-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2.2) eoan-security; urgency=medium
* SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
- debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
- CVE-2020-8616
* SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
- debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
- CVE-2020-8617
-- Marc Deslauriers <email address hidden> Fri, 15 May 2020 08:09:01 -0400
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2.1) eoan-security; urgency=medium
* SECURITY UPDATE: TCP Pipelining doesn't limit TCP clients on a single
connection
- debian/patches/CVE-2019-6477.patch: limit number of clients in
bin/named/client.c, bin/named/include/named/client.h.
- CVE-2019-6477
-- Marc Deslauriers <email address hidden> Mon, 18 Nov 2019 09:49:31 -0500
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu2) eoan; urgency=medium
* Rebuild against new libjson-c4.
-- Gianfranco Costamagna <email address hidden> Sat, 29 Jun 2019 13:45:33 +0200
-
bind9 (1:9.11.5.P4+dfsg-5.1ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Build without lmdb support as that package is in Universe
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
option (LP #1804648)
- d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
close to a query timeout (LP #1797926)
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
* Dropped:
- SECURITY UPDATE: DoS via malformed packets
+ d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
+ CVE-2019-6471
[Fixed in 1:9.11.5.P4+dfsg-5.1]
bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high
* Non-maintainer upload.
* move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471)
(Closes: #930746)
-- Rafael David Tinoco <email address hidden> Thu, 27 Jun 2019 14:54:25 +0000
-
bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Build without lmdb support as that package is in Universe
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
option (LP #1804648)
- d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
close to a query timeout (LP #1797926)
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- SECURITY UPDATE: DoS via malformed packets
+ d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
+ CVE-2019-6471
bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
* AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
Thanks to Steven Monai (Closes: 928398)
-- Rafael David Tinoco <email address hidden> Fri, 21 Jun 2019 18:06:22 +0000
-
bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
* SECURITY UPDATE: DoS via malformed packets
- debian/patches/CVE-2019-6471.patch: fix race condition in
lib/dns/dispatch.c.
- CVE-2019-6471
-- Marc Deslauriers <email address hidden> Thu, 20 Jun 2019 08:15:00 -0400
-
bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Build without lmdb support as that package is in Universe
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
option (LP #1804648)
- d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
close to a query timeout (LP #1797926)
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
* Dropped:
- SECURITY UPDATE: memory leak via specially crafted packet
+ debian/patches/CVE-2018-5744.patch: silently drop additional keytag
options in bin/named/client.c.
+ CVE-2018-5744
[Fixed upstream in 9.11.5-P2]
- SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
+ debian/patches/CVE-2018-5745.patch: properly handle situations when
the key tag cannot be computed in lib/dns/include/dst/dst.h,
lib/dns/zone.c.
+ CVE-2018-5745
[Fixed upstream in 9.11.5-P2]
- SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
+ debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
the zone table as a DLZ zone bin/named/xfrout.c.
+ CVE-2019-6465
[Fixed upstream in 9.11.5-P3]
- SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
+ debian/patches/CVE-2018-5743.patch: add reference counting in
bin/named/client.c, bin/named/include/named/client.h,
bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
lib/isc/include/isc/quota.h, lib/isc/quota.c,
lib/isc/win32/libisc.def.in.
+ debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
operations with isc_refcount reference counting in
bin/named/client.c, bin/named/include/named/interfacemgr.h,
bin/named/interfacemgr.c.
+ debian/libisc1100.symbols: added new symbols.
+ CVE-2018-5743
[Fixed in 1:9.11.5.P4+dfsg-4]
- d/rules: add back EdDSA support (LP #1825712)
[Fixed in 1:9.11.5.P4+dfsg-4]
bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
[ Bernhard Schmidt ]
* AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
[ Ondřej Surý ]
* [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
(Closes: #927932)
* Update symbols file for new symbol in libisc
* Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)
bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
* More fixes to the AppArmor policy for Samba AD DLZ
- allow access to /dev/urandom
- allow locking for dns.keytab
- fix path to smb.conf
bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium
[ Ondřej Surý ]
* Update d/gbp.conf for Debian Buster
[ Bernhard Schmidt ]
* Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
expiring and deleting old DNSSEC keys when being run for the first
time (Closes: #923984)
* Update AppArmor policy for Samba AD DLZ
- Add changed default location for named.conf
- Allow read/mmap on some Samba libraries
Thanks to Steven Monai (Closes: #920530)
[ Andreas Beckmann ]
* bind9.preinst: cope with ancient conffile named.conf.options
(Closes: #905177)
bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high
[ Bernhard Schmidt ]
* New upstream version 9.11.5.P4+dfsg
- CVE-2018-5744: A specially crafted packet can cause named to leak memory
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over
to an unsupported key algorithm when using managed-keys
- CVE-2019-6465: Controls for zone transfers might not be properly applied
to Dynamically Loadable Zones (DLZs) if the zones are writable.
* d/watch: Do not use beta or RC versions
* d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap
symbols
[ Ondřej Surý ]
* Add new upstream GPG signing-key
bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
[ Dominik George ]
* Support dyndb modules with apparmor. (Closes: #900879)
[ Bernhard Schmidt ]
* apparmor-policy: permit locking of the allow-new-zones database
(Closes: #922065)
* apparmor-policy: allow access to Samba DLZ files (Closes: #920530)
-- Andreas Hasenack <email address hidden> Thu, 02 May 2019 13:35:59 -0300
-
bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
* d/rules: add back EdDSA support (LP: #1825712)
-- Andreas Hasenack <email address hidden> Fri, 26 Apr 2019 14:04:37 +0000
-
bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
* SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
- debian/patches/CVE-2018-5743.patch: add reference counting in
bin/named/client.c, bin/named/include/named/client.h,
bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
lib/isc/include/isc/quota.h, lib/isc/quota.c,
lib/isc/win32/libisc.def.in.
- debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
operations with isc_refcount reference counting in
bin/named/client.c, bin/named/include/named/interfacemgr.h,
bin/named/interfacemgr.c.
- debian/libisc1100.symbols: added new symbols.
- CVE-2018-5743
-- Marc Deslauriers <email address hidden> Wed, 24 Apr 2019 05:00:07 -0400
-
bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
* SECURITY UPDATE: memory leak via specially crafted packet
- debian/patches/CVE-2018-5744.patch: silently drop additional keytag
options in bin/named/client.c.
- CVE-2018-5744
* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- debian/patches/CVE-2018-5745.patch: properly handle situations when
the key tag cannot be computed in lib/dns/include/dst/dst.h,
lib/dns/zone.c.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
the zone table as a DLZ zone bin/named/xfrout.c.
- CVE-2019-6465
-- Marc Deslauriers <email address hidden> Fri, 22 Feb 2019 10:52:30 +0100