency=medium
* d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
close to a query timeout (LP: #1797926)
-- Christian Ehrhardt <email address hidden> Wed, 07 Aug 2019 16:43:40 +0200
-
bind9 (1:9.11.3+dfsg-1ubuntu1.8) bionic-security; urgency=medium
* SECURITY UPDATE: DoS via malformed packets
- debian/patches/CVE-2019-6471.patch: fix race condition in
lib/dns/dispatch.c.
- CVE-2019-6471
-- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 18:55:08 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.7) bionic-security; urgency=medium
* SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
- debian/patches/CVE-2018-5743.patch: add reference counting in
bin/named/client.c, bin/named/include/named/client.h,
bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
lib/isc/include/isc/quota.h, lib/isc/quota.c,
lib/isc/win32/libisc.def.in.
- debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
operations with isc_refcount reference counting in
bin/named/client.c, bin/named/include/named/interfacemgr.h,
bin/named/interfacemgr.c.
- debian/libisc169.symbols: added new symbols.
- CVE-2018-5743
-- Marc Deslauriers <email address hidden> Wed, 24 Apr 2019 06:04:51 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1.5) bionic-security; urgency=medium
* SECURITY UPDATE: memory leak via specially crafted packet
- debian/patches/CVE-2018-5744.patch: silently drop additional keytag
options in bin/named/client.c.
- CVE-2018-5744
* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- debian/patches/CVE-2018-5745.patch: properly handle situations when
the key tag cannot be computed in lib/dns/include/dst/dst.h,
lib/dns/zone.c.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
the zone table as a DLZ zone in bin/named/xfrout.c.
- CVE-2019-6465
-- Marc Deslauriers <email address hidden> Wed, 20 Feb 2019 09:10:34 +0100
-
bind9 (1:9.11.3+dfsg-1ubuntu1.4) bionic; urgency=medium
* Disable EDDSA to avoid picking up new symbols when rebuilding against
new OpenSSL. Cherrypick from Debian & Disco. LP: #1815474
-- Dimitri John Ledkov <email address hidden> Tue, 05 Feb 2019 14:31:40 +0000
-
bind9 (1:9.11.3+dfsg-1ubuntu1.3) bionic; urgency=medium
[ Karl Stenerud ]
* d/p/skip-rtld-deepbind-for-dyndb.diff: fix named-pkcs11 crashing on
startup. Thanks to Petr Menšík <email address hidden> (LP: #1769440)
-- Andreas Hasenack <email address hidden> Wed, 10 Oct 2018 14:33:34 -0300
-
bind9 (1:9.11.3+dfsg-1ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: denial of service crash when deny-answer-aliases
option is used
- debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
trigger a crash if deny-answer-aliases was set
- debian/patches/CVE-2018-5740-2.patch: add tests
- debian/patches/CVE-2018-5740-3.patch: calculate nlabels and set
*chainingp correctly, add test
- CVE-2018-5740
-- Steve Beattie <email address hidden> Thu, 09 Aug 2018 23:26:07 -0700
-
bind9 (1:9.11.3+dfsg-1ubuntu1.1) bionic-security; urgency=medium
* SECURITY UPDATE: improperly permits recursive query service
- debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
in bin/named/server.c.
- CVE-2018-5738
-- Marc Deslauriers <email address hidden> Mon, 11 Jun 2018 09:41:51 -0400
-
bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
* New upstream release. (LP: #1763572)
- fix a crash when configured with ipa-dns-install
* Merge from Debian unstable. Remaining changes:
- Build without lmdb support as that package is in Universe
bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
[ Bernhard Schmidt ]
* New upstream version 9.11.3+dfsg
(Closes: #867570, #888463)
- Refresh patches
- Drop stdatomic.h patches applied upstream
* Follow SONAME bump of libdns
* Follow SONAME bump of libisc
* Add missing symbols for libisccfg160
* Add python3-distutils Build-Dependency
* Drop Priority: standard for library packages
* Fix apparmor profile name (Closes: #893005)
Thanks to Andreas Hasenack
* Update bind9-host description (Closes: #729561)
* Add flags=(attach_disconnected) to AppArmor profile to prepare
to use more systemd hardening options, see #863841
* Add myself to Uploaders
[ Ondřej Surý ]
* Update Vcs-* links to salsa.d.o
-- Timo Aaltonen <email address hidden> Fri, 13 Apr 2018 07:40:47 +0300
-
bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
* debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
<email address hidden>. (LP: #1755439)
-- Andreas Hasenack <email address hidden> Fri, 16 Mar 2018 09:38:46 -0300
-
bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
* Fix apparmor profile filename (LP: #1754981)
-- Andreas Hasenack <email address hidden> Thu, 15 Mar 2018 10:06:57 -0300
-
bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
* No change rebuild against openssl1.1.
