[ubuntu/groovy-proposed] bind9 1:9.16.3-1ubuntu1 (Accepted)

Andreas Hasenack andreas at canonical.com
Mon Jun 8 13:24:13 UTC 2020


bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/t/control: change the dep8 test dependency to be on the real
      bind9-dnsutils package, and not the transitional one (LP #1864761)
    - d/rules: change deprecated --with-libjson-c configure argument to
      --with-json-c
  * Dropped:
    - d/control: make bind9-dnsutils multi-arch foreign as another step
      towards fixing LP #1864761
      [The correct fix was to change the dep8 dependency to be on the real
      package, and not the transitional one]
    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
      performed when processing referrals
      + debian/patches/CVE-2020-8616.patch: further limit the number of
        queries that can be triggered from a request in lib/dns/adb.c,
        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
      + CVE-2020-8616
      [Fixed upstream]
    - SECURITY UPDATE: A logic error in code which checks TSIG validity can
      be used to trigger an assertion failure in tsig.c
      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
        BADTIME response in lib/dns/tsig.c.
      + CVE-2020-8617
      [Fixed upstream]

bind9 (1:9.16.3-1) unstable; urgency=medium

  * New upstream version 9.16.3

Date: Tue, 02 Jun 2020 17:37:44 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.16.3-1ubuntu1
Format: 1.8
Source: bind9
Architecture: source
Version: 1:9.16.3-1ubuntu1
Distribution: groovy
Urgency: medium
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>

