Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
bind9 (Ubuntu) | Fix Released | Low | Andreas Hasenack | | |
Bug Description
bind9 (1:9.10.
* Non-maintainer upload.
* Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
signed TCP message sequences where not all the messages contain TSIG
records. These may be used in AXFR and IXFR responses.
(Closes: #868952)
-- Salvatore Bonaccorso Fri, 21 Jul 2017 22:28:32 +0200
bind9 (1:9.10.
* Non-maintainer upload.
[ Yves-Alexis Perez ]
* debian/patches:
- debian/
CVE-
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
(Closes: #866564)
-- Salvatore Bonaccorso Sun, 16 Jul 2017 22:13:21 +0200
bind9 (1:9.10.
* Non-maintainer upload.
* Dns64 with "break-dnssec yes;" can result in an assertion failure
(CVE-2017-3136) (Closes: #860224)
* Some chaining (CNAME or DNAME) responses to upstream queries could trigger
assertion failures (CVE-2017-3137) (Closes: #860225)
* 'rndc ""' could trigger an assertion failure in named (CVE-2017-3138)
(Closes: #860226)
-- Salvatore Bonaccorso Sun, 07 May 2017 15:22:46 +0200
bind9 (1:9.10.
* Non-maintainer upload.
* Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
hangs and crashes on MIPS. (Closes: #778720)
-- James Cowgill Tue, 18 Apr 2017 16:42:50 +0100
bind9 (1:9.10.
* Non-maintainer upload.
* Use /dev/urandom to avoid blocking in the server process.
(closes: #854243)
-- Bastian Blank Fri, 17 Mar 2017 19:07:16 +0100
bind9 (1:9.10.
* Merge and accept the non-maintainer upload.
* Fix regression caused by the fix for CVE-2016-8864 (closes: #855540).
* Fix CVE-2017-3135: a maliciously crafted query can cause named to crash if
both DNS64 and RPZ are being used (closes: #855520).
-- Michael Gilbert Sun, 19 Feb 2017 22:39:32 +0000
bind9 (1:9.10.
* Non-maintainer upload.
* Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
Patch by Marc Haber (Closes: #820974).
-- Arturo Borrero Gonzalez Tue, 07 Feb 2017 10:42:00 +0100
bind9 (1:9.10.
* Fix some lintian warnings.
* Add lsb-base dependency to lwresd (closes: #848519).
* Fix CVE-2016-2775: crash in lwresd due to a long query name
(closes: #831796).
* Fix CVE-2016-2776: maliciously crafted query can cause named to crash
(closes: #839010).
* Fix CVE-2016-8864: incorrect handling of a DNAME record can cause
named to crash (closes: #842858).
* Fix CVE-2016-9131: maliciously crafted response to an ANY query can
cause named to crash (closes: #851065).
* Fix CVE-2016-9147: query with contradictory DNSSEC information can
cause named to crash (closes: #851063).
* Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS)
record can cause named to crash (closes: #851062).
* Openssl 1.1 is not yet supported, so build with openssl 1.0 for now
(closes: #828082).
[ LaMont Jones ]
* Update VCS fields in control.
* -DDIG_SIGCHASE got dropped by the change in hardening.
[ Stefan Bader ]
* Use the defaults file in systemd.
-- Michael Gilbert Thu, 19 Jan 2017 04:03:28 +0000
bridge-utils 1.5-9ubuntu2 -> 1.5-14
* Last Uploader: Ryan Harper (sponsored by Mathieu Trudel-Lapierre)
Debian changes newer than ubuntu version:
bridge-utils (1.5-14) unstable; urgency=low
* Fix a problem with some vlan interfaces not being created.
-- Santiago Garcia Mantinan Mon, 26 Jun 2017 17:48:37 +0200
bridge-utils (1.5-13) unstable; urgency=low
* Fix a hardcoded interface name on bridge-utils.sh. Closes: #854841.
-- Santiago Garcia Mantinan Sat, 11 Feb 2017 00:16:45 +0100
bridge-utils (1.5-12) unstable; urgency=medium
* Add vlan support so that old setups using vlans as ports don't break.
-- Santiago Garcia Mantinan Sun, 22 Jan 2017 00:23:50 +0100
bridge-utils (1.5-11) unstable; urgency=low
* Change /etc/default/
interfaces.
* Integration with the vlan package is causing problems, we have
removed it and rely on ifupdown implementing it. Closes: #818849.
-- Santiago Garcia Mantinan Wed, 14 Dec 2016 23:26:05 +0100
bridge-utils (1.5-10) unstable; urgency=low
* Fix wait when bridge is ready. Thanks Alexander. Closes: #779348.
* Added some documentation on the README.Debian file to comment some
config bugs. Closes: #765000, #815927.
* Clarify pre-up commands changing an example on the man page for
bridge-
-- Santiago Garcia Mantinan Thu, 10 Nov 2016 22:23:49 +0100
Changed in bind9 (Ubuntu): | |
status: | In Progress → Triaged |
assignee: | Andreas Hasenack (ahasenack) → nobody |
Changed in bind9 (Ubuntu): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
summary: |
- Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.3
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5 |
summary: |
- Please merge 1:9.10.3.dfsg.P4-10.1ubuntu6 -> 1:9.10.3.dfsg.P4-12.5
+ Please merge 1:9.10.3.dfsg.P4-10.1ubuntu7 -> 1:9.10.3.dfsg.P4-12.5 |
description: | updated |
Changed in bind9 (Ubuntu): | |
status: | Triaged → In Progress |
This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1
---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
* Merge with Debian unstable (LP: #1701687). Remaining changes:
- Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP #1536181).
- rules: Fix path to libsofthsm2.so. (LP #1685780)
* Drop:
- SECURITY UPDATE: denial of service via assertion failure
+ debian/patches/CVE-2016-2776.patch: properly handle lengths in
lib/dns/message.c.
+ CVE-2016-2776
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via class mismatch
+ debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
records in lib/dns/resolver.c.
+ CVE-2016-9131
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
+ debian/patches/CVE-2016-9147.patch: fix logic when records are
returned without the requested data in lib/dns/resolver.c.
+ CVE-2016-9147
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via unusually-formed DS record
+ debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
lib/dns/message.c, lib/dns/resolver.c.
+ CVE-2016-9444
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
responses in lib/dns/resolver.c, added tests to
bin/tests/system/dname/ns2/example.db,
bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
a NULL pointer
+ debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
combination in bin/named/query.c, lib/dns/message.c,
lib/dns/rdataset.c.
+ CVE-2017-3135
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
was still being cached when it should have been in lib/dns/resolver.c,
added tests to bin/tests/system/dname/ans3/ans.pl,
bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Denial of Service due to an error handling
synthesized records when using DNS64 with "break-dnssec yes;"
+ debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
called.
+ CVE-2017-3136
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
- SECURITY UPDATE: Denial of Service due to resolver terminating when
processing a response packet containing a CNAME or DNAME
+ debian/patches/CVE-2017-3137.patch: don't expect a specific
ordering of answer components; add testcases.
+ CVE-2017-3137
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
- SECURITY UPDATE: Denial of Service when receiving a null command on
...