Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5

Bug #1701687 reported by Andreas Hasenack on 2017-06-30
This bug affects 1 person
Affects: bind9 (Ubuntu)
Importance: Low
Assigned to: Andreas Hasenack

Bug Description

bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200

bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high

  * Non-maintainer upload.

  [ Yves-Alexis Perez ]
  * debian/patches:
    - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
      CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
      transfers. An attacker may be able to circumvent TSIG authentication of
      AXFR and Notify requests.
      CVE-2017-3143: error in TSIG authentication can permit unauthorized
      dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
      signature for a dynamic update.
      (Closes: #866564)

 -- Salvatore Bonaccorso Sun, 16 Jul 2017 22:13:21 +0200

bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high

  * Non-maintainer upload.
  * Dns64 with "break-dnssec yes;" can result in an assertion failure
    (CVE-2017-3136) (Closes: #860224)
  * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
    assertion failures (CVE-2017-3137) (Closes: #860225)
  * 'rndc ""' could trigger an assertion failure in named (CVE-2017-3138)
    (Closes: #860226)

 -- Salvatore Bonaccorso Sun, 07 May 2017 15:22:46 +0200

bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
    hangs and crashes on MIPS. (Closes: #778720)

 -- James Cowgill Tue, 18 Apr 2017 16:42:50 +0100

bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Use /dev/urandom to avoid blocking in the server process.
    (closes: #854243)

 -- Bastian Blank Fri, 17 Mar 2017 19:07:16 +0100

bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high

  * Merge and accept the non-maintainer upload.
  * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
  * Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if
    both DNS64 and RPZ are being used (closes: #855520).

 -- Michael Gilbert Sun, 19 Feb 2017 22:39:32 +0000

bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
    Patch by Marc Haber (Closes: #820974).

 -- Arturo Borrero Gonzalez Tue, 07 Feb 2017 10:42:00 +0100

bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium

  * Fix some lintian warnings.
  * Add lsb-base dependency to lwresd (closes: #848519).
  * Fix CVE-2016-2775: crash in lwresd due to a long query name
    (closes: #831796).
  * Fix CVE-2016-2776: maliciously crafted query can cause named to crash
    (closes: #839010).
  * Fix CVE-2016-8864: incorrect handling of a DNAME record can cause
    named to crash (closes: #842858).
  * Fix CVE-2016-9131: maliciously crafted response to an ANY query can
    cause named to crash (closes: #851065).
  * Fix CVE-2016-9147: query with contradictory DNSSEC information can
    cause named to crash (closes: #851063).
  * Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
    record can cause named to crash (closes: #851062).
  * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
    (closes: #828082).

  [ LaMont Jones ]
  * Update VCS fields in control.
  * -DDIG_SIGCHASE got dropped by the change in hardening.

  [ Stefan Bader ]
  * Use the defaults file in systemd.

 -- Michael Gilbert Thu, 19 Jan 2017 04:03:28 +0000

bridge-utils 1.5-9ubuntu2 -> 1.5-14

* Last Uploader: Ryan Harper (sponsored by Mathieu Trudel-Lapierre)

Debian changes newer than ubuntu version:

bridge-utils (1.5-14) unstable; urgency=low

  * Fix a problem with some vlan interfaces not being created.

 -- Santiago Garcia Mantinan Mon, 26 Jun 2017 17:48:37 +0200

bridge-utils (1.5-13) unstable; urgency=low

  * Fix a hardcoded interface name on bridge-utils.sh. Closes: #854841.

 -- Santiago Garcia Mantinan Sat, 11 Feb 2017 00:16:45 +0100

bridge-utils (1.5-12) unstable; urgency=medium

  * Add vlan support so that old setups using vlans as ports don't break.

 -- Santiago Garcia Mantinan Sun, 22 Jan 2017 00:23:50 +0100

bridge-utils (1.5-11) unstable; urgency=low

  * Change /etc/default/bridge-utils to enable addition of hotplugged
    interfaces.
  * Integration with the vlan package is causing problems, we have
    removed it and rely on ifupdown implementing it. Closes: #818849.

 -- Santiago Garcia Mantinan Wed, 14 Dec 2016 23:26:05 +0100

bridge-utils (1.5-10) unstable; urgency=low

  * Fix wait when bridge is ready. Thanks Alexander. Closes: #779348.
  * Added some documentation on the README.Debian file to comment some
    config bugs. Closes: #765000, #815927.
  * Clarify pre-up commands changing an example on the man page for
    bridge-utils-interfaces. Closes: #783956.

 -- Santiago Garcia Mantinan Thu, 10 Nov 2016 22:23:49 +0100

Changed in bind9 (Ubuntu):
status: In Progress → Triaged
assignee: Andreas Hasenack (ahasenack) → nobody
Changed in bind9 (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
summary: - Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5
summary: - Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
description: updated
Changed in bind9 (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1

---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
        was still being cached when it should have been in lib/dns/resolver.c,
        added tests to bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      ...


Changed in bind9 (Ubuntu):
status: In Progress → Fix Released