Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5

Bug #1701687 reported by Andreas Hasenack
Affects: bind9 (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Andreas Hasenack

Bug Description

bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200

bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high

  * Non-maintainer upload.

  [ Yves-Alexis Perez ]
  * debian/patches:
    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
      transfers. An attacker may be able to circumvent TSIG authentication of
      AXFR and Notify requests.
      CVE-2017-3143: error in TSIG authentication can permit unauthorized
      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
      signature for a dynamic update.
      (Closes: #866564)

 -- Salvatore Bonaccorso Sun, 16 Jul 2017 22:13:21 +0200

bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high

  * Non-maintainer upload.
  * Dns64 with "break-dnssec yes;" can result in an assertion failure
    (CVE-2017-3136) (Closes: #860224)
  * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
    assertion failures (CVE-2017-3137) (Closes: #860225)
  * 'rndc ""' could trigger an assertion failure in named (CVE-2017-3138)
    (Closes: #860226)

 -- Salvatore Bonaccorso Sun, 07 May 2017 15:22:46 +0200

bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
    hangs and crashes on MIPS. (Closes: #778720)

 -- James Cowgill Tue, 18 Apr 2017 16:42:50 +0100

bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Use /dev/urandom to avoid blocking in the server process.
    (closes: #854243)

 -- Bastian Blank Fri, 17 Mar 2017 19:07:16 +0100

bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high

  * Merge and accept the non-maintainer upload.
  * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
  * Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if
    both DNS64 and RPZ are being used (closes: #855520).

 -- Michael Gilbert Sun, 19 Feb 2017 22:39:32 +0000

bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
    Patch by Marc Haber (Closes: #820974).

 -- Arturo Borrero Gonzalez Tue, 07 Feb 2017 10:42:00 +0100

bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium

  * Fix some lintian warnings.
  * Add lsb-base dependency to lwresd (closes: #848519).
  * Fix CVE-2016-2775: crash in lwresd due to a long query name
    (closes: #831796).
  * Fix CVE-2016-2776: maliciously crafted query can cause named to crash
    (closes: #839010).
  * Fix CVE-2016-8864: incorrect handling of a DNAME record can cause
    named to crash (closes: #842858).
  * Fix CVE-2016-9131: maliciously crafted response to an ANY query can
    cause named to crash (closes: #851065).
  * Fix CVE-2016-9147: query with contradictory DNSSEC information can
    cause named to crash (closes: #851063).
  * Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
    record can cause named to crash (closes: #851062).
  * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
    (closes: #828082).

  [ LaMont Jones ]
  * Update VCS fields in control.
  * -DDIG_SIGCHASE got dropped by the change in hardening.

  [ Stefan Bader ]
  * Use the defaults file in systemd.

 -- Michael Gilbert Thu, 19 Jan 2017 04:03:28 +0000

bridge-utils 1.5-9ubuntu2 -> 1.5-14

* Last Uploader: Ryan Harper (sponsored by Mathieu Trudel-Lapierre)

Debian changes newer than ubuntu version:

bridge-utils (1.5-14) unstable; urgency=low

  * Fix a problem with some vlan interfaces not being created.

 -- Santiago Garcia Mantinan Mon, 26 Jun 2017 17:48:37 +0200

bridge-utils (1.5-13) unstable; urgency=low

  * Fix a hardcoded interface name on bridge-utils.sh. Closes: #854841.

 -- Santiago Garcia Mantinan Sat, 11 Feb 2017 00:16:45 +0100

bridge-utils (1.5-12) unstable; urgency=medium

  * Add vlan support so that old setups using vlans as ports don't break.

 -- Santiago Garcia Mantinan Sun, 22 Jan 2017 00:23:50 +0100

bridge-utils (1.5-11) unstable; urgency=low

  * Change /etc/default/bridge-utils to enable addition of hotplugged
    interfaces.
  * Integration with the vlan package is causing problems, we have
    removed it and rely on ifupdown implementing it. Closes: #818849.

 -- Santiago Garcia Mantinan Wed, 14 Dec 2016 23:26:05 +0100

bridge-utils (1.5-10) unstable; urgency=low

  * Fix wait when bridge is ready. Thanks Alexander. Closes: #779348.
  * Added some documentation on the README.Debian file to comment some
    config bugs. Closes: #765000, #815927.
  * Clarify pre-up commands changing an example on the man page for
    bridge-utils-interfaces. Closes: #783956.

 -- Santiago Garcia Mantinan Thu, 10 Nov 2016 22:23:49 +0100

Changed in bind9 (Ubuntu):
status: In Progress → Triaged
assignee: Andreas Hasenack (ahasenack) → nobody
Changed in bind9 (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
summary: - Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5
summary: - Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
description: updated
Changed in bind9 (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1

---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
        was still being cached when it should have been in lib/dns/resolver.c,
        added tests to bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      ...


Changed in bind9 (Ubuntu):
status: In Progress → Fix Released