[ubuntu/groovy-proposed] bind9 1:9.16.2-3ubuntu1 (Accepted)
Andreas Hasenack
andreas at canonical.com
Fri May 22 14:41:14 UTC 2020
bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP #1864761
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
- SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
+ debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
+ CVE-2020-8616
- SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
+ debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
+ CVE-2020-8617
* Dropped:
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
[In 1:9.16.1-2]
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
[In 1:9.16.1-2]
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
[In 1:9.16.1-2]
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
[In 1:9.16.1-2]
- d/rules: fix typo in the apparmor profile installation
[In 1:9.16.1-2]
- d/control: create transitional packages for dnsutils, bind9utils
[In 1:9.16.1-2]
- d/p/fix-rebinding-protection.patch: fix rebinding protection bug
when using forwarder setups (LP #1873046)
[Fixed upstream]
bind9 (1:9.16.2-3) unstable; urgency=medium
[ Simon Deziel ]
* apparmor: use profile name specifier
bind9 (1:9.16.2-2) unstable; urgency=medium
* Update gbp.conf to debian/master and upstream/latest
* Reintroduce the bind9-dev package (Closes: #954906)
bind9 (1:9.16.2-1) unstable; urgency=medium
* Update d/copyright (Closes: #947978)
* New upstream version 9.16.2 (Closes: #952946, #954919)
bind9 (1:9.16.1-2) unstable; urgency=medium
[ Andreas Hasenack ]
* Bring back the DEP8 test from sid
* Use iproute2 instead of net-tools
* d/control: drop hardcoded python3 dependency
[ Bernhard Schmidt ]
* Fix apparmor profile name.
Thanks to Andreas Hasenack
* Enable readline support
[ Andreas Hasenack ]
* Update apparmor profile with what is in sid
* Create the missing transitional packages for dnsutils, bind9utils
* There is a licensing conflict with adding libreadline and we should
use libedit-dev instead.
[ Ondřej Surý ]
* Add Breaks: freeipa, so the package doesn't migrate to testing before freeipa is fixed
bind9 (1:9.16.1-1) experimental; urgency=medium
* New upstream version 9.16.1
Date: Fri, 22 May 2020 09:52:13 -0300
Changed-By: Andreas Hasenack <andreas at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.16.2-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 May 2020 09:52:13 -0300
Source: bind9
Architecture: source
Version: 1:9.16.2-3ubuntu1
Distribution: groovy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Andreas Hasenack <andreas at canonical.com>
Closes: 928398 947978 952946 954906 954919
Changes:
bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
.
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP #1864761
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
- SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
+ debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
+ CVE-2020-8616
- SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
+ debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
+ CVE-2020-8617
* Dropped:
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
[In 1:9.16.1-2]
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
[In 1:9.16.1-2]
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
[In 1:9.16.1-2]
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
[In 1:9.16.1-2]
- d/rules: fix typo in the apparmor profile installation
[In 1:9.16.1-2]
- d/control: create transitional packages for dnsutils, bind9utils
[In 1:9.16.1-2]
- d/p/fix-rebinding-protection.patch: fix rebinding protection bug
when using forwarder setups (LP #1873046)
[Fixed upstream]
.
bind9 (1:9.16.2-3) unstable; urgency=medium
.
[ Simon Deziel ]
* apparmor: use profile name specifier
.
bind9 (1:9.16.2-2) unstable; urgency=medium
.
* Update gbp.conf to debian/master and upstream/latest
* Reintroduce the bind9-dev package (Closes: #954906)
.
bind9 (1:9.16.2-1) unstable; urgency=medium
.
* Update d/copyright (Closes: #947978)
* New upstream version 9.16.2 (Closes: #952946, #954919)
.
bind9 (1:9.16.1-2) unstable; urgency=medium
.
[ Andreas Hasenack ]
* Bring back the DEP8 test from sid
* Use iproute2 instead of net-tools
* d/control: drop hardcoded python3 dependency
.
[ Bernhard Schmidt ]
* Fix apparmor profile name.
Thanks to Andreas Hasenack
* Enable readline support
.
