Change logs for bind9 source package in Xenial

  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.19) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
        - debian/patches/CVE-2021-25214.patch: immediately reject the entire
          transfer for certain RR in lib/dns/xfrin.c.
        - CVE-2021-25214
      * SECURITY UPDATE: assert via answering certain queries for DNAME records
        - debian/patches/CVE-2021-25215.patch: fix assert checks in
          lib/ns/query.c.
        - CVE-2021-25215
      * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
        - debian/rules: build with --disable-isc-spnego to disable internal
          SPNEGO and use the one from the kerberos libraries.
        - CVE-2021-25216
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:18:12 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.18) xenial-security; urgency=medium
    
      * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
        - debian/patches/CVE-2020-8625.patch: properly calculate length in
          lib/dns/spnego.c.
        - CVE-2020-8625
    
     -- Marc Deslauriers <email address hidden>  Mon, 15 Feb 2021 08:09:41 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.17) xenial-security; urgency=medium
    
      * SECURITY UPDATE: A truncated TSIG response can lead to an assertion
        failure
        - debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c.
        - CVE-2020-8622
      * SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely
        triggerable assertion failure
        - debian/patches/CVE-2020-8623.patch: add extra checks in
          lib/dns/pkcs11dh_link.c, lib/dns/pkcs11dsa_link.c,
          lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h,
          lib/isc/pk11.c.
        - CVE-2020-8623
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Aug 2020 08:18:25 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.16) xenial-security; urgency=medium
    
      * SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
        performed when processing referrals
        - debian/patches/CVE-2020-8616.patch: further limit the number of
          queries that can be triggered from a request in lib/dns/adb.c,
          lib/dns/include/dns/adb.h, lib/dns/resolver.c.
        - CVE-2020-8616
      * SECURITY UPDATE: A logic error in code which checks TSIG validity can
        be used to trigger an assertion failure in tsig.c
        - debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
          BADTIME response in lib/dns/tsig.c.
        - CVE-2020-8617
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 May 2020 08:23:59 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.15) xenial; urgency=medium
    
      * d/p/ubuntu//lp-1833400*: fix race on shutdown (LP: #1833400)
      * d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
        close to a query timeout (LP: #1797926)
    
     -- Christian Ehrhardt <email address hidden>  Mon, 05 Aug 2019 07:30:49 +0200
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.14) xenial-security; urgency=medium
    
      * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
        - debian/patches/CVE-2018-5743.patch: add reference counting in
          bin/named/client.c, bin/named/include/named/client.h,
          bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
          lib/isc/include/isc/quota.h, lib/isc/quota.c,
          lib/isc/win32/libisc.def.in.
        - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
          operations with isc_refcount reference counting in
          bin/named/client.c, bin/named/include/named/interfacemgr.h,
          bin/named/interfacemgr.c.
        - CVE-2018-5743
    
     -- Marc Deslauriers <email address hidden>  Wed, 24 Apr 2019 06:17:28 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.12) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
        unsupported key algorithm when using managed-keys
        - debian/patches/CVE-2018-5745-pre.patch: enhance rfc 5011 logging in
          lib/dns/zone.c.
        - debian/patches/CVE-2018-5745.patch: properly handle situations when
          the key tag cannot be computed in lib/dns/include/dst/dst.h,
          lib/dns/zone.c.
        - CVE-2018-5745
      * SECURITY UPDATE: Controls for zone transfers may not be properly
        applied to Dynamically Loadable Zones (DLZs) if the zones are writable
        - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
          the zone table as a DLZ zone in bin/named/xfrout.c.
        - CVE-2019-6465
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Feb 2019 10:07:28 +0100
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.11) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service crash when deny-answer-aliases
        option is used
        - debian/patches/CVE-2018-5740.patch: explicit DNAME query could
          trigger a crash if deny-answer-aliases was set
        - CVE-2018-5740
    
     -- Marc Deslauriers <email address hidden>  Wed, 19 Sep 2018 14:18:30 +0200
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.10) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure via improper cleanup
        - debian/patches/CVE-2017-3145.patch: fix cleanup handling in
          lib/dns/resolver.c.
        - CVE-2017-3145
    
     -- Marc Deslauriers <email address hidden>  Tue, 16 Jan 2018 07:27:16 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.9) xenial; urgency=medium
    
      * d/bind9.service: source the defaults file and start the daemon with the
        options set there (LP: #1565060).
    
     -- Andreas Hasenack <email address hidden>  Mon, 06 Nov 2017 17:26:27 -0200
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium
    
      * SECURITY REGRESSION: regression in last security update
        - debian/patches/CVE-2017-3142-regression.patch: fix verification of
          TSIG signed TCP message sequences where not all the messages contain
          TSIG records in lib/dns/tsig.c, added test to
          lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
      * debian/patches/update_keys.patch: Update the built in managed keys to
        include the upcoming root KSK in bind.keys, bind.keys.h.
    
     -- Marc Deslauriers <email address hidden>  Fri, 15 Sep 2017 07:50:24 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: TSIG authentication issues
        - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
          lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
        - CVE-2017-3142
        - CVE-2017-3143
    
     -- Marc Deslauriers <email address hidden>  Thu, 29 Jun 2017 07:51:25 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service due to an error handling
        synthesized records when using DNS64 with "break-dnssec yes;"
        - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
          called.
        - CVE-2017-3136
      * SECURITY UPDATE: Denial of Service due to resolver terminating when
        processing a response packet containing a CNAME or DNAME
        - debian/patches/CVE-2017-3137.patch: don't expect a specific
          ordering of answer components; add testcases.
        - CVE-2017-3137
      * SECURITY UPDATE: Denial of Service when receiving a null command on
        the control channel
        - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
          command token is given; add testcase.
        - CVE-2017-3138
    
     -- Steve Beattie <email address hidden>  Wed, 12 Apr 2017 00:57:50 -0700
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
        a NULL pointer
        - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
          combination in bin/named/query.c, lib/dns/message.c,
          lib/dns/rdataset.c.
        - CVE-2017-3135
      * SECURITY UPDATE: regression in CVE-2016-8864
        - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
          was still being cached when it should have been in lib/dns/resolver.c,
          added tests to bin/tests/system/dname/ans3/ans.pl,
          bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2017 10:29:00 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: assertion failure via class mismatch
        - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
          records in lib/dns/resolver.c.
        - CVE-2016-9131
      * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
        - debian/patches/CVE-2016-9147.patch: fix logic when records are
          returned without the requested data in lib/dns/resolver.c.
        - CVE-2016-9147
      * SECURITY UPDATE: assertion failure via unusually-formed DS record
        - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
          lib/dns/message.c, lib/dns/resolver.c.
        - CVE-2016-9444
      * SECURITY UPDATE: regression in CVE-2016-8864
        - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
          responses in lib/dns/resolver.c, added tests to
          bin/tests/system/dname/ns2/example.db,
          bin/tests/system/dname/tests.sh.
        - No CVE number
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 Jan 2017 08:50:20 -0500
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.3) xenial; urgency=medium
    
      * Add RemainAfterExit to bind9-resolvconf unit configuration file
        (LP: #1536181).
    
     -- Nishanth Aravamudan <email address hidden>  Tue, 15 Nov 2016 08:30:31 -0800
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via responses containing a DNAME
        answer
        - debian/patches/CVE-2016-8864.patch: remove assertion failure in
          lib/dns/resolver.c.
        - CVE-2016-8864
    
     -- Marc Deslauriers <email address hidden>  Mon, 31 Oct 2016 08:56:39 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via assertion failure
        - debian/patches/CVE-2016-2776.patch: properly handle lengths in
          lib/dns/message.c.
        - CVE-2016-2776
    
     -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2016 14:15:52 -0400
  • bind9 (1:9.10.3.dfsg.P4-8ubuntu1) xenial-proposed; urgency=medium
    
