Public bug reported:
Scheduled-For: 22.12
Upstream: 9.16.21
Debian: 1:9.16.15-1
Ubuntu: 1:9.16.15-1ubuntu1
Debian typically updates bind9 every 1 months on average, but it was
last updated 21.04 and looks overdue. Check back in on this monthly.
### New Debian Changes ###
bind9
bind9 (1:9.16.15-1) unstable; urgency=high
* New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
+ CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
assertion failure in ``named``, causing it to quit abnormally.
+ CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
ANSWER section during DNAME chasing turned out to be the final
answer to a client query.
+ CVE-2021-25216: When a server's configuration set the
``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
specially crafted GSS-TSIG query could cause a buffer overflow in
the ISC implementation of SPNEGO (a protocol enabling negotiation of
the security mechanism used for GSSAPI authentication).
* Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
-- Ondřej Surý <[email protected]> Thu, 29 Apr 2021 09:11:32 +0200
bind9 (1:9.16.13-1) unstable; urgency=medium
* New upstream version 9.16.13
* Add upstream patches to fix TCP timeouts firing too early
-- Ondřej Surý <[email protected]> Thu, 18 Mar 2021 14:23:49 +0100
bind9 (1:9.16.12-3) unstable; urgency=medium
* Add most important patches from upcoming 9.16.13 release
-- Ondřej Surý <[email protected]> Fri, 12 Mar 2021 09:59:49 +0100
bind9 (1:9.16.12-2) unstable; urgency=medium
* Add patch to fix sphinx-build failure on Ubuntu Xenial
-- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 12:26:09 +0100
bind9 (1:9.16.12-1) unstable; urgency=high
* New upstream version 9.16.12
+ [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
(Closes: #983004)
* Adjust the bind9-libs and bind9-dev packages for new upstream library
names
-- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 08:13:58 +0100
bind9 (1:9.16.11-3) unstable; urgency=medium
* Split the simple validation test to separate file and mark it as flaky
(Closes: #976045)
-- Ondřej Surý <[email protected]> Sun, 14 Feb 2021 20:04:39 +0100
bind9 (1:9.16.11-2) unstable; urgency=medium
* Cherry-pick upstream commit to fix segfault with named ACLs used in
allow-update (Closes: #980786)
-- Bernhard Schmidt <[email protected]> Fri, 29 Jan 2021 08:27:31 +0100
bind9 (1:9.16.11-1) unstable; urgency=medium
* Add the ISC code-signing key for 2021-2022
* New upstream version 9.16.11
-- Ondřej Surý <[email protected]> Thu, 21 Jan 2021 09:58:33 +0100
bind9 (1:9.16.10-1) unstable; urgency=medium
* New upstream version 9.16.10
-- Ondřej Surý <[email protected]> Wed, 16 Dec 2020 22:22:25 +0100
bind9 (1:9.16.9-1) unstable; urgency=medium
* New upstream version 9.16.9
-- Ondřej Surý <[email protected]> Thu, 26 Nov 2020 12:52:28 +0100
bind9 (1:9.16.8-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.16.8
[ Bernhard Schmidt ]
* d/t/control:
- tag autopkgtest with needs-internet (Closes: #973955)
- depend on bind9-dnsutils insead of the transitional dnsutils
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Bernhard Schmidt <[email protected]> Mon, 09 Nov 2020 23:03:53 +0100
bind9 (1:9.16.7-1) unstable; urgency=medium
* New upstream version 9.16.7
-- Ondřej Surý <[email protected]> Thu, 17 Sep 2020 10:36:51 +0200
bind9 (1:9.16.6-3) unstable; urgency=medium
### Old Ubuntu Delta ###
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: buil-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
* Drop changes:
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
[Fixed in 1:9.16.11-3]
- SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
+ debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
+ CVE-2020-8625
[Fixed in 1:9.16.12-1]
- SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
+ debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
+ CVE-2021-25214
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: assert via answering certain queries for DNAME records
+ debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
+ CVE-2021-25215
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
+ debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
+ CVE-2021-25216
[Fixed in 1:9.16.15-1]
-- Athos Ribeiro <[email protected]> Mon, 12 Jul 2021
20:26:40 -0300
** Affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Tags: needs-merge
** Tags added: needs-merge
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946273
Title:
Merge bind9 from Debian unstable for 22.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1946273/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
