diff --git a/debian/bind9.install b/debian/bind9.install
index 26d595e..fd7f0f5 100644
--- a/debian/bind9.install
+++ b/debian/bind9.install
@@ -16,7 +16,6 @@ usr/sbin/genrandom
 usr/sbin/isc-hmac-fixup
 usr/sbin/named
 usr/sbin/named-journalprint
-usr/sbin/named-nzd2nzf
 usr/sbin/named-pkcs11
 usr/sbin/nsec3hash
 usr/sbin/tsig-keygen
@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
 usr/share/man/man8/genrandom.8
 usr/share/man/man8/isc-hmac-fixup.8
 usr/share/man/man8/named-journalprint.8
-usr/share/man/man8/named-nzd2nzf.8
 usr/share/man/man8/named.8
 usr/share/man/man8/nsec3hash.8
 usr/share/man/man8/tsig-keygen.8
diff --git a/debian/changelog b/debian/changelog
index caf5655..2492244 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - Build without lmdb support as that package is in Universe
+    - Don't build dnstap as it depends on universe packages:
+      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+        protobuf-c-compiler (universe packages)
+      + d/dnsutils.install: don't install dnstap
+      + d/libdns1104.symbols: don't include dnstap symbols
+      + d/rules: don't build dnstap nor install dnstap.proto
+    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
+      option (LP #1804648)
+    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
+      close to a query timeout (LP #1797926)
+    - d/t/simpletest: drop the internetsociety.org test as it requires
+      network egress access that is not available in the Ubuntu autopkgtest
+      farm.
+    - SECURITY UPDATE: DoS via malformed packets
+      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
+      + CVE-2019-6471
+
+ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Fri, 21 Jun 2019 18:06:22 +0000
+
 bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
 
   * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
@@ -5,6 +28,69 @@ bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 03 May 2019 19:44:57 +0200
 
+bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
+
+  * SECURITY UPDATE: DoS via malformed packets
+    - debian/patches/CVE-2019-6471.patch: fix race condition in
+      lib/dns/dispatch.c.
+    - CVE-2019-6471
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Jun 2019 08:15:00 -0400
+
+bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - Build without lmdb support as that package is in Universe
+    - Don't build dnstap as it depends on universe packages:
+      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+        protobuf-c-compiler (universe packages)
+      + d/dnsutils.install: don't install dnstap
+      + d/libdns1104.symbols: don't include dnstap symbols
+      + d/rules: don't build dnstap nor install dnstap.proto
+    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
+      option (LP #1804648)
+    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
+      close to a query timeout (LP #1797926)
+    - d/t/simpletest: drop the internetsociety.org test as it requires
+      network egress access that is not available in the Ubuntu autopkgtest
+      farm.
+  * Dropped:
+    - SECURITY UPDATE: memory leak via specially crafted packet
+      + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
+        options in bin/named/client.c.
+      + CVE-2018-5744
+      [Fixed upstream in 9.11.5-P2]
+    - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
+      unsupported key algorithm when using managed-keys
+      + debian/patches/CVE-2018-5745.patch: properly handle situations when
+        the key tag cannot be computed in lib/dns/include/dst/dst.h,
+        lib/dns/zone.c.
+      + CVE-2018-5745
+      [Fixed upstream in 9.11.5-P2]
+    - SECURITY UPDATE: Controls for zone transfers may not be properly
+      applied to Dynamically Loadable Zones (DLZs) if the zones are writable
+      + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
+        the zone table as a DLZ zone bin/named/xfrout.c.
+      + CVE-2019-6465
+      [Fixed upstream in 9.11.5-P3]
+    - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
+      + debian/patches/CVE-2018-5743.patch: add reference counting in
+        bin/named/client.c, bin/named/include/named/client.h,
+        bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
+        lib/isc/include/isc/quota.h, lib/isc/quota.c,
+        lib/isc/win32/libisc.def.in.
+      + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
+        operations with isc_refcount reference counting in
+        bin/named/client.c, bin/named/include/named/interfacemgr.h,
+        bin/named/interfacemgr.c.
+      + debian/libisc1100.symbols: added new symbols.
+      + CVE-2018-5743
+      [Fixed in 1:9.11.5.P4+dfsg-4]
+    - d/rules: add back EdDSA support (LP #1825712)
+      [Fixed in 1:9.11.5.P4+dfsg-4]
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 02 May 2019 13:35:59 -0300
+
 bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
 
   [ Bernhard Schmidt ]
@@ -77,12 +163,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
 
  -- Bernhard Schmidt <berni@debian.org>  Tue, 12 Feb 2019 00:34:21 +0100
 
+bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
+
+  * d/rules: add back EdDSA support (LP: #1825712)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Apr 2019 14:04:37 +0000
+
+bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
+
+  * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
+    - debian/patches/CVE-2018-5743.patch: add reference counting in
+      bin/named/client.c, bin/named/include/named/client.h,
+      bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
+      lib/isc/include/isc/quota.h, lib/isc/quota.c,
+      lib/isc/win32/libisc.def.in.
+    - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
+      operations with isc_refcount reference counting in
+      bin/named/client.c, bin/named/include/named/interfacemgr.h,
+      bin/named/interfacemgr.c.
+    - debian/libisc1100.symbols: added new symbols.
+    - CVE-2018-5743
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 24 Apr 2019 05:00:07 -0400
+
+bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
+
+  * SECURITY UPDATE: memory leak via specially crafted packet
+    - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
+      options in bin/named/client.c.
+    - CVE-2018-5744
+  * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
+    unsupported key algorithm when using managed-keys
+    - debian/patches/CVE-2018-5745.patch: properly handle situations when
+      the key tag cannot be computed in lib/dns/include/dst/dst.h,
+      lib/dns/zone.c.
+    - CVE-2018-5745
+  * SECURITY UPDATE: Controls for zone transfers may not be properly
+    applied to Dynamically Loadable Zones (DLZs) if the zones are writable
+    - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
+      the zone table as a DLZ zone bin/named/xfrout.c.
+    - CVE-2019-6465
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 22 Feb 2019 10:52:30 +0100
+
+bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - Build without lmdb support as that package is in Universe
+    - Don't build dnstap as it depends on universe packages:
+      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+        protobuf-c-compiler (universe packages)
+      + d/dnsutils.install: don't install dnstap
+      + d/libdns1104.symbols: don't include dnstap symbols
+      + d/rules: don't build dnstap nor install dnstap.proto
+    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
+      option (LP #1804648)
+    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
+      close to a query timeout (LP #1797926)
+    - d/t/simpletest: drop the internetsociety.org test as it requires
+      network egress access that is not available in the Ubuntu autopkgtest
+      farm.
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Jan 2019 18:59:25 -0200
+
 bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
 
   * New upstream version 9.11.5.P1+dfsg
 
  -- Ondřej Surý <ondrej@debian.org>  Tue, 18 Dec 2018 13:59:25 +0000
 
+bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - Build without lmdb support as that package is in Universe
+    - Don't build dnstap as it depends on universe packages:
+      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+        protobuf-c-compiler (universe packages)
+      + d/dnsutils.install: don't install dnstap
+      + d/libdns1104.symbols: don't include dnstap symbols
+      + d/rules: don't build dnstap nor install dnstap.proto
+  * Dropped:
+    - SECURITY UPDATE: denial of service crash when deny-answer-aliases
+      option is used
+      + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
+        trigger a crash if deny-answer-aliases was set
+      + debian/patches/CVE-2018-5740-2.patch: add tests
+      + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
+        chainingp correctly, add test
+      + CVE-2018-5740
+        [Fixed in new upstream version 9.11.5]
+    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
+      line (Closes: #904983)
+      [Fixed in 1:9.11.4+dfsg-4]
+    - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
+      [Fixed in 1:9.11.4.P1+dfsg-1]
+    - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
+      (it depends on OpenSSL version) (Closes: #897643)
+      [Fixed in 1:9.11.4.P1+dfsg-1]
+  * Added:
+    - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
+      option (LP: #1804648)
+    - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
+      close to a query timeout (LP: #1797926)
+    - d/t/simpletest: drop the internetsociety.org test as it requires
+      network egress access that is not available in the Ubuntu autopkgtest
+      farm.
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 13 Dec 2018 19:40:23 -0200
+
 bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
 
   * Use team+dns@tracker.debian.org as Maintainer address
@@ -144,6 +332,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
 
  -- Bernhard Schmidt <berni@debian.org>  Mon, 30 Jul 2018 16:28:21 +0200
 
+bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
+
+  * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 29 Sep 2018 01:36:45 +0100
+
+bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
+
+  * SECURITY UPDATE: denial of service crash when deny-answer-aliases
+    option is used
+    - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
+      trigger a crash if deny-answer-aliases was set
+    - debian/patches/CVE-2018-5740-2.patch: add tests
+    - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
+      chainingp correctly, add test
+    - CVE-2018-5740
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 20 Sep 2018 11:11:05 +0200
+
+bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
+
+  * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
+    (it depends on OpenSSL version) (Closes: #897643)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 18 Sep 2018 10:39:12 +0200
+
+bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
+
+  * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
+    crashing on startup. (LP: #1769440)
+
+ -- Karl Stenerud <karl.stenerud@canonical.com>  Thu, 30 Aug 2018 07:11:39 -0700
+
+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
+
+  * Merge with Debian unstable. Remaining changes:
+    - Build without lmdb support as that package is in Universe
+  * Added:
+    - Don't build dnstap as it depends on universe packages:
+      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+        protobuf-c-compiler (universe packages)
+      + d/dnsutils.install: don't install dnstap
+      + d/libdns1102.symbols: don't include dnstap symbols
+      + d/rules: don't build dnstap
+    - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
+      line (Closes: #904983)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Mon, 30 Jul 2018 10:56:04 -0300
+
 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
 
   * Enable IDN support for dig+host using libidn2 (Closes: #459010)
@@ -174,6 +411,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
 
  -- Ondřej Surý <ondrej@debian.org>  Sat, 14 Jul 2018 12:27:56 +0000
 
+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
+
+  * Merge with Debian unstable (LP: #1777935). Remaining changes:
+    - Build without lmdb support as that package is in Universe
+  * Drop:
+    - SECURITY UPDATE: improperly permits recursive query service
+      + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
+        in bin/named/server.c.
+      + CVE-2018-5738
+      [Applied in Debian's 1:9.11.3+dfsg-2]
+
+ -- Andreas Hasenack <andreas@canonical.com>  Wed, 20 Jun 2018 17:42:16 -0300
+
 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
 
   * [CVE-2018-5738]: Add upstream fix to close the default open recursion
@@ -182,6 +432,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
 
  -- Ondřej Surý <ondrej@debian.org>  Thu, 14 Jun 2018 13:01:47 +0000
 
+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
+
+  * SECURITY UPDATE: improperly permits recursive query service
+    - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
+      in bin/named/server.c.
+    - CVE-2018-5738
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 11 Jun 2018 09:41:51 -0400
+
+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
+
+  * New upstream release. (LP: #1763572)
+    - fix a crash when configured with ipa-dns-install
+  * Merge from Debian unstable.  Remaining changes:
+    - Build without lmdb support as that package is in Universe
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Fri, 13 Apr 2018 07:40:47 +0300
+
 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
 
   [ Bernhard Schmidt ]
@@ -206,6 +474,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
 
  -- Bernhard Schmidt <berni@debian.org>  Fri, 23 Mar 2018 00:09:58 +0100
 
+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
+
+  * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
+    DNS records in Microsoft AD using GSSAPI.  Thanks to Mark Andrews
+    <marka@isc.org>. (LP: #1755439)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Fri, 16 Mar 2018 09:38:46 -0300
+
+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
+
+  * Fix apparmor profile filename (LP: #1754981)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 15 Mar 2018 10:06:57 -0300
+
+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
+
+  * No change rebuild against openssl1.1.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 12:14:22 +0000
+
+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
+
+  * Build without lmdb support as that package is in Universe (LP: #1746296)
+    - d/control: remove Build-Depends on liblmdb-dev
+    - d/rules: configure --without-lmdb
+    - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
+      lmdb.
+
+ -- Andreas Hasenack <andreas@canonical.com>  Tue, 30 Jan 2018 15:21:23 -0200
+
+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
+
+  * Merge with Debian unstable (LP: #1744930).
+  * Drop:
+    - Add RemainAfterExit to bind9-resolvconf unit configuration file
+      (LP #1536181).
+      [fixed in 1:9.10.6+dfsg-4]
+    - rules: Fix path to libsofthsm2.so. (LP #1685780)
+      [adopted in 1:9.10.6+dfsg-5]
+    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
+      introduced with the CVE-2016-8864.patch and fixed in
+      CVE-2016-8864-regression.patch.
+      [applied upstream]
+    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
+      regression (RT #44318) introduced with the CVE-2016-8864.patch
+      and fixed in CVE-2016-8864-regression2.patch.
+      [applied upstream]
+    - d/control, d/rules: add json support for the statistics channels.
+      (LP #1669193)
+      [adopted in 1:9.10.6+dfsg-5]
+  * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
+    listing the python ply module as a dependency (Closes: #888463)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Fri, 26 Jan 2018 11:20:33 -0200
+
 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
 
   * New upstream version 9.11.2-P1
@@ -381,6 +704,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
 
  -- Ondřej Surý <ondrej@debian.org>  Fri, 06 Oct 2017 06:18:21 +0000
 
+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
+
+  * Merge with Debian unstable (LP: #1712920). Remaining changes:
+    - Add RemainAfterExit to bind9-resolvconf unit configuration file
+      (LP #1536181).
+    - rules: Fix path to libsofthsm2.so. (LP #1685780)
+    - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
+      introduced with the CVE-2016-8864.patch and fixed in
+      CVE-2016-8864-regression.patch.
+    - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
+      regression (RT #44318) introduced with the CVE-2016-8864.patch
+      and fixed in CVE-2016-8864-regression2.patch.
+    - d/control, d/rules: add json support for the statistics channels.
+      (LP #1669193)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Thu, 24 Aug 2017 18:28:00 -0300
+
+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
+
+ -- Bernhard Schmidt <berni@debian.org>  Fri, 11 Aug 2017 19:10:07 +0200
+
+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
+
+  * Merge with Debian unstable (LP: #1701687). Remaining changes:
+    - Add RemainAfterExit to bind9-resolvconf unit configuration file
+      (LP #1536181).
+    - rules: Fix path to libsofthsm2.so. (LP #1685780)
+  * Drop:
+    - SECURITY UPDATE: denial of service via assertion failure
+      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
+        lib/dns/message.c.
+      + CVE-2016-2776
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
+    - SECURITY UPDATE: assertion failure via class mismatch
+      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
+        records in lib/dns/resolver.c.
+      + CVE-2016-9131
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
+    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
+      + debian/patches/CVE-2016-9147.patch: fix logic when records are
+        returned without the requested data in lib/dns/resolver.c.
+      + CVE-2016-9147
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
+    - SECURITY UPDATE: assertion failure via unusually-formed DS record
+      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
+        lib/dns/message.c, lib/dns/resolver.c.
+      + CVE-2016-9444
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
+    - SECURITY UPDATE: regression in CVE-2016-8864
+      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
+        responses in lib/dns/resolver.c, added tests to
+        bin/tests/system/dname/ns2/example.db,
+        bin/tests/system/dname/tests.sh.
+      + No CVE number
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
+    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
+      a NULL pointer
+      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
+        combination in bin/named/query.c, lib/dns/message.c,
+        lib/dns/rdataset.c.
+      + CVE-2017-3135
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
+    - SECURITY UPDATE: regression in CVE-2016-8864
+      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
+        was still being cached when it should have been in lib/dns/resolver.c,
+        added tests to bin/tests/system/dname/ans3/ans.pl,
+        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
+      + No CVE number
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
+    - SECURITY UPDATE: Denial of Service due to an error handling
+      synthesized records when using DNS64 with "break-dnssec yes;"
+      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
+        called.
+      + CVE-2017-3136
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
+    - SECURITY UPDATE: Denial of Service due to resolver terminating when
+      processing a response packet containing a CNAME or DNAME
+      + debian/patches/CVE-2017-3137.patch: don't expect a specific
+        ordering of answer components; add testcases.
+      + CVE-2017-3137
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
+    - SECURITY UPDATE: Denial of Service when receiving a null command on
+      the control channel
+      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
+        command token is given; add testcase.
+      + CVE-2017-3138
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
+    - SECURITY UPDATE: TSIG authentication issues
+      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
+        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
+      + CVE-2017-3142
+      + CVE-2017-3143
+      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
+  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
+    introduced with the CVE-2016-8864.patch and fixed in
+    CVE-2016-8864-regression.patch.
+  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
+    regression (RT #44318) introduced with the CVE-2016-8864.patch
+    and fixed in CVE-2016-8864-regression2.patch.
+  * d/control, d/rules: add json support for the statistics channels.
+    (LP: #1669193)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Fri, 11 Aug 2017 17:12:09 -0300
+
+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
+    signed TCP message sequences where not all the messages contain TSIG
+    records. These may be used in AXFR and IXFR responses.
+    (Closes: #868952)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 21 Jul 2017 22:28:32 +0200
+
+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
+
+  * Non-maintainer upload.
+
+  [ Yves-Alexis Perez ]
+  * debian/patches:
+    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
+      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
+      transfers. An attacker may be able to circumvent TSIG authentication of
+      AXFR and Notify requests.
+      CVE-2017-3143: error in TSIG authentication can permit unauthorized
+      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
+      signature for a dynamic update.
+      (Closes: #866564)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 16 Jul 2017 22:13:21 +0200
+
 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
 
   [ Bernhard Schmidt ]
@@ -487,6 +944,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
 
  -- Michael Gilbert <mgilbert@debian.org>  Thu, 19 Jan 2017 04:03:28 +0000
 
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
+
+  * SECURITY UPDATE: TSIG authentication issues
+    - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
+      lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
+    - CVE-2017-3142
+    - CVE-2017-3143
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 03 Jul 2017 09:48:13 -0400
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
+
+  * rules: Fix path to libsofthsm2.so. (LP: #1685780)
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Mon, 24 Apr 2017 15:01:30 +0300
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
+
+  * SECURITY UPDATE: Denial of Service due to an error handling
+    synthesized records when using DNS64 with "break-dnssec yes;"
+    - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
+      called.
+    - CVE-2017-3136
+  * SECURITY UPDATE: Denial of Service due to resolver terminating when
+    processing a response packet containing a CNAME or DNAME
+    - debian/patches/CVE-2017-3137.patch: don't expect a specific
+      ordering of answer components; add testcases.
+    - CVE-2017-3137
+  * SECURITY UPDATE: Denial of Service when receiving a null command on
+    the control channel
+    - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
+      command token is given; add testcase.
+    - CVE-2017-3138
+
+ -- Steve Beattie <sbeattie@ubuntu.com>  Wed, 12 Apr 2017 01:32:15 -0700
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
+
+  * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
+    a NULL pointer
+    - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
+      combination in bin/named/query.c, lib/dns/message.c,
+      lib/dns/rdataset.c.
+    - CVE-2017-3135
+  * SECURITY UPDATE: regression in CVE-2016-8864
+    - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
+      was still being cached when it should have been in lib/dns/resolver.c,
+      added tests to bin/tests/system/dname/ans3/ans.pl,
+      bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
+    - No CVE number
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 15 Feb 2017 09:37:39 -0500
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
+
+  * SECURITY UPDATE: assertion failure via class mismatch
+    - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
+      records in lib/dns/resolver.c.
+    - CVE-2016-9131
+  * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
+    - debian/patches/CVE-2016-9147.patch: fix logic when records are
+      returned without the requested data in lib/dns/resolver.c.
+    - CVE-2016-9147
+  * SECURITY UPDATE: assertion failure via unusually-formed DS record
+    - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
+      lib/dns/message.c, lib/dns/resolver.c.
+    - CVE-2016-9444
+  * SECURITY UPDATE: regression in CVE-2016-8864 
+    - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
+      responses in lib/dns/resolver.c, added tests to
+      bin/tests/system/dname/ns2/example.db,
+      bin/tests/system/dname/tests.sh.
+    - No CVE number
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jan 2017 09:28:10 -0500
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
+
+  * Add RemainAfterExit to bind9-resolvconf unit configuration file
+    (LP: #1536181).
+
+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Tue, 15 Nov 2016 08:24:58 -0800
+
+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
+
+  * SECURITY UPDATE: denial of service via assertion failure
+    - debian/patches/CVE-2016-2776.patch: properly handle lengths in
+      lib/dns/message.c.
+    - CVE-2016-2776
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 04 Oct 2016 14:31:17 -0400
+
 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index 73c2a17..3d7f03d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
 Source: bind9
 Section: net
 Priority: optional
-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
 Uploaders: LaMont Jones <lamont@debian.org>,
            Michael Gilbert <mgilbert@debian.org>,
            Robie Basak <robie.basak@canonical.com>,
@@ -15,18 +16,14 @@ Build-Depends: bison,
                dpkg-dev (>= 1.16.1~),
                libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
                libdb-dev (>>4.6),
-               libfstrm-dev,
                libgeoip-dev (>= 1.4.6.dfsg-5),
                libidn2-dev,
                libjson-c-dev,
                libkrb5-dev,
                libldap2-dev,
-               liblmdb-dev,
-               libprotobuf-c-dev,
                libssl-dev,
                libtool,
                libxml2-dev,
-               protobuf-c-compiler,
                python3,
                python3-distutils,
                python3-ply
diff --git a/debian/dnsutils.install b/debian/dnsutils.install
index 90e4fba..5e6b7d9 100644
--- a/debian/dnsutils.install
+++ b/debian/dnsutils.install
@@ -1,12 +1,10 @@
 usr/bin/delv
 usr/bin/dig
-usr/bin/dnstap-read
 usr/bin/mdig
 usr/bin/nslookup
 usr/bin/nsupdate
 usr/share/man/man1/delv.1
 usr/share/man/man1/dig.1
-usr/share/man/man1/dnstap-read.1
 usr/share/man/man1/mdig.1
 usr/share/man/man1/nslookup.1
 usr/share/man/man1/nsupdate.1
diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
index d7c98d4..7b6020e 100644
--- a/debian/libdns1104.symbols
+++ b/debian/libdns1104.symbols
@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
  dns_dsdigest_format@Base 1:9.11.3+dfsg
  dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
  dns_dsdigest_totext@Base 1:9.11.3+dfsg
- dns_dt_attach@Base 1:9.11.4.P1
- dns_dt_close@Base 1:9.11.4.P1
- dns_dt_create@Base 1:9.11.4.P1
- dns_dt_datatotext@Base 1:9.11.4.P1
- dns_dt_detach@Base 1:9.11.4.P1
- dns_dt_getframe@Base 1:9.11.4.P1
- dns_dt_getstats@Base 1:9.11.4.P1
- dns_dt_open@Base 1:9.11.4.P1
- dns_dt_parse@Base 1:9.11.4.P1
- dns_dt_reopen@Base 1:9.11.4.P1
- dns_dt_send@Base 1:9.11.4.P1
- dns_dt_setidentity@Base 1:9.11.4.P1
- dns_dt_setversion@Base 1:9.11.4.P1
- dns_dt_shutdown@Base 1:9.11.4.P1
- dns_dtdata_free@Base 1:9.11.4.P1
  dns_dumpctx_attach@Base 1:9.11.3+dfsg
  dns_dumpctx_cancel@Base 1:9.11.3+dfsg
  dns_dumpctx_db@Base 1:9.11.3+dfsg
@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
  dns_zt_setviewcommit@Base 1:9.11.3+dfsg
  dns_zt_setviewrevert@Base 1:9.11.3+dfsg
  dns_zt_unmount@Base 1:9.11.3+dfsg
- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
- dnstap__dnstap__init@Base 1:9.11.4.P1
- dnstap__dnstap__pack@Base 1:9.11.4.P1
- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
- dnstap__dnstap__unpack@Base 1:9.11.4.P1
- dnstap__message__descriptor@Base 1:9.11.4.P1
- dnstap__message__free_unpacked@Base 1:9.11.4.P1
- dnstap__message__get_packed_size@Base 1:9.11.4.P1
- dnstap__message__init@Base 1:9.11.4.P1
- dnstap__message__pack@Base 1:9.11.4.P1
- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
- dnstap__message__type__descriptor@Base 1:9.11.4.P1
- dnstap__message__unpack@Base 1:9.11.4.P1
- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
  dst__entropy_getdata@Base 1:9.11.3+dfsg
  dst__entropy_status@Base 1:9.11.3+dfsg
  dst__gssapi_init@Base 1:9.11.3+dfsg
@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
  dns_dsdigest_format@Base 1:9.11.3+dfsg
  dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
  dns_dsdigest_totext@Base 1:9.11.3+dfsg
- dns_dt_attach@Base 1:9.11.4.P1
- dns_dt_close@Base 1:9.11.4.P1
- dns_dt_create@Base 1:9.11.4.P1
- dns_dt_datatotext@Base 1:9.11.4.P1
- dns_dt_detach@Base 1:9.11.4.P1
- dns_dt_getframe@Base 1:9.11.4.P1
- dns_dt_getstats@Base 1:9.11.4.P1
- dns_dt_open@Base 1:9.11.4.P1
- dns_dt_parse@Base 1:9.11.4.P1
- dns_dt_reopen@Base 1:9.11.4.P1
- dns_dt_send@Base 1:9.11.4.P1
- dns_dt_setidentity@Base 1:9.11.4.P1
- dns_dt_setversion@Base 1:9.11.4.P1
- dns_dt_shutdown@Base 1:9.11.4.P1
- dns_dtdata_free@Base 1:9.11.4.P1
  dns_dumpctx_attach@Base 1:9.11.3+dfsg
  dns_dumpctx_cancel@Base 1:9.11.3+dfsg
  dns_dumpctx_db@Base 1:9.11.3+dfsg
@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
  dns_zt_setviewcommit@Base 1:9.11.3+dfsg
  dns_zt_setviewrevert@Base 1:9.11.3+dfsg
  dns_zt_unmount@Base 1:9.11.3+dfsg
- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
- dnstap__dnstap__init@Base 1:9.11.4.P1
- dnstap__dnstap__pack@Base 1:9.11.4.P1
- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
- dnstap__dnstap__unpack@Base 1:9.11.4.P1
- dnstap__message__descriptor@Base 1:9.11.4.P1
- dnstap__message__free_unpacked@Base 1:9.11.4.P1
- dnstap__message__get_packed_size@Base 1:9.11.4.P1
- dnstap__message__init@Base 1:9.11.4.P1
- dnstap__message__pack@Base 1:9.11.4.P1
- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
- dnstap__message__type__descriptor@Base 1:9.11.4.P1
- dnstap__message__unpack@Base 1:9.11.4.P1
- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
  dst__entropy_getdata@Base 1:9.11.3+dfsg
  dst__entropy_status@Base 1:9.11.3+dfsg
  dst__gssapi_init@Base 1:9.11.3+dfsg
diff --git a/debian/patches/CVE-2019-6471.patch b/debian/patches/CVE-2019-6471.patch
new file mode 100644
index 0000000..43a176b
--- /dev/null
+++ b/debian/patches/CVE-2019-6471.patch
@@ -0,0 +1,44 @@
+Description: fix race condition
+Origin: provided by ISC
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda..3278db4 100644
+--- a/lib/dns/dispatch.c
++++ b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+ 	isc_task_t		       *task;
+ 	isc_taskaction_t		action;
+ 	void			       *arg;
+-	bool			item_out;
++	bool				item_out;
+ 	dispsocket_t			*dispsocket;
+ 	ISC_LIST(dns_dispatchevent_t)	items;
+ 	ISC_LINK(dns_dispentry_t)	link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+ 	disp = resp->disp;
+ 	REQUIRE(VALID_DISPATCH(disp));
+ 
+-	REQUIRE(resp->item_out == true);
+-	resp->item_out = false;
+-
+ 	ev = *sockevent;
+ 	*sockevent = NULL;
+ 
+ 	LOCK(&disp->lock);
++
++	REQUIRE(resp->item_out == true);
++	resp->item_out = false;
++
+ 	if (ev->buffer.base != NULL)
+ 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
+ 	free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+ 		isc_task_send(disp->task[0], &disp->ctlevent);
+ }
+ 
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+ 	dns_dispatchevent_t *ev;
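Review bot: The DEP-3 header of this new patch (`Description: fix race condition`, `Origin: provided by ISC`) gives no CVE id, no upstream commit or advisory reference and no `Last-Update`, unlike the two other patches added in this commit. The security-relevant change is that `REQUIRE(resp->item_out == true); resp->item_out = false;` now runs after `LOCK(&disp->lock)` in dns_dispatch_getnext(), and the description should say so, e.g. `Description: CVE-2019-6471: check and clear resp->item_out under disp->lock in dns_dispatch_getnext()` with `Origin: upstream, <upstream commit URL>`. The `item_out` change in struct dns_dispentry is whitespace only, and it would help to note that in the header so it is not read as part of the fix. The added `disp must be locked` comment on do_cancel() is not backed by any assertion visible here; both functions continue outside the nested hunks.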
diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
new file mode 100644
index 0000000..5444ae7
--- /dev/null
+++ b/debian/patches/enable-udp-in-host-command.diff
@@ -0,0 +1,26 @@
+Description: Fix parsing of host(1)'s -U command line option
+Author: Andreas Hasenack <andreas@canonical.com>
+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
+Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
+Last-Update: 2018-12-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/bin/dig/host.c
++++ b/bin/dig/host.c
+@@ -158,6 +158,7 @@
+ "       -s a SERVFAIL response should stop query\n"
+ "       -t specifies the query type\n"
+ "       -T enables TCP/IP mode\n"
++"       -U enables UDP mode\n"
+ "       -v enables verbose output\n"
+ "       -V print version number and exit\n"
+ "       -w specifies to wait forever for a reply\n"
+@@ -657,6 +658,7 @@
+ 		case 'N': break;
+ 		case 'R': break;
+ 		case 'T': break;
++		case 'U': break;
+ 		case 'W': break;
+ 		default:
+ 			show_usage();
diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
new file mode 100644
index 0000000..f10f51f
--- /dev/null
+++ b/debian/patches/fix-shutdown-race.diff
@@ -0,0 +1,41 @@
+From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Tue, 13 Nov 2018 13:50:47 +0100
+Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
+
+If a tool using the routines defined in bin/dig/dighost.c is sent an
+interruption signal around the time a connection timeout is scheduled to
+fire, connect_timeout() may be executed after destroy_libs() detaches
+from the global task (setting 'global_task' to NULL), which results in a
+crash upon a UDP retry due to bringup_timer() attempting to create a
+timer with 'task' set to NULL.  Fix by preventing connect_timeout() from
+attempting a retry when shutdown is in progress.
+
+(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
+
+Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
+Last-Update: 2018-12-06
+
+---
+ bin/dig/dighost.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 39abb9d0fd..17e0328228 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
+ 
+ 	INSIST(!free_now);
+ 
++	if (cancel_now) {
++		UNLOCK_LOOKUP;
++		return;
++	}
++
+ 	if ((query != NULL) && (query->lookup->current_query != NULL) &&
+ 	    ISC_LINK_LINKED(query->lookup->current_query, link) &&
+ 	    (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
+-- 
+2.18.1
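Review bot: The mail header reads `Subject: [PATCH 1/2]`, but only this one file is added to debian/patches/series, so a reader cannot tell whether the second patch of the upstream series is needed for the fix. If it was left out on purpose, the description should end with a sentence such as `Patch 2/2 of the upstream series is not included because <reason>.` Separately, the new `if (cancel_now)` path releases only the lookup lock before returning. connect_timeout() starts outside the nested hunk, so it should be confirmed against the full function that `event` has already been freed and nothing else is held at that point.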
diff --git a/debian/patches/series b/debian/patches/series
index b8cde78..bd7121f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,6 @@ keymgr-dont-immediately-delete.diff
 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 0014-Disable-broken-Ed448-support.patch
+enable-udp-in-host-command.diff
+fix-shutdown-race.diff
+CVE-2019-6471.patch
diff --git a/debian/rules b/debian/rules
index c8d745c..717ecb9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -91,7 +91,7 @@ override_dh_auto_configure:
 		--with-gssapi=/usr \
 		--with-libidn2 \
 		--with-libjson=/usr \
-		--with-lmdb=/usr \
+		--without-lmdb \
 		--with-gnu-ld \
 		--with-geoip=/usr \
 		--with-atf=no \
@@ -101,7 +101,6 @@ override_dh_auto_configure:
 		--enable-native-pkcs11 \
 		--with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
 		--with-randomdev=/dev/urandom \
-		--enable-dnstap \
 		$(EXTRA_FEATURES)
 	dh_auto_configure -B build-udeb -- \
 		--sysconfdir=/etc/bind \
@@ -126,8 +125,6 @@ override_dh_auto_configure:
 	# no need to build these targets here
 	sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
 	sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
-	cp lib/dns/dnstap.proto build/lib/dns
-	cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
 
 override_dh_auto_build:
 	dh_auto_build -B build
diff --git a/debian/tests/simpletest b/debian/tests/simpletest
index 468a7c5..34b0b25 100755
--- a/debian/tests/simpletest
+++ b/debian/tests/simpletest
@@ -10,10 +10,6 @@ setup() {
 run() {
 	# Make a query against a local zone
 	dig -x 127.0.0.1 @127.0.0.1
-
-	# Make a query against an external nameserver and check for DNSSEC validation
-	echo "Checking for DNSSEC validation status of internetsociety.org"
-	dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
 }
 
 teardown() {
