Merge bind9 from Debian unstable for 22.04
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
bind9 (Ubuntu) | Fix Released | Undecided | Athos Ribeiro | |
Bug Description
Upstream: 9.18.0
Debian: 1:9.18.0-1
Ubuntu: 1:9.16.15-1ubuntu3
Debian typically updates bind9 every 1 month on average, but it was last updated 21.04 and looks overdue. Check back in on this monthly.
~~No release expected for bind9 this cycle~~
bind9 9.18 upstream release is scheduled for January 2022
### New Debian Changes ###
bind9 (1:9.16.15-1) unstable; urgency=high
* New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
+ CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
assertion failure in ``named``, causing it to quit abnormally.
+ CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
ANSWER section during DNAME chasing turned out to be the final
answer to a client query.
+ CVE-2021-25216: When a server's configuration set the
``tkey-
specially crafted GSS-TSIG query could cause a buffer overflow in
the ISC implementation of SPNEGO (a protocol enabling negotiation of
the security mechanism used for GSSAPI authentication).
* Add patches to implement I-D draft-hardaker-
-- Ondřej Surý <email address hidden> Thu, 29 Apr 2021 09:11:32 +0200
bind9 (1:9.16.13-1) unstable; urgency=medium
* New upstream version 9.16.13
* Add upstream patches to fix TCP timeouts firing too early
-- Ondřej Surý <email address hidden> Thu, 18 Mar 2021 14:23:49 +0100
bind9 (1:9.16.12-3) unstable; urgency=medium
* Add most important patches from upcoming 9.16.13 release
-- Ondřej Surý <email address hidden> Fri, 12 Mar 2021 09:59:49 +0100
bind9 (1:9.16.12-2) unstable; urgency=medium
* Add patch to fix sphinx-build failure on Ubuntu Xenial
-- Ondřej Surý <email address hidden> Thu, 18 Feb 2021 12:26:09 +0100
bind9 (1:9.16.12-1) unstable; urgency=high
* New upstream version 9.16.12
+ [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
(Closes: #983004)
* Adjust the bind9-libs and bind9-dev packages for new upstream library
names
-- Ondřej Surý <email address hidden> Thu, 18 Feb 2021 08:13:58 +0100
bind9 (1:9.16.11-3) unstable; urgency=medium
* Split the simple validation test to separate file and mark it as flaky
(Closes: #976045)
-- Ondřej Surý <email address hidden> Sun, 14 Feb 2021 20:04:39 +0100
bind9 (1:9.16.11-2) unstable; urgency=medium
* Cherry-pick upstream commit to fix segfault with named ACLs used in
allow-update (Closes: #980786)
-- Bernhard Schmidt <email address hidden> Fri, 29 Jan 2021 08:27:31 +0100
bind9 (1:9.16.11-1) unstable; urgency=medium
* Add the ISC code-signing key for 2021-2022
* New upstream version 9.16.11
-- Ondřej Surý <email address hidden> Thu, 21 Jan 2021 09:58:33 +0100
bind9 (1:9.16.10-1) unstable; urgency=medium
* New upstream version 9.16.10
-- Ondřej Surý <email address hidden> Wed, 16 Dec 2020 22:22:25 +0100
bind9 (1:9.16.9-1) unstable; urgency=medium
* New upstream version 9.16.9
-- Ondřej Surý <email address hidden> Thu, 26 Nov 2020 12:52:28 +0100
bind9 (1:9.16.8-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.16.8
[ Bernhard Schmidt ]
* d/t/control:
- tag autopkgtest with needs-internet (Closes: #973955)
- depend on bind9-dnsutils instead of the transitional dnsutils
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Bernhard Schmidt <email address hidden> Mon, 09 Nov 2020 23:03:53 +0100
bind9 (1:9.16.7-1) unstable; urgency=medium
* New upstream version 9.16.7
-- Ondřej Surý <email address hidden> Thu, 17 Sep 2020 10:36:51 +0200
bind9 (1:9.16.6-3) unstable; urgency=medium
### Old Ubuntu Delta ###
bind9 (1:9.16.
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
* Drop changes:
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
[Fixed in 1:9.16.11-3]
- SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
+ debian/
+ CVE-2020-8625
[Fixed in 1:9.16.12-1]
- SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
+ debian/
transfer for certain RR in lib/dns/xfrin.c.
+ CVE-2021-25214
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: assert via answering certain queries for DNAME records
+ debian/
+ CVE-2021-25215
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
+ debian/rules: build with --disable-
SPNEGO and use the one from the kerberos libraries.
+ CVE-2021-25216
[Fixed in 1:9.16.15-1]
-- Athos Ribeiro <email address hidden> Mon, 12 Jul 2021 20:26:40 -0300
Related branches
- Bryce Harrington (community): Approve
- Andreas Hasenack: Needs Information
- git-ubuntu import: Pending requested
Diff: 1429 lines (+1243/-10)
7 files modified
debian/NEWS (+56/-0)
debian/bind9-dnsutils.install (+0/-2)
debian/bind9.apport (+24/-0)
debian/bind9.named.service (+2/-1)
debian/changelog (+1157/-0)
debian/control (+3/-5)
debian/rules (+1/-2)
CVE References
Changed in bind9 (Ubuntu): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
description: | updated |
Changed in bind9 (Ubuntu): | |
milestone: | none → ubuntu-21.12 |
Changed in bind9 (Ubuntu): | |
milestone: | ubuntu-21.12 → ubuntu-22.01 |
description: | updated |
Note from Timo on ubuntu-server@:
Just a heads-up that the new version breaks bind-dyndb-ldap (again),
upstream has removed the api versioning information which the plugin
depends on, so please don't merge this until there's some understanding
on how b-d-l can be made to work with the new bind9.
https://lists.ubuntu.com/archives/ubuntu-server/2021-November/009035.html