[ubuntu/artful-proposed] bind9 1:9.10.3.dfsg.P4-12.5ubuntu1 (Accepted)
Andreas Hasenack
andreas at canonical.com
Wed Aug 16 00:09:19 UTC 2017
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
        was still being cached when it should have been in lib/dns/resolver.c,
        added tests to bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      the control channel
      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
        command token is given; add testcase.
      + CVE-2017-3138
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: TSIG authentication issues
      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
      + CVE-2017-3142
      + CVE-2017-3143
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
    introduced with the CVE-2016-8864.patch and fixed in
    CVE-2016-8864-regression.patch.
  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
    regression (RT #44318) introduced with the CVE-2016-8864.patch
    and fixed in CVE-2016-8864-regression2.patch.
  * d/control, d/rules: add json support for the statistics channels.
    (LP: #1669193)

Date: Fri, 11 Aug 2017 17:12:09 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Nish Aravamudan <nish.aravamudan at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-12.5ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 11 Aug 2017 17:12:09 -0300
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.5ubuntu1
Distribution: artful
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
host - Transitional package
libbind-dev - Static Libraries and Headers used by BIND
libbind-export-dev - Development files for the exported BIND libraries
libbind9-140 - BIND9 Shared Library used by BIND
libdns-export162 - Exported DNS Shared Library
libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
libdns162 - DNS Shared Library used by BIND
libirs-export141 - Exported IRS Shared Library
libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
libirs141 - DNS Shared Library used by BIND
libisc-export160 - Exported ISC Shared Library
libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
libisc160 - ISC Shared Library used by BIND
libisccc-export140 - Command Channel Library used by BIND
libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
libisccc140 - Command Channel Library used by BIND
libisccfg-export140 - Exported ISC CFG Shared Library
libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
libisccfg140 - Config File Handling Library used by BIND
liblwres141 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Launchpad-Bugs-Fixed: 1669193 1701687
Checksums-Sha1:
6057cd4484ea37b33ecaf4e50abda90f7822c8fc 3543 bind9_9.10.3.dfsg.P4-12.5ubuntu1.dsc
36d20fd54a67b1fbcb65277887bf150070207210 8641072 bind9_9.10.3.dfsg.P4.orig.tar.gz
2c282d5134e1663afaff3ce5b6452cd196b37dc5 89668 bind9_9.10.3.dfsg.P4-12.5ubuntu1.debian.tar.xz
7be72b7eb192139f019ee38d2972f1978aba21cc 6564 bind9_9.10.3.dfsg.P4-12.5ubuntu1_source.buildinfo
Checksums-Sha256:
6e42852d4621fcb4717c4a4e5fef27b36b0c2fde8c449811e92535881ad6c597 3543 bind9_9.10.3.dfsg.P4-12.5ubuntu1.dsc
895077c868d06eea39c1526624f2278a3b51a3358b5aa50f48a0f1c16a7ab6e6 8641072 bind9_9.10.3.dfsg.P4.orig.tar.gz
fc811c7ce7299ce9230ed580ba114b20fd2e2b6eb5ebe932ce660faba45d4ad2 89668 bind9_9.10.3.dfsg.P4-12.5ubuntu1.debian.tar.xz
b896006ef75143e7b2799cda171f41cf2a2026e240a840e1b69be00fbd464308 6564 bind9_9.10.3.dfsg.P4-12.5ubuntu1_source.buildinfo
Files:
9461ba274ffd29fce99a496cb9631a34 3543 net optional bind9_9.10.3.dfsg.P4-12.5ubuntu1.dsc
909aa9f0c48b7c2d0d604ea78d9fc607 8641072 net optional bind9_9.10.3.dfsg.P4.orig.tar.gz
8a3667f425f1075668aaf85531fc6a70 89668 net optional bind9_9.10.3.dfsg.P4-12.5ubuntu1.debian.tar.xz
a6ff1a870597c292d40fc3bf454a24d5 6564 net optional bind9_9.10.3.dfsg.P4-12.5ubuntu1_source.buildinfo
Original-Maintainer: LaMont Jones <lamont at debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----