* Merge with Debian unstable (LP: #1701687). Remaining changes:
- Add RemainAfterExit to bind9-resolvconf unit configuration file
(LP #1536181).
- rules: Fix path to libsofthsm2.so. (LP #1685780)
* Drop:
- SECURITY UPDATE: denial of service via assertion failure
+ debian/patches/CVE-2016-2776.patch: properly handle lengths in lib/dns/message.c.
+ CVE-2016-2776
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via class mismatch
+ debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
records in lib/dns/resolver.c.
+ CVE-2016-9131
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
+ debian/patches/CVE-2016-9147.patch: fix logic when records are
returned without the requested data in lib/dns/resolver.c.
+ CVE-2016-9147
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: assertion failure via unusually-formed DS record
+ debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in lib/dns/message.c, lib/dns/resolver.c.
+ CVE-2016-9444
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
responses in lib/dns/resolver.c, added tests to bin/tests/system/dname/ns2/example.db, bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
a NULL pointer
+ debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
combination in bin/named/query.c, lib/dns/message.c, lib/dns/rdataset.c.
+ CVE-2017-3135
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: regression in CVE-2016-8864
+ debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
was still being cached when it should have been in lib/dns/resolver.c,
added tests to bin/tests/system/dname/ans3/ans.pl, bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
+ No CVE number
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12]
- SECURITY UPDATE: Denial of Service due to an error handling
synthesized records when using DNS64 with "break-dnssec yes;"
+ debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
called.
+ CVE-2017-3136
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
- SECURITY UPDATE: Denial of Service due to resolver terminating when
processing a response packet containing a CNAME or DNAME
+ debian/patches/CVE-2017-3137.patch: don't expect a specific
ordering of answer components; add testcases.
+ CVE-2017-3137
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
- SECURITY UPDATE: Denial of Service when receiving a null command on
the control channel
+ debian/patches/CVE-2017-3138.patch: don't throw an assert if no
command token is given; add testcase.
+ CVE-2017-3138
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
- SECURITY UPDATE: TSIG authentication issues
+ debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
+ CVE-2017-3142
+ CVE-2017-3143
+ [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
* d/p/CVE-2016-8864-regression-test.patch: tests for the regression
introduced with the CVE-2016-8864.patch and fixed in
CVE-2016-8864-regression.patch.
* d/p/CVE-2016-8864-regression2-test.patch: tests for the second
regression (RT #44318) introduced with the CVE-2016-8864.patch
and fixed in CVE-2016-8864-regression2.patch.
* d/control, d/rules: add json support for the statistics channels.
(LP: #1669193)
-- Andreas Hasenack <email address hidden> Fri, 11 Aug 2017 17:12:09 -0300
This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1
---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium