** Description changed:
- Scheduled-For: 22.12
Upstream: 9.16.21
- Debian: 1:9.16.15-1
+ Debian: 1:9.16.15-1
Ubuntu: 1:9.16.15-1ubuntu1
Debian typically updates bind9 every 1 months on average, but it was
last updated 21.04 and looks overdue. Check back in on this monthly.
No release expected for bind9 this cycle
-
### New Debian Changes ###
bind9 (1:9.16.15-1) unstable; urgency=high
- * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
- + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
- assertion failure in ``named``, causing it to quit abnormally.
- + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
- ANSWER section during DNAME chasing turned out to be the final
- answer to a client query.
- + CVE-2021-25216: When a server's configuration set the
- ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
- specially crafted GSS-TSIG query could cause a buffer overflow in
- the ISC implementation of SPNEGO (a protocol enabling negotiation of
- the security mechanism used for GSSAPI authentication).
- * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
+ * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
+ + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
+ assertion failure in ``named``, causing it to quit abnormally.
+ + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
+ ANSWER section during DNAME chasing turned out to be the final
+ answer to a client query.
+ + CVE-2021-25216: When a server's configuration set the
+ ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
+ specially crafted GSS-TSIG query could cause a buffer overflow in
+ the ISC implementation of SPNEGO (a protocol enabling negotiation of
+ the security mechanism used for GSSAPI authentication).
+ * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
- -- Ondřej Surý <[email protected]> Thu, 29 Apr 2021 09:11:32 +0200
+ -- Ondřej Surý <[email protected]> Thu, 29 Apr 2021 09:11:32 +0200
bind9 (1:9.16.13-1) unstable; urgency=medium
- * New upstream version 9.16.13
- * Add upstream patches to fix TCP timeouts firing too early
+ * New upstream version 9.16.13
+ * Add upstream patches to fix TCP timeouts firing too early
- -- Ondřej Surý <[email protected]> Thu, 18 Mar 2021 14:23:49 +0100
+ -- Ondřej Surý <[email protected]> Thu, 18 Mar 2021 14:23:49 +0100
bind9 (1:9.16.12-3) unstable; urgency=medium
- * Add most important patches from upcoming 9.16.13 release
+ * Add most important patches from upcoming 9.16.13 release
- -- Ondřej Surý <[email protected]> Fri, 12 Mar 2021 09:59:49 +0100
+ -- Ondřej Surý <[email protected]> Fri, 12 Mar 2021 09:59:49 +0100
bind9 (1:9.16.12-2) unstable; urgency=medium
- * Add patch to fix sphinx-build failure on Ubuntu Xenial
+ * Add patch to fix sphinx-build failure on Ubuntu Xenial
- -- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 12:26:09 +0100
+ -- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 12:26:09 +0100
bind9 (1:9.16.12-1) unstable; urgency=high
- * New upstream version 9.16.12
- + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
- (Closes: #983004)
- * Adjust the bind9-libs and bind9-dev packages for new upstream library
- names
+ * New upstream version 9.16.12
+ + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
+ (Closes: #983004)
+ * Adjust the bind9-libs and bind9-dev packages for new upstream library
+ names
- -- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 08:13:58 +0100
+ -- Ondřej Surý <[email protected]> Thu, 18 Feb 2021 08:13:58 +0100
bind9 (1:9.16.11-3) unstable; urgency=medium
- * Split the simple validation test to separate file and mark it as flaky
- (Closes: #976045)
+ * Split the simple validation test to separate file and mark it as flaky
+ (Closes: #976045)
- -- Ondřej Surý <[email protected]> Sun, 14 Feb 2021 20:04:39 +0100
+ -- Ondřej Surý <[email protected]> Sun, 14 Feb 2021 20:04:39 +0100
bind9 (1:9.16.11-2) unstable; urgency=medium
- * Cherry-pick upstream commit to fix segfault with named ACLs used in
- allow-update (Closes: #980786)
+ * Cherry-pick upstream commit to fix segfault with named ACLs used in
+ allow-update (Closes: #980786)
- -- Bernhard Schmidt <[email protected]> Fri, 29 Jan 2021 08:27:31 +0100
+ -- Bernhard Schmidt <[email protected]> Fri, 29 Jan 2021 08:27:31 +0100
bind9 (1:9.16.11-1) unstable; urgency=medium
- * Add the ISC code-signing key for 2021-2022
- * New upstream version 9.16.11
+ * Add the ISC code-signing key for 2021-2022
+ * New upstream version 9.16.11
- -- Ondřej Surý <[email protected]> Thu, 21 Jan 2021 09:58:33 +0100
+ -- Ondřej Surý <[email protected]> Thu, 21 Jan 2021 09:58:33 +0100
bind9 (1:9.16.10-1) unstable; urgency=medium
- * New upstream version 9.16.10
+ * New upstream version 9.16.10
- -- Ondřej Surý <[email protected]> Wed, 16 Dec 2020 22:22:25 +0100
+ -- Ondřej Surý <[email protected]> Wed, 16 Dec 2020 22:22:25 +0100
bind9 (1:9.16.9-1) unstable; urgency=medium
- * New upstream version 9.16.9
+ * New upstream version 9.16.9
- -- Ondřej Surý <[email protected]> Thu, 26 Nov 2020 12:52:28 +0100
+ -- Ondřej Surý <[email protected]> Thu, 26 Nov 2020 12:52:28 +0100
bind9 (1:9.16.8-1) unstable; urgency=medium
- [ Ondřej Surý ]
- * New upstream version 9.16.8
