[ubuntu/impish-proposed] bind9 1:9.16.15-1ubuntu1 (Accepted)

Athos Ribeiro athos.ribeiro at canonical.com
Wed Jul 14 15:10:13 UTC 2021


bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Drop changes:
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
      [Fixed in 1:9.16.11-3]
    - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
      + debian/patches/CVE-2020-8625.patch: properly calculate length in
        lib/dns/spnego.c.
      + CVE-2020-8625
      [Fixed in 1:9.16.12-1]
    - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
      + debian/patches/CVE-2021-25214.patch: immediately reject the entire
        transfer for certain RR in lib/dns/xfrin.c.
      + CVE-2021-25214
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: assert via answering certain queries for DNAME records
      + debian/patches/CVE-2021-25215.patch: fix assert checks in
        lib/ns/query.c.
      + CVE-2021-25215
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
      + debian/rules: build with --disable-isc-spnego to disable internal
        SPNEGO and use the one from the kerberos libraries.
      + CVE-2021-25216
      [Fixed in 1:9.16.15-1]

bind9 (1:9.16.15-1) unstable; urgency=high

  * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
   + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
     assertion failure in ``named``, causing it to quit abnormally.
   + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
     ANSWER section during DNAME chasing turned out to be the final
     answer to a client query.
   + CVE-2021-25216: When a server's configuration set the
    ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
    specially crafted GSS-TSIG query could cause a buffer overflow in
    the ISC implementation of SPNEGO (a protocol enabling negotiation of
    the security mechanism used for GSSAPI authentication).
  * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance

bind9 (1:9.16.13-1) unstable; urgency=medium

  * New upstream version 9.16.13
  * Add upstream patches to fix TCP timeouts firing too early

bind9 (1:9.16.12-3) unstable; urgency=medium

  * Add most important patches from upcoming 9.16.13 release

bind9 (1:9.16.12-2) unstable; urgency=medium

  * Add patch to fix sphinx-build failure on Ubuntu Xenial

bind9 (1:9.16.12-1) unstable; urgency=high

  * New upstream version 9.16.12
   + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
     (Closes: #983004)
  * Adjust the bind9-libs and bind9-dev packages for new upstream library
    names

bind9 (1:9.16.11-3) unstable; urgency=medium

  * Split the simple validation test to separate file and mark it as flaky
    (Closes: #976045)

bind9 (1:9.16.11-2) unstable; urgency=medium

  * Cherry-pick upstream commit to fix segfault with named ACLs used in
    allow-update (Closes: #980786)

bind9 (1:9.16.11-1) unstable; urgency=medium

  * Add the ISC code-signing key for 2021-2022
  * New upstream version 9.16.11

bind9 (1:9.16.10-1) unstable; urgency=medium

  * New upstream version 9.16.10

bind9 (1:9.16.9-1) unstable; urgency=medium

  * New upstream version 9.16.9

Date: Mon, 12 Jul 2021 20:26:40 -0300
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Christian Ehrhardt  <christian.ehrhardt at canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.16.15-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 12 Jul 2021 20:26:40 -0300
Source: bind9
Architecture: source
Version: 1:9.16.15-1ubuntu1
Distribution: impish
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Closes: 976045 980786 983004 987741 987742 987743
Original-Maintainer: Debian DNS Team <team+dns at tracker.debian.org>

