Comment 1 for bug 1701687

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1

---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
        was still being cached when it should have been in lib/dns/resolver.c,
        added tests to bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      the control channel
      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
        command token is given; add testcase.
      + CVE-2017-3138
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: TSIG authentication issues
      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
      + CVE-2017-3142
      + CVE-2017-3143
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
    introduced with the CVE-2016-8864.patch and fixed in
    CVE-2016-8864-regression.patch.
  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
    regression (RT #44318) introduced with the CVE-2016-8864.patch
    and fixed in CVE-2016-8864-regression2.patch.
  * d/control, d/rules: add json support for the statistics channels.
    (LP: #1669193)

 -- Andreas Hasenack <email address hidden> Fri, 11 Aug 2017 17:12:09 -0300