[ubuntu/eoan-proposed] bind9 1:9.11.5.P4+dfsg-4ubuntu1 (Accepted)
Andreas Hasenack
andreas at canonical.com
Fri May 3 12:31:18 UTC 2019
bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Build without lmdb support as that package is in Universe
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
      option (LP #1804648)
    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
      close to a query timeout (LP #1797926)
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
  * Dropped:
    - SECURITY UPDATE: memory leak via specially crafted packet
      + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
        options in bin/named/client.c.
      + CVE-2018-5744
      [Fixed upstream in 9.11.5-P2]
    - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
      unsupported key algorithm when using managed-keys
      + debian/patches/CVE-2018-5745.patch: properly handle situations when
        the key tag cannot be computed in lib/dns/include/dst/dst.h,
        lib/dns/zone.c.
      + CVE-2018-5745
      [Fixed upstream in 9.11.5-P2]
    - SECURITY UPDATE: Controls for zone transfers may not be properly
      applied to Dynamically Loadable Zones (DLZs) if the zones are writable
      + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
        the zone table as a DLZ zone bin/named/xfrout.c.
      + CVE-2019-6465
      [Fixed upstream in 9.11.5-P3]
    - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
      + debian/patches/CVE-2018-5743.patch: add reference counting in
        bin/named/client.c, bin/named/include/named/client.h,
        bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
        lib/isc/include/isc/quota.h, lib/isc/quota.c,
        lib/isc/win32/libisc.def.in.
      + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
        operations with isc_refcount reference counting in
        bin/named/client.c, bin/named/include/named/interfacemgr.h,
        bin/named/interfacemgr.c.
      + debian/libisc1100.symbols: added new symbols.
      + CVE-2018-5743
      [Fixed in 1:9.11.5.P4+dfsg-4]
    - d/rules: add back EdDSA support (LP #1825712)
      [Fixed in 1:9.11.5.P4+dfsg-4]

bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium

  [ Bernhard Schmidt ]
  * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)

  [ Ondřej Surý ]
  * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
    (Closes: #927932)
  * Update symbols file for new symbol in libisc
  * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)

bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium

  * More fixes to the AppArmor policy for Samba AD DLZ
    - allow access to /dev/urandom
    - allow locking for dns.keytab
    - fix path to smb.conf

bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium

  [ Ondřej Surý ]
  * Update d/gbp.conf for Debian Buster

  [ Bernhard Schmidt ]
  * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
    expiring and deleting old DNSSEC keys when being run for the first
    time (Closes: #923984)
  * Update AppArmor policy for Samba AD DLZ
    - Add changed default location for named.conf
    - Allow read/mmap on some Samba libraries
    Thanks to Steven Monai (Closes: #920530)

  [ Andreas Beckmann ]
  * bind9.preinst: cope with ancient conffile named.conf.options
    (Closes: #905177)

bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high

  [ Bernhard Schmidt ]
  * New upstream version 9.11.5.P4+dfsg
    - CVE-2018-5744: A specially crafted packet can cause named to leak memory
    - CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over
      to an unsupported key algorithm when using managed-keys
    - CVE-2019-6465: Controls for zone transfers might not be properly applied
      to Dynamically Loadable Zones (DLZs) if the zones are writable.
  * d/watch: Do not use beta or RC versions
  * d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap
    symbols

  [ Ondřej Surý ]
  * Add new upstream GPG signing-key

bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium

  [ Dominik George ]
  * Support dyndb modules with apparmor. (Closes: #900879)

  [ Bernhard Schmidt ]
  * apparmor-policy: permit locking of the allow-new-zones database
    (Closes: #922065)
  * apparmor-policy: allow access to Samba DLZ files (Closes: #920530)

Date: Thu, 02 May 2019 13:35:59 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.11.5.P4+dfsg-4ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 May 2019 13:35:59 -0300
Source: bind9
Architecture: source
Version: 1:9.11.5.P4+dfsg-4ubuntu1
Distribution: eoan
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Closes: 900879 905177 920530 922065 923984 927827 927932 927962
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----