diff -pruN 1:9.20.0-2/debian/NEWS 1:9.20.0-2ubuntu3/debian/NEWS
--- 1:9.20.0-2/debian/NEWS 1970-01-01 00:00:00.000000000 +0000
+++ 1:9.20.0-2ubuntu3/debian/NEWS 2024-08-20 19:34:03.000000000 +0000
@@ -0,0 +1,56 @@
+bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium
+
+ Support for DNS over TLS (DoT) and DNS over HTTPS (DoH) were included in
+ bind 9.17. This package is built with support for both.
+
+ The /etc/bind/db.root configuration file has not been shipped in the
+ specified path by recent bind versions, but was available in bionic. Unless
+ there are local changes to this file, it will be removed upon package
+ upgrade (if present).
+
+ The binary files which are neither daemons nor administrative programs have
+ been moved from /usr/sbin to /usr/bin. They are:
+ dnssec-cds, dnssec-dsfromkey, dnssec-keyfromlabel, dnssec-keygen,
+ dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify,
+ named-checkconf, named-checkzone, named-compilezone, dnssec-importkey,
+ named-journalprint, named-nzd2nzf, and nsec3hash.
+
+ Support for the map zone file format has been removed since bind 9.17. Users
+ relying on such zone file format should convert their zones to use the raw
+ format and change configurations accordingly before upgrading bind.
+
+ Several obsolete, non-working configuration options have been removed and
+ are now treated as configuration failures when present. They are:
+ acache-cleaning-interval, acache-enable, additional-from-auth,
+ additional-from-cache, allow-v6-synthesis, cleaning-interval, dnssec-enable,
+ dnssec-lookaside, filter-aaaa, filter-aaaa-on-v4, filter-aaaa-on-v6,
+ geoip-use-ecs, lwres, max-acache-size, nosit-udp-size, queryport-pool-ports,
+ queryport-pool-updateinterval, request-sit, sit-secret, support-ixfr,
+ use-queryport-pool, and use-ixfr.
+
+ -- Athos Ribeiro Mon, 07 Feb 2022 10:14:33 -0300
+
+bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
+
+ Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new
+ source package bind9-libs version 9.11 was created for that purpose,
+ providing only libraries and header files. The bind9 9.16.x packages do not
+ provide development libraries or headers. See commit
+ https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more
+ details. udebs used in the debian-installer are also being provided by
+ bind9-libs.
+
+ Another package which doesn't build with the newer bind9 package is
+ bind-dyndb-ldap. It will build using the libraries from bind9-libs, but
+ since this is a server plugin, it won't work with the newer server.
+
+ Native pkcs#11 support via softhsm2 is no longer being built for this
+ package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see
+ https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer
+ ships FreeIPA, and Debian also dropped the native pkcs#11 support.
+
+ There are no development libraries or header files in this bind9 9.16.x
+ packaging at the moment. This may change later, see
+ https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229
+
+ -- Andreas Hasenack Sat, 22 Feb 2020 17:40:38 -0300
diff -pruN 1:9.20.0-2/debian/bind9-dnsutils.install 1:9.20.0-2ubuntu3/debian/bind9-dnsutils.install
--- 1:9.20.0-2/debian/bind9-dnsutils.install 2024-07-27 03:02:39.000000000 +0000
+++ 1:9.20.0-2ubuntu3/debian/bind9-dnsutils.install 2024-08-20 19:34:03.000000000 +0000
@@ -1,12 +1,10 @@
 usr/bin/delv
 usr/bin/dig
-usr/bin/dnstap-read
 usr/bin/mdig
 usr/bin/nslookup
 usr/bin/nsupdate
 usr/share/man/man1/delv.1
 usr/share/man/man1/dig.1
-usr/share/man/man1/dnstap-read.1
 usr/share/man/man1/mdig.1
 usr/share/man/man1/nslookup.1
 usr/share/man/man1/nsupdate.1
diff -pruN 1:9.20.0-2/debian/bind9.apport 1:9.20.0-2ubuntu3/debian/bind9.apport
--- 1:9.20.0-2/debian/bind9.apport 1970-01-01 00:00:00.000000000 +0000
+++ 1:9.20.0-2ubuntu3/debian/bind9.apport 2024-08-20 19:34:03.000000000 +0000
@@ -0,0 +1,24 @@
+'''apport hook for bind9
+
+(c) 2010 Andres Rodriguez.
+Author: Andres Rodriguez
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2 of the License, or (at your
+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
+the full text of the license.
+'''
+
+from apport.hookutils import *
+import re
+
+def add_info(report, ui):
+
+ # getting syslog stuff
+ report['SyslogBind9'] = recent_syslog(re.compile(r'named\['))
+
+ # Attaching related packages info
+ attach_related_packages(report, ['bind9utils', 'apparmor'])
+
+ attach_mac_events(report, '/usr/sbin/named')
diff -pruN 1:9.20.0-2/debian/changelog 1:9.20.0-2ubuntu3/debian/changelog
--- 1:9.20.0-2/debian/changelog 2024-07-27 03:02:39.000000000 +0000
+++ 1:9.20.0-2ubuntu3/debian/changelog 2024-08-28 14:52:29.000000000 +0000
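Review bot: `report['SyslogBind9'] = recent_syslog(re.compile(r'named\['))` copies every recent syslog line tagged by named into the report with no filtering, and when query logging is enabled those lines carry client addresses and queried names, so a crash report can contain considerably more than the crash context; the changelog says attach_conffiles() was left out because apport already asks the user about those files, but this syslog capture gets no equivalent prompt. A comment above that line such as `# NOTE: includes querylog lines (client IPs, QNAMEs) when query logging is on; reporter should review before sending` would at least record the trade-off. `from apport.hookutils import *` hides which of recent_syslog, attach_related_packages and attach_mac_events are apport names; `from apport.hookutils import recent_syslog, attach_related_packages, attach_mac_events` would make that explicit. `'bind9utils'` in the attach_related_packages() call looks like the pre-9.16 package name (the changelog elsewhere moves the test dependency onto the real bind9-dnsutils package rather than the transitional one), so it is worth confirming it still resolves to the package that ships the administrative tools in 9.20.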
@@ -1,3 +1,58 @@ +bind9 (1:9.20.0-2ubuntu3) oracular; urgency=medium + + * d/t/control: Disable dyndb-ldap test as bind-dyndb-ldap has been removed + from Ubuntu for now (LP: #2078003). + + -- Lena Voytek Wed, 28 Aug 2024 07:52:29 -0700 + +bind9 (1:9.20.0-2ubuntu2) oracular; urgency=medium + + * d/p/stop-using-malloc_usable_size.patch: Fix buffer overflows by removing + memory size check implementations based on malloc_usable_size and + malloc_size (LP: #2077327). + + -- Lena Voytek Mon, 26 Aug 2024 11:23:58 -0700 + +bind9 (1:9.20.0-2ubuntu1) oracular; urgency=medium + + * Merge with Debian unstable to update to new 9.20 LTS + Upstream release info: https://www.isc.org/blogs/2024-bind920/ + * Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. 
+ - d/NEWS: mention relevant packaging changes + - Improve dep-8 test suite (LP #2003584): + + d/t/zonetest: Add dep8 test for checking the domain zone creation process + + d/t/control: Add new test outline + - d/po/de.po: Fix German UTF-8 encoding + - d/copyright: Fix lintian warnings + + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were + deleted in 9.18.2 + + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer + bundled as of 9.17.19 + + Update the location of random_test.c and add info about its public + domain section + + Add wildcards to folders as needed + + Note that m4/ uses the FSFAP license + - d/control: Remove lsb-base dependency as it is no longer needed + + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851 + - d/t/control, d/t/dyndb-ldap: add DEP8 test (LP #2032650) + - bind9-libs: Hard-code libuv1t64 instead of libuv1. + * Dropped Changes: + - d/p/always-use-standard-library-stdatomic.patch: Fixed upstream + + -- Lena Voytek Mon, 12 Aug 2024 11:47:50 -0700 + bind9 (1:9.20.0-2) unstable; urgency=medium * Fix the assertion failure in samba-libs DLZ module. (Closes: #1074378) 
@@ -232,6 +287,359 @@ bind9 (1:9.19.0-1) unstable; urgency=med -- Ondřej Surý Thu, 21 Apr 2022 09:51:08 +0200 +bind9 (1:9.18.28-0ubuntu1) oracular; urgency=medium + + * Updated to 9.18.28 to fix multiple security issues. + - CVE-2024-0760: A flood of DNS messages over TCP may make the server + unstable + - CVE-2024-1737: BIND's database will be slow if a very large number of + RRs exist at the same name + - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources + - CVE-2024-4076: Assertion failure when serving both stale cache data + and authoritative zone content + + -- Marc Deslauriers Tue, 16 Jul 2024 14:16:20 -0400 + +bind9 (1:9.18.24-0ubuntu5) noble; urgency=high + + * No change rebuild against libssl3t64, libuv1t64. + + -- Julian Andres Klode Mon, 08 Apr 2024 16:37:41 +0200 + +bind9 (1:9.18.24-0ubuntu4) noble; urgency=medium + + * No-change rebuild for CVE-2024-3094 + + -- Steve Langasek Sun, 31 Mar 2024 00:04:23 +0000 + +bind9 (1:9.18.24-0ubuntu3) noble; urgency=medium + + * bind9-libs: Hard-code libuv1t64 instead of libuv1. + + -- Matthias Klose Wed, 06 Mar 2024 12:35:21 +0100 + +bind9 (1:9.18.24-0ubuntu2) noble; urgency=medium + + * No-change rebuild against libssl3t64 + + -- Steve Langasek Mon, 04 Mar 2024 17:27:42 +0000 + +bind9 (1:9.18.24-0ubuntu1) noble; urgency=medium + + * Updated to 9.18.21 to fix security issues. + - Security Fixes: + + Validating DNS messages containing a lot of DNSSEC signatures could + cause excessive CPU load, leading to a denial-of-service condition. + This has been fixed. (CVE-2023-50387) + + Preparing an NSEC3 closest encloser proof could cause excessive CPU + load, leading to a denial-of-service condition. This has been + fixed. (CVE-2023-50868) + + Parsing DNS messages with many different names could cause + excessive CPU load. This has been fixed. (CVE-2023-4408) + + Specific queries could cause named to crash with an assertion + failure when nxdomain-redirect was enabled. This has been fixed. 
+ (CVE-2023-5517) + + A bad interaction between DNS64 and serve-stale could cause named + to crash with an assertion failure, when both of these features + were enabled. This has been fixed. (CVE-2023-5679) + + Under certain circumstances, the DNS-over-TLS client code + incorrectly attempted to process more than one DNS message at a + time, which could cause named to crash with an assertion failure. + This has been fixed. + - Bug Fixes: + + The counters exported via the statistics channel were changed back + to 64-bit signed values; they were being inadvertently truncated to + unsigned 32-bit values since BIND 9.15.0. + - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for + additional information + + -- Marc Deslauriers Wed, 14 Feb 2024 14:31:05 -0500 + +bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium + + * New upstream release 9.18.21 (LP: #2040359) + - Updates: + + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and + 2801:1b8:10::b. + + Honor nsupdate -v option when server command specified by sending both + the UPDATE request and the initial query over TCP. + + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead. + + Mark resolver-nonbackoff-tries and resolver-retry-interval as + deprecated. + + Mark dnssec-must-be-secure as deprecated. + - Bug Fixes: + + Do not schedule unsigned versions of inline-signed zones containing + DNSSEC records for resigning. + + Take local authoritative data into account when looking up stale cache + data. + + Fix use of named -X and lock-file at the same time. + + Fix improper lock-file removal. + + Fix bound checking in Content-Length header in the statistics channel. + + Fix memory leaks from not clearing the OpenSSL error stack. + + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and + ms-subdomain-self-rhs update policies. + + Fix stale-refresh-time feature being disabled by cache flush. + + Fix DNS message corruption from partial writes. 
+ - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional + information + * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by + upstream in version 9.18.19 + * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the + standard library stdatomic.h + + -- Lena Voytek Thu, 25 Jan 2024 08:37:15 -0700 + +bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium + + * SECURITY UPDATE: DoS via recusive packet parsing + - debian/patches/CVE-2023-3341.patch: add a max depth check to + lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c. + - CVE-2023-3341 + * SECURITY UPDATE: Dos via DNS-over-TLS queries + - debian/patches/CVE-2023-4236.patch: check return code in + lib/isc/netmgr/tlsdns.c. + - CVE-2023-4236 + + -- Marc Deslauriers Wed, 20 Sep 2023 12:45:21 -0400 + +bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium + + * New upstream release 9.18.18 (LP: #2034367) + - Updates: + + Mark a primary server as temporarily unreachable when a TCP connection + response to an SOA query times out, matching behavior of a refused TCP + connection. + + Mark dialup and heartbeat-interval options as deprecated. + + Retry DNS queries without an EDNS COOKIE when the first response is + FORMERR with the EDNS COOKIE that was sent originally. + + Use NS records for the relaxed QNAME minimization mode to reduce the + number of queries from named. + - Bug Fixes: + + Fix assertion failure from processing already-queued queries while + server is being reconfigured or cache is being flushed. + + Fix failure to load zones containing resource records with a TTL value + larger than 86400 seconds when dnssec-policy is set to insecure. + + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + + Fix stability issues with the catalog zone implementation. + - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional + information. 
+ + -- Lena Voytek Tue, 05 Sep 2023 13:20:06 -0700 + +bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium + + * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250) + + -- Andreas Hasenack Tue, 05 Sep 2023 10:20:27 -0300 + +bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium + + * d/t/control: exclude the i386 architecture for the dyndb-ldap test, + since bind9-dyndb-ldap is not available there on Ubuntu + * d/t/dyndb-ldap: fix for the ldap bind9 dn entry + + -- Andreas Hasenack Wed, 30 Aug 2023 10:14:04 -0300 + +bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium + + * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) + + -- Andreas Hasenack Tue, 22 Aug 2023 09:24:02 -0300 + +bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium + + * Merge with Debian unstable (LP: #2018050). Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. 
+ - d/NEWS: mention relevant packaging changes + - Improve dep-8 test suite (LP #2003584): + + d/t/zonetest: Add dep8 test for checking the domain zone creation + process + + d/t/control: Add new test outline + * Added Changes: + - d/po/de.po: Fix German UTF-8 encoding + - d/copyright: Fix lintian warnings + + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were + deleted in 9.18.2 + + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer + bundled as of 9.17.19 + + Update the location of random_test.c and add info about its public + domain section + + Add wildcards to folders as needed + + Note that m4/ uses the FSFAP license + - d/control: Remove lsb-base dependency as it is no longer needed + + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851 + + -- Lena Voytek Mon, 26 Jun 2023 14:25:50 -0700 + +bind9 (1:9.18.12-1ubuntu1) lunar; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + - d/NEWS: mention relevant packaging changes + - Improve dep-8 test suite (LP #2003584): + + d/t/zonetest: Add dep8 test for checking the domain zone creation process + + d/t/control: Add new test outline + + -- Lena Voytek Wed, 22 Feb 2023 10:10:14 -0700 + +bind9 (1:9.18.11-2ubuntu1) lunar; urgency=medium + + * Merge with Debian unstable (LP: #2004172). 
Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + - d/NEWS: mention relevant packaging changes + - Improve dep-8 test suite (LP #2003584): + + d/t/zonetest: Add dep8 test for checking the domain zone creation process + + d/t/control: Add new test outline + * Dropped Changes: + - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in + apparmor for named + [Fixed in Debian 1:9.18.11-2] + + -- Lena Voytek Mon, 30 Jan 2023 08:37:28 -0700 + +bind9 (1:9.18.10-2ubuntu2) lunar; urgency=medium + + * Improve dep-8 test suite (LP: #2003584): + - d/t/zonetest: Add dep8 test for checking the domain zone creation process + - d/t/control: Add new test outline + + -- Lena Voytek Fri, 27 Jan 2023 09:16:29 -0700 + +bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium + + * Merge with Debian unstable (LP: #1993375). Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. 
+ + d/control, d/rules: build-depends on dh-apport and use it + - d/NEWS: mention relevant packaging changes + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + * Added Changes: + - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in + apparmor for named + * Dropped Changes: + - fixed upstream: + + debian/patches/CVE-2022-2795.patch + + debian/patches/CVE-2022-2881.patch + + debian/patches/CVE-2022-2906.patch + + debian/patches/CVE-2022-3080.patch + + debian/patches/CVE-2022-38178.patch + - d/bind9.named.service: use systemd Type=forking to signal daemon init. + + Changed to Type=notify with sd_notify patch in debian + + -- Lena Voytek Tue, 10 Jan 2023 15:24:45 -0700 + +bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium + + * SECURITY UPDATE: Processing large delegations may severely degrade + resolver performance + - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. + - CVE-2022-2795 + * SECURITY UPDATE: Buffer overread in statistics channel code + - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c. + - CVE-2022-2881 + * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key + exchange via TKEY RRs + - debian/patches/CVE-2022-2906.patch: adjust return code handling in + lib/dns/openssldh_link.c. + - CVE-2022-2906 + * SECURITY UPDATE: resolvers configured to answer from cache with zero + stale-answer-timeout may terminate unexpectedly + - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in + lib/ns/include/ns/query.h, lib/ns/query.c. + - CVE-2022-3080 + * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code + - debian/patches/CVE-2022-38178.patch: fix return handling in + lib/dns/openssleddsa_link.c. 
+ - CVE-2022-38178 + + -- Marc Deslauriers Wed, 21 Sep 2022 09:18:42 -0400 + +bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium + + * Merge with Debian unstable (LP: #1971250) + Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/bind9.named.service: use systemd Type=forking to signal daemon init. + This fixes a regression of #900788 where services whose startup depend + on name resolutions may fail due to bind9 not being ready (LP #1899902). + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + - d/NEWS: mention some of the relevant changes in 9.18.0 packaging + or functionality that may affect usability. + * Dropped changes: + - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch, + d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch, + d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch, + d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch, + d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch, + d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch, + d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch: + Fix dig error when trying the next server after a TCP connection + failure. 
This upstream patchset also fixes a crash when using + the "host" command for numeric lookups (LP #1964400) and an + infinite hang when passing a non-existent hostname to "host" (LP + #1964686). + [ Incorporated by upstream. ] + - SECURITY UPDATE: Destroying a TLS session early causes assertion + failure + + debian/patches/CVE-2022-1183.patch: fix destroying logic in + lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. + [ Incorporated by upstream. ] + + -- Sergio Durigan Junior Wed, 20 Jul 2022 05:28:13 -0400 + bind9 (1:9.18.2-1) unstable; urgency=medium * Drop libldap2-dev from Build-Depends (Closes: #1008021) 
@@ -239,6 +647,76 @@ bind9 (1:9.18.2-1) unstable; urgency=med -- Ondřej Surý Thu, 21 Apr 2022 09:40:25 +0200 +bind9 (1:9.18.1-1ubuntu2) kinetic; urgency=medium + + * SECURITY UPDATE: Destroying a TLS session early causes assertion + failure + - debian/patches/CVE-2022-1183.patch: fix destroying logic in + lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. + - CVE-2022-1183 + + -- Marc Deslauriers Tue, 17 May 2022 07:38:24 -0400 + +bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium + + * Merge with Debian unstable (LP: #1965981). Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/bind9.named.service: use systemd Type=forking to signal daemon init. + This fixes a regression of #900788 where services whose startup depend + on name resolutions may fail due to bind9 not being ready (LP #1899902). + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + - d/NEWS: mention some of the relevant changes in 9.18.0 packaging + or functionality that may affect usability. + * Dropped changes: + - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover + debugging flag from nslookup code (LP: #1961556). + [ Incorporated in 9.18.1. ] + - SECURITY UPDATE: cache poisoning via bogus NS records + + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of + records into the cache in lib/dns/resolver.c. 
+ + CVE-2021-25220 + [ Incorporated in 9.18.1. ] + - SECURITY UPDATE: DoS via specially crafted TCP stream + + debian/patches/CVE-2022-0396.patch: ensure correct ordering in + lib/isc/netmgr/netmgr.c. + + CVE-2022-0396 + [ Incorporated in 9.18.1. ] + - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled + + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c. + + CVE-2022-0635 + [ Incorporated in 9.18.1. ] + - SECURITY UPDATE: Assertion failure on delayed DS lookup + + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c. + + CVE-2022-0667 + [ Incorporated in 9.18.1. ] + * Added changes: + - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch, + d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch, + d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch, + d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch, + d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch, + d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch, + d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch: + Fix dig error when trying the next server after a TCP connection + failure. This upstream patchset also fixes a crash when using + the "host" command for numeric lookups (LP: #1964400) and an + infinite hang when passing a non-existent hostname to "host" (LP: + #1964686). + + -- Sergio Durigan Junior Wed, 23 Mar 2022 13:48:30 -0400 + bind9 (1:9.18.1-1) unstable; urgency=high * New upstream version 9.18.1 
@@ -255,6 +733,64 @@ bind9 (1:9.18.1-1) unstable; urgency=hig -- Ondřej Surý Mon, 14 Mar 2022 15:29:31 +0100 +bind9 (1:9.18.0-2ubuntu3) jammy; urgency=medium + + * SECURITY UPDATE: cache poisoning via bogus NS records + - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of + records into the cache in lib/dns/resolver.c. + - CVE-2021-25220 + * SECURITY UPDATE: DoS via specially crafted TCP stream + - debian/patches/CVE-2022-0396.patch: ensure correct ordering in + lib/isc/netmgr/netmgr.c. + - CVE-2022-0396 + * SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled + - debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c. + - CVE-2022-0635 + * SECURITY UPDATE: Assertion failure on delayed DS lookup + - debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c. + - CVE-2022-0667 + + -- Marc Deslauriers Thu, 17 Mar 2022 09:33:36 -0400 + +bind9 (1:9.18.0-2ubuntu2) jammy; urgency=medium + + * d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover + debugging flag from nslookup code (LP: #1961556). + + -- Athos Ribeiro Tue, 22 Feb 2022 17:04:03 -0300 + +bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium + + * Merge with Debian unstable (LP: #1946833). Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: build-depends on dh-apport and use it + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/bind9.named.service: use systemd Type=forking to signal daemon init. 
+ This fixes a regression of #900788 where services whose startup depend + on name resolutions may fail due to bind9 not being ready (LP #1899902). + * Dropped Changes: + - SECURITY UPDATE: resolver performance degradation via lame cache abuse + + debian/patches/CVE-2021-25219.patch: disable lame cache in + bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. + + CVE-2021-25219 + [ Fixed in 9.17.19 ] + * New Changes: + - d/control: remove optional libjemalloc-dev Build-Depends as it is not in + main. + - d/NEWS: mention some of the relevant changes in 9.18.0 packaging + or functionality that may affect usability. + + -- Athos Ribeiro Mon, 14 Feb 2022 17:40:31 -0300 + bind9 (1:9.18.0-2) unstable; urgency=medium * Add patch to use detected L1 cache-line size instead of hard-coded 
@@ -595,6 +1131,67 @@ bind9 (1:9.16.16-1) unstable; urgency=me -- Ondřej Surý Thu, 20 May 2021 10:00:00 +0200 +bind9 (1:9.16.15-1ubuntu3) jammy; urgency=medium + + * No-change rebuild against openssl3 + + -- Simon Chopin Wed, 01 Dec 2021 16:06:43 +0000 + +bind9 (1:9.16.15-1ubuntu2) jammy; urgency=medium + + * SECURITY UPDATE: resolver performance degradation via lame cache abuse + - debian/patches/CVE-2021-25219.patch: disable lame cache in + bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. + - CVE-2021-25219 + + -- Marc Deslauriers Mon, 01 Nov 2021 18:56:43 -0400 + +bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/bind9.named.service: use systemd Type=forking to signal daemon init. + This fixes a regression of #900788 where services whose startup depend + on name resolutions may fail due to bind9 not being ready (LP #1899902). + * Drop changes: + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + [Fixed in 1:9.16.11-3] + - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation + + debian/patches/CVE-2020-8625.patch: properly calculate length in + lib/dns/spnego.c. 
+ + CVE-2020-8625 + [Fixed in 1:9.16.12-1] + - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) + + debian/patches/CVE-2021-25214.patch: immediately reject the entire + transfer for certain RR in lib/dns/xfrin.c. + + CVE-2021-25214 + [Fixed in 1:9.16.15-1] + - SECURITY UPDATE: assert via answering certain queries for DNAME records + + debian/patches/CVE-2021-25215.patch: fix assert checks in + lib/ns/query.c. + + CVE-2021-25215 + [Fixed in 1:9.16.15-1] + - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation + + debian/rules: build with --disable-isc-spnego to disable internal + SPNEGO and use the one from the kerberos libraries. + + CVE-2021-25216 + [Fixed in 1:9.16.15-1] + + -- Athos Ribeiro Mon, 12 Jul 2021 20:26:40 -0300 + bind9 (1:9.16.15-1) unstable; urgency=high * New upstream version 9.16.15 (Closes: #987741, #987742, #987743) 
@@ -674,6 +1271,72 @@ bind9 (1:9.16.9-1) unstable; urgency=med -- Ondřej Surý Thu, 26 Nov 2020 12:52:28 +0100 +bind9 (1:9.16.8-1ubuntu3.2) impish; urgency=medium + + * d/bind9.named.service: use systemd Type=forking to signal daemon init. This + fixes a regression of #900788 where services whose startup depend on name + resolutions may fail due to bind9 not being ready (LP: #1899902). + + -- Athos Ribeiro Fri, 18 Jun 2021 09:24:39 -0300 + +bind9 (1:9.16.8-1ubuntu3.1) hirsute-security; urgency=medium + + * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) + - debian/patches/CVE-2021-25214.patch: immediately reject the entire + transfer for certain RR in lib/dns/xfrin.c. + - CVE-2021-25214 + * SECURITY UPDATE: assert via answering certain queries for DNAME records + - debian/patches/CVE-2021-25215.patch: fix assert checks in + lib/ns/query.c. + - CVE-2021-25215 + * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation + - debian/rules: build with --disable-isc-spnego to disable internal + SPNEGO and use the one from the kerberos libraries. + - CVE-2021-25216 + + -- Marc Deslauriers Tue, 27 Apr 2021 07:07:30 -0400 + +bind9 (1:9.16.8-1ubuntu3) hirsute; urgency=medium + + * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation + - debian/patches/CVE-2020-8625.patch: properly calculate length in + lib/dns/spnego.c. + - CVE-2020-8625 + + -- Marc Deslauriers Thu, 25 Feb 2021 07:29:46 -0500 + +bind9 (1:9.16.8-1ubuntu2) hirsute; urgency=medium + + * No-change rebuild to drop the udeb package. + + -- Matthias Klose Mon, 22 Feb 2021 10:44:18 +0100 + +bind9 (1:9.16.8-1ubuntu1) hirsute; urgency=medium + + * Merge with Debian unstable. 
Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + * Dropped changes (merged in Debian): + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + + -- Paride Legovini Sun, 06 Dec 2020 17:10:15 +0100 + bind9 (1:9.16.8-1) unstable; urgency=medium [ Ondřej Surý ] 
@@ -694,6 +1357,31 @@ bind9 (1:9.16.7-1) unstable; urgency=med -- Ondřej Surý Thu, 17 Sep 2020 10:36:51 +0200 +bind9 (1:9.16.6-3ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + + -- Andreas Hasenack Tue, 15 Sep 2020 10:46:52 -0300 + bind9 (1:9.16.6-3) unstable; urgency=medium [ Ondřej Surý ] 
@@ -704,6 +1392,35 @@ bind9 (1:9.16.6-3) unstable; urgency=med -- Bernhard Schmidt Tue, 15 Sep 2020 00:26:14 +0200 +bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + * Dropped: + - d/not-installed: list dnstap-read.1 manpage, which is being + installed by the makefile even when dnstap is disabled. + [Fixed upstream] + + -- Andreas Hasenack Mon, 24 Aug 2020 10:57:08 -0300 + bind9 (1:9.16.6-2) unstable; urgency=medium * Move Build-Depends for documentation to Build-Depends-Indep, this 
@@ -726,6 +1443,51 @@ bind9 (1:9.16.5-1) unstable; urgency=med -- Ondřej Surý Thu, 16 Jul 2020 00:29:57 +0200 +bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium + + * No change rebuild against new json-c ABI. + + -- Dimitri John Ledkov Tue, 28 Jul 2020 17:42:17 +0100 + +bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + * Dropped: + - SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer + + debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c, + lib/ns/include/ns/client.h, lib/ns/xfrout.c. + + CVE-2020-8618 + [Fixed upstream] + - SECURITY UPDATE: INSIST failure when a zone with an interior wildcard + label was queried in a certain pattern + + debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c. + + CVE-2020-8619 + [Fixed upstream] + * Added changes: + - d/not-installed: list dnstap-read.1 manpage, which is being + installed by the makefile even when dnstap is disabled. 
+ + -- Andreas Hasenack Mon, 06 Jul 2020 15:22:36 -0300 + bind9 (1:9.16.4-1) unstable; urgency=medium * New upstream version 9.16.4 
@@ -733,12 +1495,129 @@ bind9 (1:9.16.4-1) unstable; urgency=med -- Ondřej Surý Wed, 17 Jun 2020 09:27:29 +0200 +bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium + + * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer + - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c, + lib/ns/include/ns/client.h, lib/ns/xfrout.c. + - CVE-2020-8618 + * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard + label was queried in a certain pattern + - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c. + - CVE-2020-8619 + + -- Marc Deslauriers Thu, 18 Jun 2020 08:29:47 -0400 + +bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. 
+ - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + * Dropped: + - d/control: make bind9-dnsutils multi-arch foreign as another step + towards fixing LP #1864761 + [The correct fix was to change the dep8 dependency to be on the real + package, and not the transitional one] + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches + performed when processing referrals + + debian/patches/CVE-2020-8616.patch: further limit the number of + queries that can be triggered from a request in lib/dns/adb.c, + lib/dns/include/dns/adb.h, lib/dns/resolver.c. + + CVE-2020-8616 + [Fixed upstream] + - SECURITY UPDATE: A logic error in code which checks TSIG validity can + be used to trigger an assertion failure in tsig.c + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG + BADTIME response in lib/dns/tsig.c. + + CVE-2020-8617 + [Fixed upstream] + + -- Andreas Hasenack Tue, 02 Jun 2020 17:37:44 -0300 + bind9 (1:9.16.3-1) unstable; urgency=medium * New upstream version 9.16.3 -- Ondřej Surý Tue, 19 May 2020 14:14:35 +0200 +bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. 
+ + d/control, d/rules: buil-depends on dh-apport and use it + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP #1864761) + - d/control: make bind9-dnsutils multi-arch foreign as another step + towards fixing LP #1864761 + - d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches + performed when processing referrals + + debian/patches/CVE-2020-8616.patch: further limit the number of + queries that can be triggered from a request in lib/dns/adb.c, + lib/dns/include/dns/adb.h, lib/dns/resolver.c. + + CVE-2020-8616 + - SECURITY UPDATE: A logic error in code which checks TSIG validity can + be used to trigger an assertion failure in tsig.c + + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG + BADTIME response in lib/dns/tsig.c. 
+ + CVE-2020-8617 + * Dropped: + - use iproute2 instead of net-tools (LP #1850699): + + d/control: replace net-tools depends with iproute2 + + d/bind9.init: use ip instead of ifconfig + [In 1:9.16.1-2] + - d/control: Enable readline-like support in dnsutils (nslookup and nsupdate) + via libedit-dev (libreadline has a license conflict with bind) + [In 1:9.16.1-2] + - d/control: drop hardcoded python3 dependency + (LP #1856211, Closes #946643) + [In 1:9.16.1-2] + - d/extras/apparmor.d/usr.sbin.named: + + Add flags=(attach_disconnected) to AppArmor profile + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ + (Closes: #928398) + [In 1:9.16.1-2] + - d/rules: fix typo in the apparmor profile installation + [In 1:9.16.1-2] + - d/control: create transitional packages for dnsutils, bind9utils + [In 1:9.16.1-2] + - d/p/fix-rebinding-protection.patch: fix rebinding protection bug + when using forwarder setups (LP #1873046) + [Fixed upstream] + + -- Andreas Hasenack Fri, 22 May 2020 09:52:13 -0300 + bind9 (1:9.16.2-3) unstable; urgency=medium [ Simon Deziel ] 
@@ -789,6 +1668,106 @@ bind9 (1:9.16.1-1) experimental; urgency -- Ondřej Surý Fri, 20 Mar 2020 13:59:34 +0100 +bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium + + * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches + performed when processing referrals + - debian/patches/CVE-2020-8616.patch: further limit the number of + queries that can be triggered from a request in lib/dns/adb.c, + lib/dns/include/dns/adb.h, lib/dns/resolver.c. + - CVE-2020-8616 + * SECURITY UPDATE: A logic error in code which checks TSIG validity can + be used to trigger an assertion failure in tsig.c + - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG + BADTIME response in lib/dns/tsig.c. + - CVE-2020-8617 + + -- Marc Deslauriers Tue, 19 May 2020 09:03:32 -0400 + +bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium + + * d/p/fix-rebinding-protection.patch: fix rebinding protection bug + when using forwarder setups (LP: #1873046) + + -- Andreas Hasenack Wed, 15 Apr 2020 14:59:51 -0300 + +bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium + + * New upstream release: 19.16.1 (LP: #1868272) + - drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream + - drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream + * d/rules: change deprecated --with-libjson-c configure argument to + --with-json-c + + -- Andreas Hasenack Tue, 24 Mar 2020 11:44:46 -0300 + +bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium + + * d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now + in main (LP: #1866875) + + -- Andreas Hasenack Mon, 16 Mar 2020 16:17:47 -0300 + +bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium + + * d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP + client quota limits (LP: #1866378) + * d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in + dns_client_addtrustedkey (LP: #1866384) + + -- Andreas Hasenack Fri, 06 Mar 2020 15:12:56 -0300 + +bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium + + * d/control: make bind9-dnsutils 
multi-arch foreign as another step + towards fixing LP: #1864761 + + -- Andreas Hasenack Wed, 26 Feb 2020 20:19:40 -0300 + +bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium + + * d/t/control: change the dep8 test dependency to be on the real + bind9-dnsutils package, and not the transitional one (LP: #1864761) + + -- Andreas Hasenack Wed, 26 Feb 2020 14:16:04 -0300 + +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/control, d/rules: go back to old geoip support, since + libmaxminddb (for GeoIP2) is in universe + * Added back from sid packaging: + - d/t/control, d/t/simpletest: bring back the dep8 test from + debian/sid, with our delta to not query external hosts + - use iproute2 instead of net-tools (LP #1850699): + + d/control: replace net-tools depends with iproute2 + + d/bind9.init: use ip instead of ifconfig + - d/control: drop hardcoded python3 dependency + (LP #1856211, Closes #946643) + - d/extras/apparmor.d/usr.sbin.named: + + Add flags=(attach_disconnected) to AppArmor profile + + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ + (Closes: #928398) + - d/rules: fix typo in the apparmor profile installation + * Added: + - d/control: create transitional packages for dnsutils, bind9utils + - d/NEWS: mention some of the bigger changes in 9.16.0 packaging + - d/control: Enable readline-like support in dnsutils 
(nslookup and nsupdate) + via libedit-dev (libreadline has a license conflict with bind) + + -- Andreas Hasenack Mon, 24 Feb 2020 11:51:37 -0300 + bind9 (1:9.16.0-1) experimental; urgency=medium * Change the branch to 9.16 
@@ -1080,6 +2059,462 @@ bind (1:9.12.0+dfsg-1~exp0) experimental -- Ondřej Surý Wed, 24 Jan 2018 09:18:13 +0000 +bind9 (1:9.11.14+dfsg-3ubuntu1) focal; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. + + d/control, d/rules: buil-depends on dh-apport and use it + - d/control, d/rules: go back to old geoip support, since + libmaxminddb (for GeoIP2) is in universe + * Dropped: + - use iproute2 instead of net-tools (LP #1850699): + + d/control: replace net-tools depends with iproute2 + + d/bind9.init: use ip instead of ifconfig + [In 1:9.11.14+dfsg-2] + - d/control: drop hardcoded python3 dependency in bind9utils, + dh-python injects the correct one via ${python3:Depends} + (LP #1856211, Closes #946643) + [In 1:9.11.14+dfsg-1] + + -- Andreas Hasenack Mon, 27 Jan 2020 11:47:26 -0300 + +bind9 (1:9.11.14+dfsg-1ubuntu1) focal; urgency=medium + + * Merge with Debian unstable. 
Remaining changes: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + - use iproute2 instead of net-tools (LP #1850699): + + d/control: replace net-tools depends with iproute2 + + d/bind9.init: use ip instead of ifconfig + [Updated to also check the exit status of the command] + - d/control: drop hardcoded python3 dependency in bind9utils, + dh-python injects the correct one via ${python3:Depends} + (LP #1856211, Closes: #946643) + * Dropped: + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP #1804648) + [Fixed upstream in 9.11.6rc1] + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP #1797926) + [Fixed upstream in 9.11.6rc1] + - SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single + connection + + debian/patches/CVE-2019-6477.patch: limit number of clients in + bin/named/client.c, bin/named/include/named/client.h. + + CVE-2019-6477 + [Fixed upstream in 9.11.13] + * Added: + - Add back apport: + + d/bind9.apport: add back old bind9 apport hook, but without calling + attach_conffiles() since that is already done by apport itself, with + confirmation from the user. 
+ + d/control, d/rules: buil-depends on dh-apport and use it + - d/control, d/rules: go back to old geoip support, since + libmaxminddb (for GeoIP2) is in universe + + -- Andreas Hasenack Wed, 15 Jan 2020 14:07:05 -0300 + +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu5) focal; urgency=medium + + * d/control: drop hardcoded python3 dependency in bind9utils, + dh-python injects the correct one via ${python3:Depends} + (LP: #1856211, Closes: #946643) + + -- Andreas Hasenack Thu, 12 Dec 2019 14:40:20 -0300 + +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu4) focal; urgency=medium + + * SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single + connection + - debian/patches/CVE-2019-6477.patch: limit number of clients in + bin/named/client.c, bin/named/include/named/client.h. + - CVE-2019-6477 + + -- Marc Deslauriers Thu, 21 Nov 2019 07:50:24 -0500 + +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu3) focal; urgency=medium + + * use iproute2 instead of net-tools (LP: #1850699): + - d/control: replace net-tools depends with iproute2 + - d/bind9.init: use ip instead of ifconfig + * d/bind9.install, d/control, d/rules: re-enable lmdb, which is now + in main. + + -- Andreas Hasenack Fri, 08 Nov 2019 10:15:01 -0300 + +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium + + * Rebuild against new libjson-c4. + + -- Gianfranco Costamagna Sat, 29 Jun 2019 13:45:33 +0200 + +bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium + + * Merge with Debian unstable. 
Remaining changes: + - Build without lmdb support as that package is in Universe + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP #1804648) + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP #1797926) + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + * Dropped: + - SECURITY UPDATE: DoS via malformed packets + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c + + CVE-2019-6471 + [Fixed in 1:9.11.5.P4+dfsg-5.1] + + -- Rafael David Tinoco Thu, 27 Jun 2019 14:54:25 +0000 + +bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Build without lmdb support as that package is in Universe + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP #1804648) + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP #1797926) + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. 
+ - SECURITY UPDATE: DoS via malformed packets + + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c + + CVE-2019-6471 + + -- Rafael David Tinoco Fri, 21 Jun 2019 18:06:22 +0000 + +bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium + + * SECURITY UPDATE: DoS via malformed packets + - debian/patches/CVE-2019-6471.patch: fix race condition in + lib/dns/dispatch.c. + - CVE-2019-6471 + + -- Marc Deslauriers Thu, 20 Jun 2019 08:15:00 -0400 + +bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Build without lmdb support as that package is in Universe + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP #1804648) + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP #1797926) + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + * Dropped: + - SECURITY UPDATE: memory leak via specially crafted packet + + debian/patches/CVE-2018-5744.patch: silently drop additional keytag + options in bin/named/client.c. + + CVE-2018-5744 + [Fixed upstream in 9.11.5-P2] + - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an + unsupported key algorithm when using managed-keys + + debian/patches/CVE-2018-5745.patch: properly handle situations when + the key tag cannot be computed in lib/dns/include/dst/dst.h, + lib/dns/zone.c. 
+ + CVE-2018-5745 + [Fixed upstream in 9.11.5-P2] + - SECURITY UPDATE: Controls for zone transfers may not be properly + applied to Dynamically Loadable Zones (DLZs) if the zones are writable + + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in + the zone table as a DLZ zone bin/named/xfrout.c. + + CVE-2019-6465 + [Fixed upstream in 9.11.5-P3] + - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective + + debian/patches/CVE-2018-5743.patch: add reference counting in + bin/named/client.c, bin/named/include/named/client.h, + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, + lib/isc/include/isc/quota.h, lib/isc/quota.c, + lib/isc/win32/libisc.def.in. + + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic + operations with isc_refcount reference counting in + bin/named/client.c, bin/named/include/named/interfacemgr.h, + bin/named/interfacemgr.c. + + debian/libisc1100.symbols: added new symbols. + + CVE-2018-5743 + [Fixed in 1:9.11.5.P4+dfsg-4] + - d/rules: add back EdDSA support (LP #1825712) + [Fixed in 1:9.11.5.P4+dfsg-4] + + -- Andreas Hasenack Thu, 02 May 2019 13:35:59 -0300 + +bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium + + * d/rules: add back EdDSA support (LP: #1825712) + + -- Andreas Hasenack Fri, 26 Apr 2019 14:04:37 +0000 + +bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium + + * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective + - debian/patches/CVE-2018-5743.patch: add reference counting in + bin/named/client.c, bin/named/include/named/client.h, + bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c, + lib/isc/include/isc/quota.h, lib/isc/quota.c, + lib/isc/win32/libisc.def.in. + - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic + operations with isc_refcount reference counting in + bin/named/client.c, bin/named/include/named/interfacemgr.h, + bin/named/interfacemgr.c. + - debian/libisc1100.symbols: added new symbols. 
+ - CVE-2018-5743 + + -- Marc Deslauriers Wed, 24 Apr 2019 05:00:07 -0400 + +bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium + + * SECURITY UPDATE: memory leak via specially crafted packet + - debian/patches/CVE-2018-5744.patch: silently drop additional keytag + options in bin/named/client.c. + - CVE-2018-5744 + * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an + unsupported key algorithm when using managed-keys + - debian/patches/CVE-2018-5745.patch: properly handle situations when + the key tag cannot be computed in lib/dns/include/dst/dst.h, + lib/dns/zone.c. + - CVE-2018-5745 + * SECURITY UPDATE: Controls for zone transfers may not be properly + applied to Dynamically Loadable Zones (DLZs) if the zones are writable + - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in + the zone table as a DLZ zone bin/named/xfrout.c. + - CVE-2019-6465 + + -- Marc Deslauriers Fri, 22 Feb 2019 10:52:30 +0100 + +bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Build without lmdb support as that package is in Universe + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP #1804648) + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP #1797926) + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + + -- Andreas Hasenack Thu, 17 Jan 2019 18:59:25 -0200 + +bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium + + * Merge with Debian unstable. 
Remaining changes: + - Build without lmdb support as that package is in Universe + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1104.symbols: don't include dnstap symbols + + d/rules: don't build dnstap nor install dnstap.proto + * Dropped: + - SECURITY UPDATE: denial of service crash when deny-answer-aliases + option is used + + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could + trigger a crash if deny-answer-aliases was set + + debian/patches/CVE-2018-5740-2.patch: add tests + + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set + chainingp correctly, add test + + CVE-2018-5740 + [Fixed in new upstream version 9.11.5] + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the + line (Closes: #904983) + [Fixed in 1:9.11.4+dfsg-4] + - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440) + [Fixed in 1:9.11.4.P1+dfsg-1] + - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol + (it depends on OpenSSL version) (Closes: #897643) + [Fixed in 1:9.11.4.P1+dfsg-1] + * Added: + - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line + option (LP: #1804648) + - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted + close to a query timeout (LP: #1797926) + - d/t/simpletest: drop the internetsociety.org test as it requires + network egress access that is not available in the Ubuntu autopkgtest + farm. + + -- Andreas Hasenack Thu, 13 Dec 2018 19:40:23 -0200 + +bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high + + * No change rebuild against openssl 1.1.1 with TLS 1.3 support. 
+ + -- Dimitri John Ledkov Sat, 29 Sep 2018 01:36:45 +0100 + +bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium + + * SECURITY UPDATE: denial of service crash when deny-answer-aliases + option is used + - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could + trigger a crash if deny-answer-aliases was set + - debian/patches/CVE-2018-5740-2.patch: add tests + - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set + chainingp correctly, add test + - CVE-2018-5740 + + -- Marc Deslauriers Thu, 20 Sep 2018 11:11:05 +0200 + +bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium + + * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol + (it depends on OpenSSL version) (Closes: #897643) + + -- Dimitri John Ledkov Tue, 18 Sep 2018 10:39:12 +0200 + +bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium + + * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 + crashing on startup. (LP: #1769440) + + -- Karl Stenerud Thu, 30 Aug 2018 07:11:39 -0700 + +bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium + + * Merge with Debian unstable. Remaining changes: + - Build without lmdb support as that package is in Universe + * Added: + - Don't build dnstap as it depends on universe packages: + + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and + protobuf-c-compiler (universe packages) + + d/dnsutils.install: don't install dnstap + + d/libdns1102.symbols: don't include dnstap symbols + + d/rules: don't build dnstap + - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the + line (Closes: #904983) + + -- Andreas Hasenack Mon, 30 Jul 2018 10:56:04 -0300 + +bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium + + * Merge with Debian unstable (LP: #1777935). 
Remaining changes: + - Build without lmdb support as that package is in Universe + * Drop: + - SECURITY UPDATE: improperly permits recursive query service + + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling + in bin/named/server.c. + + CVE-2018-5738 + [Applied in Debian's 1:9.11.3+dfsg-2] + + -- Andreas Hasenack Wed, 20 Jun 2018 17:42:16 -0300 + +bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium + + * SECURITY UPDATE: improperly permits recursive query service + - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling + in bin/named/server.c. + - CVE-2018-5738 + + -- Marc Deslauriers Mon, 11 Jun 2018 09:41:51 -0400 + +bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low + + * New upstream release. (LP: #1763572) + - fix a crash when configured with ipa-dns-install + * Merge from Debian unstable. Remaining changes: + - Build without lmdb support as that package is in Universe + + -- Timo Aaltonen Fri, 13 Apr 2018 07:40:47 +0300 + +bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium + + * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating + DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews + . (LP: #1755439) + + -- Andreas Hasenack Fri, 16 Mar 2018 09:38:46 -0300 + +bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium + + * Fix apparmor profile filename (LP: #1754981) + + -- Andreas Hasenack Thu, 15 Mar 2018 10:06:57 -0300 + +bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high + + * No change rebuild against openssl1.1. + + -- Dimitri John Ledkov Tue, 06 Feb 2018 12:14:22 +0000 + +bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium + + * Build without lmdb support as that package is in Universe (LP: #1746296) + - d/control: remove Build-Depends on liblmdb-dev + - d/rules: configure --without-lmdb + - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires + lmdb. 
+ + -- Andreas Hasenack Tue, 30 Jan 2018 15:21:23 -0200 + +bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium + + * Merge with Debian unstable (LP: #1744930). + * Drop: + - Add RemainAfterExit to bind9-resolvconf unit configuration file + (LP #1536181). + [fixed in 1:9.10.6+dfsg-4] + - rules: Fix path to libsofthsm2.so. (LP #1685780) + [adopted in 1:9.10.6+dfsg-5] + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression + introduced with the CVE-2016-8864.patch and fixed in + CVE-2016-8864-regression.patch. + [applied upstream] + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second + regression (RT #44318) introduced with the CVE-2016-8864.patch + and fixed in CVE-2016-8864-regression2.patch. + [applied upstream] + - d/control, d/rules: add json support for the statistics channels. + (LP #1669193) + [adopted in 1:9.10.6+dfsg-5] + * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing + listing the python ply module as a dependency (Closes: #888463) + + -- Andreas Hasenack Fri, 26 Jan 2018 11:20:33 -0200 + bind9 (1:9.11.2.P1-1) unstable; urgency=medium * New upstream version 9.11.2-P1 
@@ -1255,6 +2690,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgenc -- Ondřej Surý Fri, 06 Oct 2017 06:18:21 +0000 +bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium + + * Merge with Debian unstable (LP: #1712920). Remaining changes: + - Add RemainAfterExit to bind9-resolvconf unit configuration file + (LP #1536181). + - rules: Fix path to libsofthsm2.so. (LP #1685780) + - d/p/CVE-2016-8864-regression-test.patch: tests for the regression + introduced with the CVE-2016-8864.patch and fixed in + CVE-2016-8864-regression.patch. + - d/p/CVE-2016-8864-regression2-test.patch: tests for the second + regression (RT #44318) introduced with the CVE-2016-8864.patch + and fixed in CVE-2016-8864-regression2.patch. + - d/control, d/rules: add json support for the statistics channels. + (LP #1669193) + + -- Andreas Hasenack Thu, 24 Aug 2017 18:28:00 -0300 + +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium + + * Non-maintainer upload. + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) + + -- Bernhard Schmidt Fri, 11 Aug 2017 19:10:07 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium + + * Merge with Debian unstable (LP: #1701687). Remaining changes: + - Add RemainAfterExit to bind9-resolvconf unit configuration file + (LP #1536181). + - rules: Fix path to libsofthsm2.so. (LP #1685780) + * Drop: + - SECURITY UPDATE: denial of service via assertion failure + + debian/patches/CVE-2016-2776.patch: properly handle lengths in + lib/dns/message.c. + + CVE-2016-2776 + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] + - SECURITY UPDATE: assertion failure via class mismatch + + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY + records in lib/dns/resolver.c. + + CVE-2016-9131 + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] + - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information + + debian/patches/CVE-2016-9147.patch: fix logic when records are + returned without the requested data in lib/dns/resolver.c. 
+ + CVE-2016-9147 + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] + - SECURITY UPDATE: assertion failure via unusually-formed DS record + + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in + lib/dns/message.c, lib/dns/resolver.c. + + CVE-2016-9444 + + [Fixed in Debian 1:9.10.3.dfsg.P4-11] + - SECURITY UPDATE: regression in CVE-2016-8864 + + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in + responses in lib/dns/resolver.c, added tests to + bin/tests/system/dname/ns2/example.db, + bin/tests/system/dname/tests.sh. + + No CVE number + + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12] + - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing + a NULL pointer + + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz + combination in bin/named/query.c, lib/dns/message.c, + lib/dns/rdataset.c. + + CVE-2017-3135 + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] + - SECURITY UPDATE: regression in CVE-2016-8864 + + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME + was still being cached when it should have been in lib/dns/resolver.c, + added tests to bin/tests/system/dname/ans3/ans.pl, + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. + + No CVE number + + [Fixed in Debian 1:9.10.3.dfsg.P4-12] + - SECURITY UPDATE: Denial of Service due to an error handling + synthesized records when using DNS64 with "break-dnssec yes;" + + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() + called. + + CVE-2017-3136 + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] + - SECURITY UPDATE: Denial of Service due to resolver terminating when + processing a response packet containing a CNAME or DNAME + + debian/patches/CVE-2017-3137.patch: don't expect a specific + ordering of answer components; add testcases. 
+ + CVE-2017-3137 + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files] + - SECURITY UPDATE: Denial of Service when receiving a null command on + the control channel + + debian/patches/CVE-2017-3138.patch: don't throw an assert if no + command token is given; add testcase. + + CVE-2017-3138 + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3] + - SECURITY UPDATE: TSIG authentication issues + + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. + + CVE-2017-3142 + + CVE-2017-3143 + + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4] + * d/p/CVE-2016-8864-regression-test.patch: tests for the regression + introduced with the CVE-2016-8864.patch and fixed in + CVE-2016-8864-regression.patch. + * d/p/CVE-2016-8864-regression2-test.patch: tests for the second + regression (RT #44318) introduced with the CVE-2016-8864.patch + and fixed in CVE-2016-8864-regression2.patch. + * d/control, d/rules: add json support for the statistics channels. + (LP: #1669193) + + -- Andreas Hasenack Fri, 11 Aug 2017 17:12:09 -0300 + +bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium + + * Non-maintainer upload. + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG + signed TCP message sequences where not all the messages contain TSIG + records. These may be used in AXFR and IXFR responses. + (Closes: #868952) + + -- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high + + * Non-maintainer upload. + + [ Yves-Alexis Perez ] + * debian/patches: + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone + transfers. An attacker may be able to circumvent TSIG authentication of + AXFR and Notify requests. + CVE-2017-3143: error in TSIG authentication can permit unauthorized + dynamic updates. 
An attacker may be able to forge a valid TSIG or SIG(0) + signature for a dynamic update. + (Closes: #866564) + + -- Salvatore Bonaccorso Sun, 16 Jul 2017 22:13:21 +0200 + bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium [ Bernhard Schmidt ] 
@@ -1361,6 +2930,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; ur -- Michael Gilbert Thu, 19 Jan 2017 04:03:28 +0000 +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium + + * SECURITY UPDATE: TSIG authentication issues + - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in + lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c. + - CVE-2017-3142 + - CVE-2017-3143 + + -- Marc Deslauriers Mon, 03 Jul 2017 09:48:13 -0400 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium + + * rules: Fix path to libsofthsm2.so. (LP: #1685780) + + -- Timo Aaltonen Mon, 24 Apr 2017 15:01:30 +0300 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium + + * SECURITY UPDATE: Denial of Service due to an error handling + synthesized records when using DNS64 with "break-dnssec yes;" + - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64() + called. + - CVE-2017-3136 + * SECURITY UPDATE: Denial of Service due to resolver terminating when + processing a response packet containing a CNAME or DNAME + - debian/patches/CVE-2017-3137.patch: don't expect a specific + ordering of answer components; add testcases. + - CVE-2017-3137 + * SECURITY UPDATE: Denial of Service when receiving a null command on + the control channel + - debian/patches/CVE-2017-3138.patch: don't throw an assert if no + command token is given; add testcase. + - CVE-2017-3138 + + -- Steve Beattie Wed, 12 Apr 2017 01:32:15 -0700 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium + + * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing + a NULL pointer + - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz + combination in bin/named/query.c, lib/dns/message.c, + lib/dns/rdataset.c. 
+ - CVE-2017-3135 + * SECURITY UPDATE: regression in CVE-2016-8864 + - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME + was still being cached when it should have been in lib/dns/resolver.c, + added tests to bin/tests/system/dname/ans3/ans.pl, + bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh. + - No CVE number + + -- Marc Deslauriers Wed, 15 Feb 2017 09:37:39 -0500 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium + + * SECURITY UPDATE: assertion failure via class mismatch + - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY + records in lib/dns/resolver.c. + - CVE-2016-9131 + * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information + - debian/patches/CVE-2016-9147.patch: fix logic when records are + returned without the requested data in lib/dns/resolver.c. + - CVE-2016-9147 + * SECURITY UPDATE: assertion failure via unusually-formed DS record + - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in + lib/dns/message.c, lib/dns/resolver.c. + - CVE-2016-9444 + * SECURITY UPDATE: regression in CVE-2016-8864 + - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in + responses in lib/dns/resolver.c, added tests to + bin/tests/system/dname/ns2/example.db, + bin/tests/system/dname/tests.sh. + - No CVE number + + -- Marc Deslauriers Wed, 25 Jan 2017 09:28:10 -0500 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium + + * Add RemainAfterExit to bind9-resolvconf unit configuration file + (LP: #1536181). + + -- Nishanth Aravamudan Tue, 15 Nov 2016 08:24:58 -0800 + +bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium + + * SECURITY UPDATE: denial of service via assertion failure + - debian/patches/CVE-2016-2776.patch: properly handle lengths in + lib/dns/message.c. + - CVE-2016-2776 + + -- Marc Deslauriers Tue, 04 Oct 2016 14:31:17 -0400 + bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium * Non-maintainer upload. 
diff -pruN 1:9.20.0-2/debian/control 1:9.20.0-2ubuntu3/debian/control --- 1:9.20.0-2/debian/control 2024-07-27 03:02:39.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/control 2024-08-20 19:34:03.000000000 +0000 @@ -1,27 +1,26 @@ Source: bind9 Section: net Priority: optional -Maintainer: Debian DNS Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian DNS Team Uploaders: Ondřej Surý , Bernhard Schmidt Build-Depends: bison, debhelper-compat (= 12), dh-apparmor, + dh-apport, dh-exec, libcap2-dev [linux-any], libcmocka-dev, libdb-dev, libedit-dev, - libfstrm-dev, libidn2-dev, - libjemalloc-dev, libjson-c-dev, libkrb5-dev, liblmdb-dev, libltdl-dev, libmaxminddb-dev (>= 1.3.0), libnghttp2-dev, - libprotobuf-c-dev, libssl-dev, libsystemd-dev [linux-any], libtool, @@ -29,7 +28,6 @@ Build-Depends: bison, libuv1-dev, libxml2-dev, pkg-config, - protobuf-c-compiler, zlib1g-dev Build-Depends-Indep: fonts-freefont-otf, latexmk, @@ -53,7 +51,6 @@ Depends: adduser, debconf | debconf-2.0, dns-root-data, iproute2, - lsb-base (>= 3.2-14), netbase, ${misc:Depends}, ${shlibs:Depends} @@ -122,7 +119,8 @@ Section: libs Priority: standard Architecture: any Multi-Arch: same -Depends: ${misc:Depends}, +Depends: libuv1t64 (>= 1.40.0), + ${misc:Depends}, ${shlibs:Depends} Breaks: bind-libs (<< 1:9.13.6~) Replaces: bind-libs (<< 1:9.13.6~) diff -pruN 1:9.20.0-2/debian/copyright 1:9.20.0-2ubuntu3/debian/copyright --- 1:9.20.0-2/debian/copyright 2024-07-27 03:02:39.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/copyright 2024-08-20 19:34:03.000000000 +0000 
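Review bot: Dropping `libjemalloc-dev` from Build-Depends in the first hunk means named and the utilities link without jemalloc and fall back to the shim in lib/isc/jemalloc_shim.h, which is exactly the code path the new `stop-using-malloc_usable_size.patch` in this same upload repairs; the two changes should be recorded as a pair, because re-adding jemalloc makes the patch moot while dropping the patch with this build-dep still removed brings back the reported memory-safety bug. The explicit `Depends: libuv1t64 (>= 1.40.0),` in the last hunk duplicates what `${shlibs:Depends}` would normally generate, so a short note on why a manual version floor is needed would help the next maintainer. The changelog entry for this upload is outside this chunk and may already carry that rationale.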
@@ -39,14 +39,6 @@ Comment: and licenses used in the BIND 9 project. You need to look at the individual files to get the specific license that covers that file. -Files: lib/isc/hp.c lib/isc/include/isc/hp.h -Copyright: 2018-2020 Internet Systems Consortium, Inc. ("ISC") - 2014-2016, Pedro Ramalhete, Andreia Correia -License: MPL-2.0 and BSD-3-clause -Comment: - This work is based on C++ code available from: - https://github.com/pramalhe/ConcurrencyFreaks/ - Files: lib/isc/random.c Copyright: 2018-2020 Internet Systems Consortium, Inc. ("ISC") 1996 David Mazieres 
@@ -61,45 +53,32 @@ License: MPL-2.0 and CC0-1.0 Comment: The SipHash in BIND 9 is based on SipHash reference C implementation. -Files: lib/isc/include/pkcs11/pkcs11.h -Copyright: 2006-2007 g10 Code GmbH - 2006 Andreas Jellinghaus - 2017 Red Hat, Inc. -License: - This file is free software; as a special exception the author gives - unlimited permission to copy and/or distribute it, with or without - modifications, as long as this notice is preserved. - . - This file is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY, to the extent permitted by law; without even - the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. */ -Comment: The pkcs11.h header was imported from libp11 project - -Files: lib/isc/tests/random_test.c +Files: tests/isc/random_test.c Copyright: 2004-2017 Internet Systems Consortium, Inc. ("ISC") 1996-2003 Internet Software Consortium 1985, 1987, 2000 Stephen L. Moshier License: MPL-2.0 and public-domain + Some code from the Cephes Math Library Release 2.8 is provided, which was + released into the public domain as part of netlib. Files: contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c Copyright: 2004-2017 Internet Systems Consortium, Inc. ("ISC") 2014 Maui Systems Ltd License: MPL-2.0 and ISC -Files: contrib/dlz/modules/perl/ +Files: contrib/dlz/modules/perl/* Copyright: 2004-2017 Internet Systems Consortium, Inc. ("ISC") 2009-2012 John Eaglesham 2002 Stichting NLnet License: MPL-2.0 and ISC -Files: contrib/dlz/modules/wildcard/ +Files: contrib/dlz/modules/wildcard/* Copyright: 2004-2017 Internet Systems Consortium, Inc. ("ISC") 2012 Vadim Goncharov 2002 Stichting NLnet License: MPL-2.0 and ISC -Files: m4/ +Files: m4/* Copyright: 2004-2017 Internet Systems Consortium, Inc. ("ISC") 2008 Guido U. Draheim 2011 Maarten Bosmans 
@@ -112,7 +91,7 @@ Copyright: 2004-2017 Internet Systems Co 2011 Russ Allbery 2013 Bastien ROUCARIES 2004, 2011-2015 Free Software Foundation, Inc. -License: +License: FSFAP Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any @@ -120,7 +99,7 @@ License: Comment: The files from m4/ directory were imported from autoconf-archive, and libtool. -Files: debian/ +Files: debian/* Copyright: 2007-2017 LaMont Jones 2013-2017 Michael Gilbert 2017-2019 Ondřej Surý @@ -155,7 +134,7 @@ License: BSD-2-clause 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . - 2. Redistributions in binary form must reproduce the above copyright + 1. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . diff -pruN 1:9.20.0-2/debian/patches/series 1:9.20.0-2ubuntu3/debian/patches/series --- 1:9.20.0-2/debian/patches/series 2024-07-27 03:02:39.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/patches/series 2024-08-26 18:11:19.000000000 +0000 @@ -1,2 +1,3 @@ 0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch 0002-Disable-RTLD_DEEPBIND-in-Samba-DLZ-module.patch +stop-using-malloc_usable_size.patch diff -pruN 1:9.20.0-2/debian/patches/stop-using-malloc_usable_size.patch 1:9.20.0-2ubuntu3/debian/patches/stop-using-malloc_usable_size.patch --- 1:9.20.0-2/debian/patches/stop-using-malloc_usable_size.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/patches/stop-using-malloc_usable_size.patch 2024-08-26 18:21:40.000000000 +0000 
@@ -0,0 +1,151 @@ +Description: Remove memory size check implementations using malloc_usable_size and malloc_size. + Since Ubuntu does not compile bind9 with jemalloc, it uses a fallback version + of the sallocx function which used malloc_usable_size to determine the + allocated memory for a void pointer. Since this function may return a larger + value than expected, this caused a buffer overflow for dig and named. This + patch removes the invalid sallocx functions and uses + size_info *si = &(((size_info *)ptr)[-1] + as the new fallback. +Author: Ondřej Surý +Origin: upstream, https://gitlab.isc.org/isc-projects/bind9/-/commit/f99da39934dd8260cfe9c699b6910c6629534c83 +Bug: https://gitlab.isc.org/isc-projects/bind9/-/issues/4880 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2077327 +Forwarded: not-needed +Last-Update: 2024-08-26 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/configure.ac ++++ b/configure.ac +@@ -1350,8 +1350,7 @@ + + AS_IF([test "$with_jemalloc" = "no"], + [AS_CASE([$host], +- [*-freebsd*],[AC_MSG_ERROR([You cannot compile without jemalloc; jemalloc is the system allocator on FreeBSD])]) +- AC_CHECK_FUNCS([malloc_size malloc_usable_size])]) ++ [*-freebsd*],[AC_MSG_ERROR([You cannot compile without jemalloc; jemalloc is the system allocator on FreeBSD])])]) + + AM_CONDITIONAL([HAVE_JEMALLOC], [test "$with_jemalloc" = "yes"]) + +--- a/lib/isc/jemalloc_shim.h ++++ b/lib/isc/jemalloc_shim.h +@@ -26,89 +26,6 @@ + #define MALLOCX_TCACHE_NONE (0) + #define MALLOCX_ARENA(a) (0) + +-#if defined(HAVE_MALLOC_SIZE) || defined(HAVE_MALLOC_USABLE_SIZE) +- +-#include +- +-#ifdef HAVE_MALLOC_SIZE +- +-#include +- +-static inline size_t +-sallocx(void *ptr, int flags) { +- UNUSED(flags); +- +- return (malloc_size(ptr)); +-} +- +-#elif HAVE_MALLOC_USABLE_SIZE +- +-#ifdef __DragonFly__ +-/* +- * On DragonFly BSD 'man 3 malloc' advises us to include the following +- * header to have access to malloc_usable_size(). 
+- */ +-#include +-#else +-#include +-#endif +- +-static inline size_t +-sallocx(void *ptr, int flags) { +- UNUSED(flags); +- +- return (malloc_usable_size(ptr)); +-} +- +-#endif /* HAVE_MALLOC_SIZE */ +- +-static inline void * +-mallocx(size_t size, int flags) { +- void *ptr = malloc(size); +- INSIST(ptr != NULL); +- +- if ((flags & MALLOCX_ZERO) != 0) { +- memset(ptr, 0, sallocx(ptr, flags)); +- } +- +- return (ptr); +-} +- +-static inline void +-sdallocx(void *ptr, size_t size, int flags) { +- UNUSED(size); +- UNUSED(flags); +- +- free(ptr); +-} +- +-static inline void * +-rallocx(void *ptr, size_t size, int flags) { +- void *new_ptr; +- size_t old_size, new_size; +- +- REQUIRE(size != 0); +- +- if ((flags & MALLOCX_ZERO) != 0) { +- old_size = sallocx(ptr, flags); +- } +- +- new_ptr = realloc(ptr, size); +- INSIST(new_ptr != NULL); +- +- if ((flags & MALLOCX_ZERO) != 0) { +- new_size = sallocx(new_ptr, flags); +- if (new_size > old_size) { +- memset((uint8_t *)new_ptr + old_size, 0, +- new_size - old_size); +- } +- } +- +- return (new_ptr); +-} +- +-#else /* defined(HAVE_MALLOC_SIZE) || defined (HAVE_MALLOC_USABLE_SIZE) */ +- + #include + + typedef union { +@@ -135,21 +52,16 @@ + } + + static inline void +-sdallocx(void *ptr, size_t size, int flags) { ++sdallocx(void *ptr, size_t size ISC_ATTR_UNUSED, int flags ISC_ATTR_UNUSED) { + size_info *si = &(((size_info *)ptr)[-1]); + +- UNUSED(size); +- UNUSED(flags); +- + free(si); + } + + static inline size_t +-sallocx(void *ptr, int flags) { ++sallocx(void *ptr, int flags ISC_ATTR_UNUSED) { + size_info *si = &(((size_info *)ptr)[-1]); + +- UNUSED(flags); +- + return (si[0].size); + } + +@@ -169,6 +81,4 @@ + return (ptr); + } + +-#endif /* defined(HAVE_MALLOC_SIZE) || defined (HAVE_MALLOC_USABLE_SIZE) */ +- + #endif /* !defined(HAVE_JEMALLOC) */ diff -pruN 1:9.20.0-2/debian/po/de.po 1:9.20.0-2ubuntu3/debian/po/de.po --- 1:9.20.0-2/debian/po/de.po 2024-07-27 03:02:39.000000000 +0000 +++ 
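Review bot: The DEP-3 Description quotes the new fallback as `size_info *si = &(((size_info *)ptr)[-1]`, dropping the closing parenthesis and semicolon of the line it refers to in lib/isc/jemalloc_shim.h (`size_info *si = &(((size_info *)ptr)[-1]);`); fix the quote so a reader grepping the header finds the code. The Description states the impact ("buffer overflow for dig and named") but the header only cites upstream issue 4880 and the Launchpad bug; if upstream or the security team assigned a vulnerability identifier for it, it belongs in the header, and if none was assigned a sentence saying so spares the next reviewer the lookup. Since the configure.ac hunk also removes the `AC_CHECK_FUNCS([malloc_size malloc_usable_size])` probe, the size_info header path becomes the only non-jemalloc fallback on every platform; stating that this is intentional in the Description would make the scope of the change explicit.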
1:9.20.0-2ubuntu3/debian/po/de.po 2024-08-20 19:34:03.000000000 +0000 @@ -28,15 +28,15 @@ msgid "" "The default is to run the BIND9 daemon (named) under the 'bind' user " "account. To use a different account, please enter the appropriate username." msgstr "" -"Standardmig wird der BIND9-Daemon (Named) unter der Kennung des Benutzers " -"bind betrieben. Um ein anderes Benutzerkonto auszuwhlen, geben Sie bitte " +"Standardmäßig wird der BIND9-Daemon (Named) unter der Kennung des Benutzers " +"»bind« betrieben. Um ein anderes Benutzerkonto auszuwählen, geben Sie bitte " "den entsprechenden Benutzernamen ein." #. Type: string #. Description #: ../templates:2001 msgid "Other startup options for named:" -msgstr "Weitere Optionen fr den Start des Named:" +msgstr "Weitere Optionen für den Start des Named:" #. Type: string #. Description @@ -45,8 +45,8 @@ msgid "" "Please provide any additional options (other than username) that should be " "passed to the BIND9 daemon (named) on startup." msgstr "" -"Bitte geben Sie hier die zustzlichen Optionen (auer dem Benutzernamen) " -"ein, die dem Bind9-Daemon (Named) beim Starten bergeben werden sollen." +"Bitte geben Sie hier die zusätzlichen Optionen (außer dem Benutzernamen) " +"ein, die dem Bind9-Daemon (Named) beim Starten übergeben werden sollen." #. Type: boolean #. Description @@ -62,7 +62,7 @@ msgid "" "daemon (named) rather than what the current connection recommends, when this " "machine moves around." msgstr "" -"Bitte whlen Sie aus, ob der Namensauflser (Resolver) dazu gezwungen werden " +"Bitte wählen Sie aus, ob der Namensauflöser (Resolver) dazu gezwungen werden " "soll, den lokalen BIND9-Daemon (Named) zu verwenden, statt den aktuellen " "Verbindungsempfehlungen zu folgen, wenn diese Maschine bewegt wird." 
@@ -76,8 +76,8 @@ msgstr "" #~ "The default is to start bind9 as bind user, if you would like to change " #~ "that, please give here the username as which bind9 should start as." #~ msgstr "" -#~ "Standardmig startet Bind9 unter der Benutzerkennung bind. Falls Sie " -#~ "dies ndern mchten geben Sie hier bitte den Benutzernamen ein, unter " +#~ "Standardmäßig startet Bind9 unter der Benutzerkennung »bind«. Falls Sie " +#~ "dies ändern möchten geben Sie hier bitte den Benutzernamen ein, unter " #~ "dessen Kennung Bind9 starten soll." #~ msgid "Should resolvconf run when bind9 starts up?" diff -pruN 1:9.20.0-2/debian/rules 1:9.20.0-2ubuntu3/debian/rules --- 1:9.20.0-2/debian/rules 2024-07-27 03:02:39.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/rules 2024-08-26 18:09:51.000000000 +0000 @@ -46,7 +46,7 @@ EXCLUDE_FILES := \ --exclude=libns.la %: - dh $@ + dh $@ --with apport prepare_version_extensions: if [ ! -f configure.ac.bak ]; then \ @@ -86,7 +86,6 @@ override_dh_auto_configure: --enable-rrl \ --enable-filter-aaaa \ --disable-native-pkcs11 \ - --enable-dnstap \ $(EXTRA_FEATURES) override_dh_auto_build: diff -pruN 1:9.20.0-2/debian/tests/control 1:9.20.0-2ubuntu3/debian/tests/control --- 1:9.20.0-2/debian/tests/control 2024-07-27 03:02:39.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/tests/control 2024-08-28 14:52:29.000000000 +0000 
@@ -7,3 +7,20 @@ Tests: validation Restrictions: isolation-container, needs-internet, needs-root, flaky Depends: bind9, bind9-dnsutils + +Tests: zonetest +Restrictions: isolation-container, needs-root +Depends: bind9, + bind9-dnsutils, + bind9-utils + +# This test has been disabled since bind-dyndb-ldap was removed in Ubuntu 24.10 +# See LP: #2078003 for more information +#Tests: dyndb-ldap +#Restrictions: isolation-container, needs-root +#Architecture: !i386 +#Depends: bind9, +# bind9-dyndb-ldap, +# slapd, +# ldap-utils, +# dpkg-dev diff -pruN 1:9.20.0-2/debian/tests/dyndb-ldap 1:9.20.0-2ubuntu3/debian/tests/dyndb-ldap --- 1:9.20.0-2/debian/tests/dyndb-ldap 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/tests/dyndb-ldap 2024-08-28 14:18:07.000000000 +0000 
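Review bot: The `dyndb-ldap` stanza is added already commented out, so the debian/tests/dyndb-ldap script added in the next file of this diff is shipped with nothing executing it; either hold the script back until bind9-dyndb-ldap returns, or keep the stanza live with `Restrictions: isolation-container, needs-root, skippable` and let the script exit 77 when the package is absent, so it keeps being exercised. The new `zonetest` rewrites `/etc/bind/named.conf.options` and `/etc/bind/named.conf.local` in place and does not restore them, which the stanza should declare: `Restrictions: isolation-container, needs-root, breaks-testbed`. The comment pointing at LP: #2078003 is useful; naming the condition under which to re-enable the test would make it actionable.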
@@ -0,0 +1,280 @@ +#!/bin/bash + +set -e + +ldap_suffix="dc=example,dc=internal" +mydomain="example.internal" +myhostname="dep8" +ldap_admin_dn="cn=admin,${ldap_suffix}" +ldap_admin_pw="secret" +ldap_bind9_dn="uid=bind9,${ldap_suffix}" +ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn +ldap_bind9_pw="secretagain" + +cleanup() { + result=$? + set +e + if [ ${result} -ne 0 ]; then + echo "## Something failed, gathering logs" + echo + echo "## /var/log/syslog:" + tail -n 200 /var/log/syslog + echo + echo "## slapd journal" + journalctl -u slapd + echo + echo "## bind journal" + journalctl -u bind + fi + sed -i '/include.*ldap_zone/d' /etc/bind/named.conf.local + rm -f /etc/bind/named.conf.ldap_zone +} + +trap cleanup EXIT + +try_reload_apparmor_profile() { + local apparmor_profile="${1}" + local -i rc=0 + local arch + local vendor + + apparmor_parser -r -W -T "${apparmor_profile}" 2>&1 || rc=$? + if [ ${rc} -ne 0 ]; then + # This can fail on armhf in the Ubuntu DEP8 infrastructure + # because that environment restricts changing apparmor profiles. + # (See LP: #2008393) + arch=$(dpkg --print-architecture) + vendor=$(dpkg-vendor --query Vendor) + if [ "${arch}" = "armhf" ] && [ "${vendor}" = "Ubuntu" ]; then + echo "WARNING: failed to enforce apparmor profile." + echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error." + echo "See #2008393 for details." + rc=0 + else + echo "ERROR: failed to adjust the slapd apparmor profile for this test." 
+ fi + fi + return ${rc} +} + +adjust_apparmor_profile() { + local profile_name="usr.sbin.named" + local profile_path="/etc/apparmor.d/${profile_name}" + + if [ -f "${profile_path}" ]; then + if aa-status --enabled 2>/dev/null; then + # Adjust apparmor so bind9 can connect to slapd's unix socket + echo " /run/slapd/ldapi rw," >> "/etc/apparmor.d/local/${profile_name}" + try_reload_apparmor_profile "${profile_path}" + fi + fi +} + +check_slapd_ready() { + ldapwhoami -Q -Y EXTERNAL -H ldapi:/// > /dev/null 2>&1 +} + +wait_service_ready() { + local service="${1}" + local check_function="${2}" + local -i tries=5 + echo -n "Waiting for ${service} to be ready " + while [ ${tries} -ne 0 ]; do + echo -n "." + if "${check_function}"; then + echo + break + fi + tries=$((tries-1)) + sleep 1s + done + if [ ${tries} -eq 0 ]; then + echo "ERROR: ${service} is not ready" + return 1 + fi +} + +setup_slapd() { + local domain="$1" + local password="$2" + # MUST use REAL TABS as delimiters below! + debconf-set-selections << EOF +slapd slapd/domain string ${domain} +slapd shared/organization string ${domain} +slapd slapd/password1 password ${password} +slapd slapd/password2 password ${password} +EOF + rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb + dpkg-reconfigure -fnoninteractive -pcritical slapd 2>&1 + systemctl restart slapd # http://bugs.debian.org/1010678 + wait_service_ready slapd check_slapd_ready +} + +configure_slapd_logging() { + ldapmodify -Y EXTERNAL -H ldapi:/// 2>&1 <> /etc/bind/named.conf.local + fi + cat > /etc/bind/named.conf.ldap_zone </dev/null)/bind/ldap.so" { + uri "ldapi:///"; + base "ou=dns,${ldap_suffix}"; + auth_method "simple"; + bind_dn "${ldap_bind9_dn}"; + password "${ldap_bind9_pw}"; +}; +EOF + chmod 0640 /etc/bind/named.conf.ldap_zone + chgrp bind /etc/bind/named.conf.ldap_zone + echo "## Restarting bind9" + systemctl restart bind9.service +} + +echo "## Adjust bind9's apparmor profile if needed" +adjust_apparmor_profile + +echo "## Setting up 
slapd" +setup_slapd "${mydomain}" "${ldap_admin_pw}" +echo + +echo "## Configuring slapd logging" +configure_slapd_logging +echo + +echo "## Creating bind9 ldap uid" +create_bind9_uid +echo + +echo "## Loading bind9-dyndb-ldap schema" +load_dyndb_schema +echo + +echo "## Loading syncproc module" +load_syncprov +echo + +echo "## Loading DNS sample data" +load_dns_data +echo + +echo "## Configuring bind9 to use bind9-dyndb-ldap" +configure_dyndb +echo + +echo "## Checking DNS records" +host "somehost.${mydomain}" 127.0.0.1 +echo +host "${myhostname}.${mydomain}" 127.0.0.1 +echo +host -t srv "_ldap._tcp.${mydomain}" 127.0.0.1 +echo +host -t soa "${mydomain}" 127.0.0.1 diff -pruN 1:9.20.0-2/debian/tests/zonetest 1:9.20.0-2ubuntu3/debian/tests/zonetest --- 1:9.20.0-2/debian/tests/zonetest 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.20.0-2ubuntu3/debian/tests/zonetest 2024-08-20 19:34:03.000000000 +0000 @@ -0,0 +1,49 @@ +#!/bin/sh + +set -e + +setup() ( + systemctl stop bind9 + systemctl stop named + + cat </etc/bind/named.conf.options +options { directory "/var/cache/bind"; listen-on port 53 { 127.0.0.1; }; allow-query { any; }; recursion yes; }; +EOF + + cat </etc/bind/named.conf.local +zone "localdomain.test" { type master; file "/etc/bind/zones/forward.localdomain.test"; }; +EOF + + mkdir -p /etc/bind/zones/ + + cat </etc/bind/zones/forward.localdomain.test +\$TTL 604800 +@ IN SOA localdomain.test. root.localdomain.test. ( + 2 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS ns.localdomain.test. +ns IN A 127.0.0.1 +EOF + + systemctl start bind9 + systemctl start named +) + +run() ( + named-checkconf + named-checkzone localdomain.test /etc/bind/zones/forward.localdomain.test + dig @localhost localdomain.test | grep 'NOERROR' +) + +teardown() ( + systemctl stop bind9 + systemctl stop named +) + +setup +run +teardown
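Review bot: The failure message in try_reload_apparmor_profile says the slapd profile could not be adjusted, but its only caller, adjust_apparmor_profile, passes `usr.sbin.named` — it is named's profile that is being widened to reach slapd's socket — so it should read `echo "ERROR: failed to adjust the named apparmor profile for this test."`. adjust_apparmor_profile also appends `/run/slapd/ldapi rw,` to `/etc/apparmor.d/local/usr.sbin.named` on every run and cleanup never removes it, leaving the profile permanently widened; harmless in an isolation-container, but a comment saying so, or a matching `sed -i` in cleanup, would make the intent clear. The named.conf.ldap_zone fragment holds the LDAP bind password in plain text and is correctly tightened with `chmod 0640` and `chgrp bind`, but it is first created with the default umask, so `umask 077` before the `cat >` (or `install -m 0640`) would remove the brief world-readable window. In this rendering the heredoc bodies fed to ldapmodify and written to named.conf.ldap_zone appear to have been lost, so their contents could not be reviewed.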
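Review bot: With `set -e`, the first failing command in `run` terminates the script before `teardown` is reached, so named is left running with the test configuration on failure; register the cleanup instead with `trap teardown EXIT` placed before the `setup` call. setup also overwrites `/etc/bind/named.conf.options` and `/etc/bind/named.conf.local` without saving the packaged versions and teardown does not restore them, so the testbed's bind9 configuration is permanently replaced — acceptable only if the tests/control stanza declares it. Stopping and starting both `bind9` and `named` is redundant if one unit is an alias of the other, though harmless. The heredoc redirections appear garbled in this rendering (`cat </etc/bind/...`), so the exact redirection syntax could not be checked.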