bind9 (1:9.18.39-0ubuntu0.24.04.2) noble-security; urgency=medium
* SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
- debian/patches/CVE-2025-8677.patch: count invalid keys as validation
failures in lib/dns/validator.c.
- CVE-2025-8677
* SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
- debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
or extraneous NS records in the AUTHORITY section unless these are
received via spoofing-resistant transport in
lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
- CVE-2025-40778
* SECURITY UPDATE: Cache poisoning due to weak PRNG
- debian/patches/CVE-2025-40780.patch: change internal random generator
to a cryptographically secure pseudo-random generator in
lib/isc/include/isc/random.h, lib/isc/random.c,
tests/isc/random_test.c.
- CVE-2025-40780
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 21 Oct 2025 08:33:24 -0400
bind9 (1:9.18.39-0ubuntu0.24.04.1) noble; urgency=medium
* New upstream release 9.18.39 (LP: #2112520)
- Features:
+ Add support for parsing the DSYNC record.
+ Add support for the CO flag to dig.
+ Add a new option to configure the maximum number of outgoing queries
per client request.
+ Add WALLET type.
- Updates:
+ Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
+ Make TLS data processing more reliable in various network conditions.
+ Print the expiration time of the stale records.
+ Remove --with-tuning=small/large configuration option.
+ Update built-in bind.keys file with the new 2025 IANA root key.
+ Move contributed DLZ modules into a separate repository.
+ Emit more helpful log messages for exceeding max-records-per-type.
+ Harden key management when key files have become unavailable.
+ Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
- Bug Fixes:
+ Fix a possible crash when adding a zone while recursing.
+ Clean enough memory when adding new ADB names/entries under memory pressure.
+ Prevent spurious validation failures.
+ Rescan the interfaces again when reconfiguring the server.
+ Fix the default interface-interval from 60s to 60m.
+ Fix purge-keys bug when using views.
+ Set name for all the isc_mem contexts.
+ Stop caching lack of EDNS support.
+ Fix resolver statistics counters for timed-out responses.
+ Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
+ Fix inconsistency in CNAME/DNAME handling during resolution.
+ Fix deferred validation of unsigned DS and DNSKEY records.
+ Fix RPZ race condition during a reconfiguration.
+ Fix “CNAME and other data check” not being applied to all types.
+ Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
+ Fix rndc flushname for longer name server names.
+ Fix recently expired records sending timestamps in the future.
+ Fix YAML string not terminated in negative response in delv.
+ Apply the memory limit only to ADB database items.
+ Avoid unnecessary locking in the zone/cache database.
+ Improve the resolver performance under attack.
+ Fix nsupdate hang when processing a large update.
+ Fix possible assertion failure when reloading server while processing
update policy rules.
+ Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
+ Fix improper handling of unknown directives in resolv.conf.
+ Fix dig parsing of {&dns}.
+ Fix NSEC3 closest encloser lookup for names with empty non-terminals.
+ Fix display of dig options with format form [+-]option=<value>.
+ Provide more visibility into TLS configuration errors by logging
+ Fix a statistics channel counter bug when “forward only” zones are
used.
+ Fix wrong address queries in the static-stub implementation.
+ Limit the outgoing UDP send queue size.
+ Do not set SO_INCOMING_CPU.
- See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
information.
* d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
upstream in 9.18.33.
* d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for
new version.
* d/bind9.postinst: Perform postinst config check. (LP: #1492212)
* Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
- d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
SIGINT exit.
- d/rules: Link with libedit to use readline command in base library.
-- Lena Voytek <lena.voytek@canonical.com> Thu, 21 Aug 2025 10:46:13 -0400
bind9 (1:9.18.30-0ubuntu0.24.04.2) noble-security; urgency=medium
* SECURITY UPDATE: Many records in the additional section cause CPU
exhaustion
- debian/patches/CVE-2024-11187.patch: limit the additional processing
for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
lib/ns/query.c.
- CVE-2024-11187
* SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
issues under heavy query load
- debian/patches/CVE-2024-12705.patch: fix flooding issues in
lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
lib/isc/netmgr/tlsstream.c.