      * Fix bad patch from when we switched to quilt.  Closes: #820847  LP:
        #1552801, #1549788, #1553460
    
     -- LaMont Jones <email address hidden>  Tue, 26 Apr 2016 16:30:06 -0600
  • bind9 (1:9.10.3.dfsg.P4-8) unstable; urgency=medium
    
      [Timo Aaltonen]
    
      * Fix bind9-resolvconf.service installation.
      * Add support for native pkcs11.  LP: #1565392
    
      [Samuel Thibault]
    
      * Detect in6_pktinfo on hurd-i386.  Closes: #820404
    
     -- LaMont Jones <email address hidden>  Wed, 13 Apr 2016 13:19:37 -0600
  • bind9 (1:9.10.3.dfsg.P4-5) experimental; urgency=medium
    
      * Drop dead code in bind9.preinst.
      * move from /var/run to /run for policy.
    
     -- LaMont Jones <email address hidden>  Sat, 19 Mar 2016 19:52:04 -0600
  • bind9 (1:9.10.3.dfsg.P4-4) experimental; urgency=medium
    
      * use multiarch path in udebs
      * Updated root cache file.  Closes: #806954
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 20:50:49 -0600
  • bind9 (1:9.10.3.dfsg.P4-3) experimental; urgency=medium
    
      * Fix vcs links
      * build in debian/tmp, use bind9.install
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 14:46:30 -0600
  • bind9 (1:9.10.3.dfsg.P4-2) experimental; urgency=medium
    
      * updated precise_time patch
      * add RT#s to some patches
      * Merge ubuntu changes
      * Fix debian/rules to properly remove files from bind9 that are delivered
        elsewhere.  LP: #1559090
    
     -- LaMont Jones <email address hidden>  Fri, 18 Mar 2016 10:58:07 -0600
  • bind9 (1:9.10.3.dfsg.P4-1ubuntu2) xenial; urgency=medium
    
      * Bump debhelper to v9 to use dh-exec.
      * libbind-export-dev: Fix the libbind.so symlink.
      * Move static libs to the multiarch libdir again.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Mar 2016 13:30:03 +0100
  • bind9 (1:9.10.3.dfsg.P4-1ubuntu1) xenial; urgency=medium
    
      * Fix udeb dependencies.
    
     -- Matthias Klose <email address hidden>  Fri, 18 Mar 2016 12:47:02 +0100
  • bind9 (1:9.10.3.dfsg.P4-1) experimental; urgency=medium
    
      [ ISC ]
      * New upstream: 9.10.3-P3
        - Specific APL data could trigger an INSIST.  (CVE-2015-8704) [RT #41396]
        - render_ecs errors were mishandled when printing out an OPT record
          resulting in an assertion failure.  (CVE-2015-8705) [RT #41397]
        - Fixed a regression in resolver.c:possibly_mark() which caused
          known-bogus servers to be queried anyway. [RT #41321]
      * New upstream: 9.10.3-P4
        - Malformed control messages can trigger assertions in named and rndc.
          (CVE-2016-1285) [RT #41666]
        - Fix resolver assertion failure due to improper DNAME handling when
          parsing fetch reply messages. (CVE-2016-1286) [RT #41753]
        - Duplicate EDNS COOKIE options in a response could trigger an
          assertion failure. (CVE-2016-2088) [RT #41809]
    
      [LaMont Jones]
    
      * Do not build -export libs for libbind90 and liblwres.  Relates in part
        to, and is the last fix to LP: #1551351
      * update patches for 9.10.3.dfsg.P4.  Drop 50_CVE_2015-8704.diff
    
      [ Stefan Bader ]
    
      * Do not modify signal handlers for external apps. LP: #1556175
    
     -- LaMont Jones <email address hidden>  Thu, 17 Mar 2016 14:53:36 -0600
  • bind9 (1:9.10.3.dfsg.P2-5) experimental; urgency=medium
    
      [Timo Aaltonen]
    
      * Sync 30_dynamic_db.diff from Fedora.
      * rules: Backup some files which dh_autoreconf_clean would remove, restore
        on clean.
    