-- Dimitri John Ledkov <email address hidden> Tue, 06 Feb 2018 12:14:22 +0000
-
bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
* Build without lmdb support as that package is in Universe (LP: #1746296)
- d/control: remove Build-Depends on liblmdb-dev
- d/rules: configure --without-lmdb
- d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
lmdb.
-- Andreas Hasenack <email address hidden> Tue, 30 Jan 2018 15:21:23 -0200
-
bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
* Merge with Debian unstable (LP: #1744930).
* Drop:
- Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP #1536181).
[fixed in 1:9.10.6+dfsg-4]
- rules: Fix path to libsofthsm2.so. (LP #1685780)
[adopted in 1:9.10.6+dfsg-5]
- d/p/CVE-2016-8864-regression-test.patch: tests for the regression
introduced with the CVE-2016-8864.patch and fixed in
CVE-2016-8864-regression.patch.
[applied upstream]
- d/p/CVE-2016-8864-regression2-test.patch: tests for the second
regression (RT #44318) introduced with the CVE-2016-8864.patch
and fixed in CVE-2016-8864-regression2.patch.
[applied upstream]
- d/control, d/rules: add json support for the statistics channels.
(LP #1669193)
[adopted in 1:9.10.6+dfsg-5]
* d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
listing the python ply module as a dependency (Closes: #888463)
bind9 (1:9.11.2.P1-1) unstable; urgency=medium
* New upstream version 9.11.2-P1
* Refresh patches for new release
bind9 (1:9.11.2+dfsg-10) unstable; urgency=medium
* Disable lmdb usage in export version of libraries (Closes: #887407)
bind9 (1:9.11.2+dfsg-9) unstable; urgency=medium
* Fix various mistakes in bind9 conffiles (Closes: #887398)
bind9 (1:9.11.2+dfsg-8) unstable; urgency=medium
* Pull more stdatomic patch to fix builds on 32-bit architectures
* Remove extra native pkcs11 patch (it has been replaced by sed rules)
bind9 (1:9.11.2+dfsg-7) unstable; urgency=medium
* Pull upstream patch to use C11 stdatomic where available (Closes: #778720)
bind9 (1:9.11.2+dfsg-6) unstable; urgency=medium
* Add named-nzd2nzf to bind9 package
* Simplify installation rules
* Enable lmdb (to actually build named-nzd2nzf)
* Move delv from bind9 to dnsutils package (Closes: #887326)
bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium
* Remove duplicate invoke-rc.d start invocation (Closes: #883575)
* Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999)
* Use dh-apparmor for profile management
* apparmor-profile: allow changing thread name (Closes: #883228)
* Bump debhelper compat level to 10
* Bump Standards-Version to 4.1.2, no changes necessary
bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium
* Team upload.
* Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536)
bind9 (1:9.11.2+dfsg-3) unstable; urgency=medium
* Team upload.
* Only install files into bind9:any on arch-any builds (Closes: #883448)
* Adjust dependencies for udeb packages (Closes: #883449)
bind9 (1:9.11.2+dfsg-2) unstable; urgency=medium
* Team upload.
* Workaround for FTBFS on binary-any builds (Closes: #883159)
bind9 (1:9.11.2+dfsg-1) unstable; urgency=low
* d/watch: Bump the BIND version to 9.11.x
* Remove 'order random_1' patch, it was a horrible deviation from standards
* Modernize d/rules using debhelper
* New upstream version 9.11.2+dfsg
* Delete dyndb patch, as dyndb is now included in upstream sources
* Rebase patches for new upstream release.