[ Andreas Hasenack ]
* Update apparmor profile with what is in sid
* Create the missing transitional packages for dnsutils, bind9utils
* There is a licensing conflict with adding libreadline and we should
use libedit-dev instead.
.
[ Ondřej Surý ]
* Add Breaks: freeipa, so the package doesn't migrate to testing before freeipa is fixed
.
bind9 (1:9.16.1-1) experimental; urgency=medium
.
* New upstream version 9.16.1
Checksums-Sha1:
116a5a76ef26b41572cf8524478c9b583ebe8fdb 2778 bind9_9.16.2-3ubuntu1.dsc
985a6ac0ef8242bfb5e3d11794b612d910f860ac 4559216 bind9_9.16.2.orig.tar.xz
33ba542ac7f7f8a8d8e05fc29032fa04a86d72dd 69456 bind9_9.16.2-3ubuntu1.debian.tar.xz
06d6332d469bb8fe8cd613684f6cab5369d3c447 7697 bind9_9.16.2-3ubuntu1_source.buildinfo
Checksums-Sha256:
0b17dad47962687444ba256370c54b0766f6140fa8b3dfe7567ca784dbd3b1c2 2778 bind9_9.16.2-3ubuntu1.dsc
d9e5b77cfca5ccad97f19cddc87128758ec15c16e6585000c6b2f84fc225993f 4559216 bind9_9.16.2.orig.tar.xz
53feed1e52454b63eda3191595ed8a5e7aa421a406fcfb2b2b5b410ef7970178 69456 bind9_9.16.2-3ubuntu1.debian.tar.xz
160b03173b91b153e6a74cf71c0a47cda15a9419f7a32ee18410cadf258e8718 7697 bind9_9.16.2-3ubuntu1_source.buildinfo
Files:
5be68c41f7a72367e2a487b8c56e21fc 2778 net optional bind9_9.16.2-3ubuntu1.dsc
2f65f53ad0eab3701138332282b9b526 4559216 net optional bind9_9.16.2.orig.tar.xz
0bf9125fcda0584d355d64dd277f30f0 69456 net optional bind9_9.16.2-3ubuntu1.debian.tar.xz
fab39e5eab566a4eb49b654f2b2d09b7 7697 net optional bind9_9.16.2-3ubuntu1_source.buildinfo
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEiGZB1jWM2kalbBxyrJg+tb9ry6kFAl7H5BUACgkQrJg+tb9r
y6nxBQ//eAuTPDXsh+EkLatL5btMTh/TSkasmqPx9kmtZhgWOnsbQ2x3qbYeBhxF
ZUTXJri7GcpItW7WGp4BckOzdDa5JUwW88dIWxuMlDzS0VeSuJRBwf85Vrv6LvV8
oeaa7T2YszYNDz8DtvWZkjKQqF82x9vLjWtw/uoptES2QAPA+hYqCHRUMnx3zBRj
6manE0rDHo7ae2Y6ht09RdXdKwm3Dib/0LtPG5oreOZo8iJLeFs9fukGmZ4QiQWf
9lh4FFuBuuwBCscV3tH0gcYUcLIecxwAg7+qLVIPdvgNYRfpt4bvYR22KuDC3YwY
Glp9KwTA8/EHSOXx/ORDUVUGlBVg2TYnKm1ZYc5pr5d4H1xjT3DXOwUx9QevgZw1
y/eDbi0vKzOXJ6IJzlM8ft5kNIbDjRWK95X8s4nibTUyFXDkYU1faAKA8wxOjF5w
KLcnmLDRDUTtJXGCS+599Xn8/1q16G9K/2VLkuzyUU07Q4tGt4bvgCg0PhUCEp+L
gB8VvdRHrviSSP1zXAG6Sy2Hws66T1EmWe9+uzDNjVck4vdO6SMZa8+S2S6wUTi7
DTao24/8MFh3fMF9cDnEHZ58Palwiip7S3b8y90Uuvwd+UQZBewCscE8aCGaRY5Y
sjnBPpOA2pv6FD2wE6DOF0Jd7Wppcr79AcJtAJRDOV9ctQ3074M=
=5Y28
-----END PGP SIGNATURE-----
More information about the Groovy-changes
mailing list