      [Jamie Strandboge]
    
      * apparmor: use @{PROC} instead of /proc, allow read on
        sys.net.ipv4.ip_local_port_range.  LP: #1552441
    
      [LaMont Jones]
    
      * Return nanosecond-precise time for files, so that we more-correctly know
        when we can skip loading a zonefile.  (Bug introduced 9.9.3b2)
    
     -- LaMont Jones <email address hidden>  Thu, 03 Mar 2016 18:17:06 -0700
  • bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium
    
      [Matthias Klose]
    
      * Fix .so symlinks.
      * libbind-dev: Depend on libirs141.
      * For the udeb's, use a separate build with a reduced feature set, drop the
        name difference, and do both builds in a separate directory.
    
      [Filip Pytloun]
    
      * Add apparmor rules needed by freeipa-server.  Closes: #814314
    
      [LaMont Jones]
    
      * Do not deliver libraries (left in /lib) as part of bind9.  LP: #1547052
      * clean up library path for libirs.
    
     -- LaMont Jones <email address hidden>  Fri, 19 Feb 2016 14:26:08 -0700
  • bind9 (1:9.10.3.dfsg.P2-3ubuntu3) xenial; urgency=medium
    
      * For the udeb's, use a separate build with a reduced feature set.
      * Don't call the reduced build "export"; it was used by isc-dhcp as well.
      * Do both builds in a separate builddir.
    
     -- Matthias Klose <email address hidden>  Fri, 19 Feb 2016 15:01:16 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~ubuntu2) xenial; urgency=medium
    
      * libbind-dev: Depend on libirs141.
      * Ship libirs.{a,so} in libbind-dev.
      * Remove obsolete debian/*.dirs files.
    
     -- Matthias Klose <email address hidden>  Fri, 19 Feb 2016 15:01:16 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~ubuntu1) xenial; urgency=medium
    
      * Fix .so symlinks.
    
     -- Matthias Klose <email address hidden>  Thu, 18 Feb 2016 13:55:19 +0100
  • bind9 (1:9.10.3.dfsg.P2-3~build3) xenial; urgency=medium
    
      * xenial copy of Debian upload
    
     -- LaMont Jones <email address hidden>  Wed, 17 Feb 2016 19:06:13 +0000
  • bind9 (1:9.9.5.dfsg-12.1ubuntu1) xenial; urgency=medium
    
      * SECURITY UPDATE: denial of service via string formatting operations
        - lib/dns/rdata/in_1/apl_42.c: use correct length.
        - CVE-2015-8704
    
     -- Marc Deslauriers <email address hidden>  Thu, 28 Jan 2016 08:27:29 -0500
  • bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high
    
      * Non-maintainer upload.
      * Add patch to fix CVE-2015-8000.
        CVE-2015-8000: Insufficient testing when parsing a message allowed
        records with an incorrect class to be accepted, triggering a REQUIRE
        failure when those records were subsequently cached. (Closes: #808081)
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 16 Dec 2015 15:01:39 +0100
  • bind9 (1:9.9.5.dfsg-12) unstable; urgency=high
    
      * Fix CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash.
    
     -- Michael Gilbert <email address hidden>  Thu, 03 Sep 2015 01:16:32 +0000
  • bind9 (1:9.9.5.dfsg-11ubuntu1) wily; urgency=medium
    
      * SECURITY UPDATE: denial of service in DNSSEC-signed record validation
        via malformed keys
        - fix validation in lib/dns/hmac_link.c, lib/dns/include/dst/dst.h,
          lib/dns/ncache.c, lib/dns/openssldh_link.c,
          lib/dns/openssldsa_link.c, lib/dns/opensslecdsa_link.c,
          lib/dns/opensslrsa_link.c, lib/dns/resolver.c.
        - CVE-2015-5722
    
     -- Marc Deslauriers <email address hidden>  Tue, 01 Sep 2015 13:54:11 -0400