[Bug 1701687] Re: Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1

---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
        was still being cached when it should have been in lib/dns/resolver.c,
        added tests to bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      the control channel
      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
        command token is given; add testcase.
      + CVE-2017-3138
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: TSIG authentication issues
      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
      + CVE-2017-3142
      + CVE-2017-3143
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
    introduced with the CVE-2016-8864.patch and fixed in
    CVE-2016-8864-regression.patch.
  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
    regression (RT #44318) introduced with the CVE-2016-8864.patch
    and fixed in CVE-2016-8864-regression2.patch.
  * d/control, d/rules: add json support for the statistics channels.
    (LP: #1669193)

 -- Andreas Hasenack Fri, 11 Aug 2017 17:12:09 -0300

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2776
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8864
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9131
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9147
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9444
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3042
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3135
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3136
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3137
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3138
** CVE added: https://cve.mitre.or
[Bug 1701687] Re: Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/328944

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1701687

Title:
  Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1701687/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1701687] Re: Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
** Changed in: bind9 (Ubuntu) Status: Triaged => In Progress
[Bug 1701687] Re: Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
** Summary changed: - Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5 + Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5 ** Description changed: - Please sync with debian and merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> - 1:9.10.3.dfsg.P4-12.3 + bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium + + * Non-maintainer upload. + * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG + signed TCP message sequences where not all the messages contain TSIG + records. These may be used in AXFR and IXFR responses. + (Closes: #868952) + + -- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200 + + bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high + + * Non-maintainer upload. + + [ Yves-Alexis Perez ] + * debian/patches: + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone + transfers. An attacker may be able to circumvent TSIG authentication of + AXFR and Notify requests. + CVE-2017-3143: error in TSIG authentication can permit unauthorized + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) + signature for a dynamic update. + (Closes: #866564) + + -- Salvatore Bonaccorso Sun, 16 Jul 2017 22:13:21 +0200 + + bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high + + * Non-maintainer upload. + * Dns64 with "break-dnssec yes;" can result in a assertion failure + (CVE-2017-3136) (Closes: #860224) + * Some chaining (CNAME or DNAME) responses to upstream queries could trigger + assertion failures (CVE-2017-3137) (Closes: #860225) + * 'rndc ""' could trigger a assertion failure in named (CVE-2017-3138) + (Closes: #860226) + + -- Salvatore Bonaccorso Sun, 07 May 2017 15:22:46 +0200 + + bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium + + * Non-maintainer upload. + * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes + hangs and crashes on MIPS. 
(Closes: #778720) + + -- James Cowgill Tue, 18 Apr 2017 16:42:50 +0100 + + bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use /dev/urandom to avoid blocking in the server process. + (closes: #854243) + + -- Bastian Blank Fri, 17 Mar 2017 19:07:16 +0100 + + bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high + + * Merge and accept the non-maintainer upload. + * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540). + * Fix CVE-2017-3135: a malicously crafted query can cause named to crash if + both DNS64 and RPZ are being used (closes: #855520). + + -- Michael Gilbert Sun, 19 Feb 2017 22:39:32 + + + bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium + + * Non-maintainer upload. + * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot. + Patch by Marc Haber (Closes: #820974). + + -- Arturo Borrero Gonzalez Tue, 07 Feb 2017 10:42:00 +0100 + + bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium + + * Fix some lintian warnings. + * Add lsb-base dependency to lwresd (closes: #848519). + * Fix CVE-2016-2775: crash in lwresd due to a long query name + (closes: #831796). + * Fix CVE-2016-2776: maliciously crafted query can cause named to crash + (closes: #839010). + * Fix CVE-2016-8864: incorrect handling of a DNAME record can cause + named to crash (closes: #842858). + * Fix CVE-2016-9131: maliciously crafted response to an ANY query can + cause named to crash (closes: #851065). + * Fix CVE-2016-9147: query with contradictory DNSSEC information can + cause named to crash (closes: #851063). + * Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS) + record can cause named to crash (closes: #851062). + * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now + (closes: #828082). + + [ LaMont Jones ] + * Update VCS fields in control. + * -DDIG_SIGCHASE got dropped by the change in hardening. + + [ Stefan Bader ] + * Use the defaults file in systemd. 
+ + -- Michael Gilbert Thu, 19 Jan 2017 04:03:28 + + + bridge-utils 1.5-9ubuntu2 -> 1.5-14 + + * Last Uploader: Ryan Harper (sponsored by Mathieu Trudel-Lapierre) + + Debian changes newer than ubuntu version: + + bridge-utils (1.5-14) unstable; urgency=low + + * Fix a problem with some vlan interfaces not being created. + + -- Santiago Garcia Mantinan Mon, 26 Jun 2017 17:48:37 +0200 + + bridge-utils (1.5-13) unstable; urgency=low + + * Fix a hardcoded interface name on bridge-utils.sh. Closes: #854841. + + -- Santiago Garcia Mantinan Sat, 11 Feb 2017 00:16:45 +0100 + + bridge-utils (1.5-12) unstable; urgency=medium + + * Add vlan support so that old setups using vlans as ports don't + break. + + -- Santiago Garcia Mantinan Sun, 22 Jan 2017 00:23:50 +0100 + + bridge-utils (1.5-11) unstable