* Add python3-ply to Build-Depends
* Restore the native pkcs11 patch
* Fix the Debian version parsing
* Remove lwresd as it has been deprecated by upstream anyway
* Add new tools: mdig to dnsutils and dnssec-keymgr to bind9utils
* Update the SONAMEs of BIND libraries
* Fix python3 packaging errors
* Bump the standards version to 4.1.1.1 (no change)
* Add support for dh_missing
bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium
[ Chris Lamb ]
* Make the build reproducible (Closes: #828012)
[ Micah Cowan ]
* Try not to be fragile to varying value of LIBS make var. (Closes: #833307)
[ Ondřej Surý ]
* Update the softhsm2.so non-MA path (Closes: #860722)
* Enable JSON output in the statistics channel (Closes: #860722)
* Merge NMUs' changelogs (Closes: #880077)
* Use /dev/urandom to avoid blocking in the server process. (Closes: #854243)
bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium
[ Michael Biebl ]
* Improve bind9-resolvconf.service (Closes: #826353)
[ Ondřej Surý ]
* Add insserv.conf.d configuration (Closes: #650538)
* Change bind9-resolvconf.server to Type=oneshot + RemainAfterExit=yes (Closes: #832040)
* Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522)
* Update Vcs-* fields to standard variants
* Rebuild with newer debhelper (Closes: #879542)
bind9 (1:9.10.6+dfsg-3) unstable; urgency=medium
* Make lwresd hard depend on bind9 package (Closes: #879127)
bind9 (1:9.10.6+dfsg-2) unstable; urgency=medium
[ Timo Aaltonen ]
* d/copyright: Add Bv9ARM.pdf to Files-Excluded.
[ Ondřej Surý ]
* Replace lwresd with symlink instead of hard copy (Closes: #868538)
* Fix the symbols file to compensate for missing bsdcompat symbol on kFreeBSD (Closes: #879017)
* Re-enable threading support on kFreeBSD (Closes: #879018)
* Drop Multi-Arch: same header from libbind-dev (Closes: #874232)
* Remove transitional host package (Closes: #645437, #878228)
bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
* New upstream version 9.10.6+dfsg
* Use OpenSSL 1.1.0 for crypto
* Add support for downloading upstream sources using d/watch
+ Make d/copyright machine readable for Files-Excluded: support
+ Update Files-Exclude: * to remove obsolete software dropped in
contrib/, but not really used
* Add initial README.source
* Limit the d/watch to 9.10.x (aka stable) for now
* Update patches for BIND 9.10.6 release
* Update PKCS11 patch
* Move under pkg-dns umbrella
* Reformat files in debian/ with wrap-and-sort -a for better maintainability
* Update the d/export.diff for BIND 9.10.6
* Remove FAQ from d/bind9.docs
* Bump SONAME versions for BIND libraries
* Add symbols files for libraries and enable strict symbol checks
* arpaname and named-rrchecker have been moved to /usr/bin
* Install required python library into bind9utils to accompany
dnssec-checkds and dnssec-coverage
* Change Vcs-* to pkg-dns/bind9
* Also exclude idnkit from upstream tarball
* Finish the debian/copyright update into machine readable format
* Enable Multi-Arch on libirs-export189
* Cleanup maintainer scripts
* Add lintian override for false positive on full-path command
* Remove unnecessary complexity when generating ${Description} to d/control
-- Andreas Hasenack <email address hidden> Fri, 26 Jan 2018 11:20:33 -0200
-
bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
* Merge with Debian unstable (LP: #1712920). Remaining changes:
- Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP #1536181).
- rules: Fix path to libsofthsm2.so. (LP #1685780)
- d/p/CVE-2016-8864-regression-test.patch: tests for the regression
introduced with the CVE-2016-8864.patch and fixed in
CVE-2016-8864-regression.patch.
- d/p/CVE-2016-8864-regression2-test.patch: tests for the second
regression (RT #44318) introduced with the CVE-2016-8864.patch
and fixed in CVE-2016-8864-regression2.patch.
- d/control, d/rules: add json support for the statistics channels.
(LP #1669193)
bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
* Non-maintainer upload.
* Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
-- Andreas Hasenack <email address hidden> Thu, 24 Aug 2017 18:28:00 -0300