[ubuntu/impish-proposed] bind9 1:9.16.15-1ubuntu1 (Accepted)
Athos Ribeiro
athos.ribeiro at canonical.com
Wed Jul 14 15:10:13 UTC 2021
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Drop changes:
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
      [Fixed in 1:9.16.11-3]
    - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
      + debian/patches/CVE-2020-8625.patch: properly calculate length in
        lib/dns/spnego.c.
      + CVE-2020-8625
      [Fixed in 1:9.16.12-1]
    - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
      + debian/patches/CVE-2021-25214.patch: immediately reject the entire
        transfer for certain RR in lib/dns/xfrin.c.
      + CVE-2021-25214
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: assert via answering certain queries for DNAME records
      + debian/patches/CVE-2021-25215.patch: fix assert checks in
        lib/ns/query.c.
      + CVE-2021-25215
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
      + debian/rules: build with --disable-isc-spnego to disable internal
        SPNEGO and use the one from the kerberos libraries.
      + CVE-2021-25216
      [Fixed in 1:9.16.15-1]

bind9 (1:9.16.15-1) unstable; urgency=high

  * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
    + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
      assertion failure in ``named``, causing it to quit abnormally.
    + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
      ANSWER section during DNAME chasing turned out to be the final
      answer to a client query.
    + CVE-2021-25216: When a server's configuration set the
      ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
      specially crafted GSS-TSIG query could cause a buffer overflow in
      the ISC implementation of SPNEGO (a protocol enabling negotiation of
      the security mechanism used for GSSAPI authentication).
  * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance

bind9 (1:9.16.13-1) unstable; urgency=medium

  * New upstream version 9.16.13
  * Add upstream patches to fix TCP timeouts firing too early

bind9 (1:9.16.12-3) unstable; urgency=medium

  * Add most important patches from upcoming 9.16.13 release

bind9 (1:9.16.12-2) unstable; urgency=medium

  * Add patch to fix sphinx-build failure on Ubuntu Xenial

bind9 (1:9.16.12-1) unstable; urgency=high

  * New upstream version 9.16.12
    + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
      (Closes: #983004)
  * Adjust the bind9-libs and bind9-dev packages for new upstream library
    names

bind9 (1:9.16.11-3) unstable; urgency=medium

  * Split the simple validation test to separate file and mark it as flaky
    (Closes: #976045)

bind9 (1:9.16.11-2) unstable; urgency=medium

  * Cherry-pick upstream commit to fix segfault with named ACLs used in
    allow-update (Closes: #980786)

bind9 (1:9.16.11-1) unstable; urgency=medium

  * Add the ISC code-signing key for 2021-2022
  * New upstream version 9.16.11

bind9 (1:9.16.10-1) unstable; urgency=medium

  * New upstream version 9.16.10

bind9 (1:9.16.9-1) unstable; urgency=medium

  * New upstream version 9.16.9

Date: Mon, 12 Jul 2021 20:26:40 -0300
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.16.15-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 12 Jul 2021 20:26:40 -0300
Source: bind9
Architecture: source
Version: 1:9.16.15-1ubuntu1
Distribution: impish
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Closes: 976045 980786 983004 987741 987742 987743
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>