This bug was fixed in the package bind9 - 1:9.10.3.dfsg.P4-12.5ubuntu1

---------------
bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1701687). Remaining changes:
    - Add RemainAfterExit to bind9-resolvconf unit configuration file
      (LP #1536181).
    - rules: Fix path to libsofthsm2.so. (LP #1685780)
  * Drop:
    - SECURITY UPDATE: denial of service via assertion failure
      + debian/patches/CVE-2016-2776.patch: properly handle lengths in
        lib/dns/message.c.
      + CVE-2016-2776
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via class mismatch
      + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
        records in lib/dns/resolver.c.
      + CVE-2016-9131
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
      + debian/patches/CVE-2016-9147.patch: fix logic when records are
        returned without the requested data in lib/dns/resolver.c.
      + CVE-2016-9147
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: assertion failure via unusually-formed DS record
      + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
        lib/dns/message.c, lib/dns/resolver.c.
      + CVE-2016-9444
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
        responses in lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ns2/example.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
      a NULL pointer
      + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
        combination in bin/named/query.c, lib/dns/message.c,
        lib/dns/rdataset.c.
      + CVE-2017-3135
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: regression in CVE-2016-8864
      + debian/patches/rt44318.patch: synthesised CNAME before matching
        DNAME was still being cached when it should have been in
        lib/dns/resolver.c, added tests to
        bin/tests/system/dname/ans3/ans.pl,
        bin/tests/system/dname/ns1/root.db,
        bin/tests/system/dname/tests.sh.
      + No CVE number
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
    - SECURITY UPDATE: Denial of Service due to an error handling
      synthesized records when using DNS64 with "break-dnssec yes;"
      + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
        called.
      + CVE-2017-3136
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: Denial of Service due to resolver terminating when
      processing a response packet containing a CNAME or DNAME
      + debian/patches/CVE-2017-3137.patch: don't expect a specific
        ordering of answer components; add testcases.
      + CVE-2017-3137
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
    - SECURITY UPDATE: Denial of Service when receiving a null command on
      the control channel
      + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
        command token is given; add testcase.
      + CVE-2017-3138
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
    - SECURITY UPDATE: TSIG authentication issues
      + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
        lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
      + CVE-2017-3142
      + CVE-2017-3143
      + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
  * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
    introduced with the CVE-2016-8864.patch and fixed in
    CVE-2016-8864-regression.patch.
  * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
    regression (RT #44318) introduced with the CVE-2016-8864.patch
    and fixed in CVE-2016-8864-regression2.patch.
  * d/control, d/rules: add json support for the statistics channels.
    (LP: #1669193)

 -- Andreas Hasenack