+ [ Ondřej Surý ]
+ * New upstream version 9.16.8
- [ Bernhard Schmidt ]
- * d/t/control:
- - tag autopkgtest with needs-internet (Closes: #973955)
- - depend on bind9-dnsutils insead of the transitional dnsutils
- * d/rules: change deprecated --with-libjson-c configure argument to
- --with-json-c
+ [ Bernhard Schmidt ]
+ * d/t/control:
+ - tag autopkgtest with needs-internet (Closes: #973955)
+ - depend on bind9-dnsutils insead of the transitional dnsutils
+ * d/rules: change deprecated --with-libjson-c configure argument to
+ --with-json-c
- -- Bernhard Schmidt <[email protected]> Mon, 09 Nov 2020 23:03:53 +0100
+ -- Bernhard Schmidt <[email protected]> Mon, 09 Nov 2020 23:03:53 +0100
bind9 (1:9.16.7-1) unstable; urgency=medium
- * New upstream version 9.16.7
+ * New upstream version 9.16.7
- -- Ondřej Surý <[email protected]> Thu, 17 Sep 2020 10:36:51 +0200
+ -- Ondřej Surý <[email protected]> Thu, 17 Sep 2020 10:36:51 +0200
bind9 (1:9.16.6-3) unstable; urgency=medium
-
### Old Ubuntu Delta ###
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium
- * Merge with Debian unstable. Remaining changes:
- - Don't build dnstap as it depends on universe packages:
- + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
- protobuf-c-compiler (universe packages)
- + d/dnsutils.install: don't install dnstap
- + d/libdns1104.symbols: don't include dnstap symbols
- + d/rules: don't build dnstap nor install dnstap.proto
- - Add back apport:
- + d/bind9.apport: add back old bind9 apport hook, but without calling
- attach_conffiles() since that is already done by apport itself, with
- confirmation from the user.
- + d/control, d/rules: buil-depends on dh-apport and use it
- - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- - d/bind9.named.service: use systemd Type=forking to signal daemon init.
- This fixes a regression of #900788 where services whose startup depend
- on name resolutions may fail due to bind9 not being ready (LP #1899902).
- * Drop changes:
- - d/t/simpletest: drop the internetsociety.org test as it requires
- network egress access that is not available in the Ubuntu autopkgtest
- farm.
- [Fixed in 1:9.16.11-3]
- - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- + debian/patches/CVE-2020-8625.patch: properly calculate length in
- lib/dns/spnego.c.
- + CVE-2020-8625
- [Fixed in 1:9.16.12-1]
- - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
- + debian/patches/CVE-2021-25214.patch: immediately reject the entire
- transfer for certain RR in lib/dns/xfrin.c.
- + CVE-2021-25214
- [Fixed in 1:9.16.15-1]
- - SECURITY UPDATE: assert via answering certain queries for DNAME records
- + debian/patches/CVE-2021-25215.patch: fix assert checks in
- lib/ns/query.c.
- + CVE-2021-25215
- [Fixed in 1:9.16.15-1]
- - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
- + debian/rules: build with --disable-isc-spnego to disable internal
- SPNEGO and use the one from the kerberos libraries.
- + CVE-2021-25216
- [Fixed in 1:9.16.15-1]
+ * Merge with Debian unstable. Remaining changes:
+ - Don't build dnstap as it depends on universe packages:
+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+ protobuf-c-compiler (universe packages)
+ + d/dnsutils.install: don't install dnstap
+ + d/libdns1104.symbols: don't include dnstap symbols
+ + d/rules: don't build dnstap nor install dnstap.proto
+ - Add back apport:
+ + d/bind9.apport: add back old bind9 apport hook, but without calling
+ attach_conffiles() since that is already done by apport itself, with
+ confirmation from the user.
+ + d/control, d/rules: buil-depends on dh-apport and use it
+ - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
+ - d/bind9.named.service: use systemd Type=forking to signal daemon init.
+ This fixes a regression of #900788 where services whose startup depend
+ on name resolutions may fail due to bind9 not being ready (LP #1899902).
+ * Drop changes:
+ - d/t/simpletest: drop the internetsociety.org test as it requires
+ network egress access that is not available in the Ubuntu autopkgtest
+ farm.
+ [Fixed in 1:9.16.11-3]
+ - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
+ + debian/patches/CVE-2020-8625.patch: properly calculate length in
+ lib/dns/spnego.c.
+ + CVE-2020-8625
+ [Fixed in 1:9.16.12-1]
+ - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
+ + debian/patches/CVE-2021-25214.patch: immediately reject the entire
+ transfer for certain RR in lib/dns/xfrin.c.
+ + CVE-2021-25214
+ [Fixed in 1:9.16.15-1]
+ - SECURITY UPDATE: assert via answering certain queries for DNAME records
+ + debian/patches/CVE-2021-25215.patch: fix assert checks in
+ lib/ns/query.c.
+ + CVE-2021-25215
+ [Fixed in 1:9.16.15-1]
+ - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
+ + debian/rules: build with --disable-isc-spnego to disable internal
+ SPNEGO and use the one from the kerberos libraries.
+ + CVE-2021-25216
+ [Fixed in 1:9.16.15-1]
- -- Athos Ribeiro <[email protected]> Mon, 12 Jul 2021
+ -- Athos Ribeiro <[email protected]> Mon, 12 Jul 2021
20:26:40 -0300
** Changed in: bind9 (Ubuntu)
Milestone: None => ubuntu-21.12
https://bugs.launchpad.net/bugs/1946833
Title:
Merge bind9 from Debian unstable for 22.04