- CVE-2024-12705
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 28 Jan 2025 09:26:30 -0500
bind9 (1:9.18.30-0ubuntu0.24.04.1) noble; urgency=medium
* New upstream release 9.18.30 (LP: #2073310)
- Features:
+ Print initial working directory during named startup, and changed
working directory when loading or reloading the configuration file
+ Add max-query-restarts configuration statement
- Updates:
+ Restrain named to specified number of cores when running via taskset,
cpuset, or numactl
+ Reduce default max-recursion-queries value from 100 to 32
+ Raise the log level of priming failures
- Bug Fixes:
+ Fix privacy verification of EDDSA keys
+ Fix algorithm rollover bug when there are two keys with the same keytag
+ Return SERVFAIL for a too long CNAME chain
+ Reconfigure catz member zones during named reconfiguration
+ Update key lifetime and metadata after dnssec-policy reconfiguration
+ Fix generation of 6to4-self name expansion from IPv4 address
+ Fix invalid dig +yaml output
+ Reject zero-length ALPN during SVCB ALPN text parsing
+ Fix false QNAME minimisation error being reported
+ Fix dig +timeout argument when using +http
- See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional
information.
* d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for
new version
-- Lena Voytek <lena.voytek@canonical.com> Mon, 23 Sep 2024 17:02:05 -0400
bind9 (1:9.18.28-0ubuntu0.24.04.1) noble-security; urgency=medium
* Updated to 9.18.28 to fix multiple security issues.
- CVE-2024-0760: A flood of DNS messages over TCP may make the server
unstable
- CVE-2024-1737: BIND's database will be slow if a very large number of
RRs exist at the same name
- CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
- CVE-2024-4076: Assertion failure when serving both stale cache data
and authoritative zone content
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 16 Jul 2024 14:16:20 -0400
bind9 (1:9.18.24-0ubuntu5) noble; urgency=high
* No change rebuild against libssl3t64, libuv1t64.
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 08 Apr 2024 16:37:41 +0200
bind9 (1:9.18.24-0ubuntu4) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 00:04:23 +0000
bind9 (1:9.18.24-0ubuntu3) noble; urgency=medium
* bind9-libs: Hard-code libuv1t64 instead of libuv1.
-- Matthias Klose <doko@ubuntu.com> Wed, 06 Mar 2024 12:35:21 +0100
bind9 (1:9.18.24-0ubuntu2) noble; urgency=medium
* No-change rebuild against libssl3t64
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Mar 2024 17:27:42 +0000
bind9 (1:9.18.24-0ubuntu1) noble; urgency=medium
* Updated to 9.18.21 to fix security issues.
- Security Fixes:
+ Validating DNS messages containing a lot of DNSSEC signatures could
cause excessive CPU load, leading to a denial-of-service condition.
This has been fixed. (CVE-2023-50387)
+ Preparing an NSEC3 closest encloser proof could cause excessive CPU
load, leading to a denial-of-service condition. This has been
fixed. (CVE-2023-50868)
+ Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
+ Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been fixed.
(CVE-2023-5517)
+ A bad interaction between DNS64 and serve-stale could cause named
to crash with an assertion failure, when both of these features
were enabled. This has been fixed. (CVE-2023-5679)
+ Under certain circumstances, the DNS-over-TLS client code
incorrectly attempted to process more than one DNS message at a
time, which could cause named to crash with an assertion failure.
This has been fixed.
- Bug Fixes:
+ The counters exported via the statistics channel were changed back
to 64-bit signed values; they were being inadvertently truncated to
unsigned 32-bit values since BIND 9.15.0.
- See https://bind9.readthedocs.io/en/v9.18.24/notes.html for
additional information
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 14 Feb 2024 14:31:05 -0500
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium
* New upstream release 9.18.21 (LP: #2040359)
- Updates:
+ Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
2801:1b8:10::b.
+ Honor nsupdate -v option when server command specified by sending both
the UPDATE request and the initial query over TCP.
+ Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead.
+ Mark resolver-nonbackoff-tries and resolver-retry-interval as
deprecated.
+ Mark dnssec-must-be-secure as deprecated.
- Bug Fixes:
+ Do not schedule unsigned versions of inline-signed zones containing
DNSSEC records for resigning.
+ Take local authoritative data into account when looking up stale cache
data.
+ Fix use of named -X and lock-file at the same time.
+ Fix improper lock-file removal.
+ Fix bound checking in Content-Length header in the statistics channel.
+ Fix memory leaks from not clearing the OpenSSL error stack.
+ Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and
ms-subdomain-self-rhs update policies.
+ Fix stale-refresh-time feature being disabled by cache flush.
+ Fix DNS message corruption from partial writes.
- See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional
information
* d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by
upstream in version 9.18.19
* d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
standard library stdatomic.h
-- Lena Voytek <lena.voytek@canonical.com> Thu, 25 Jan 2024 08:37:15 -0700
bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium
* SECURITY UPDATE: DoS via recursive packet parsing
- debian/patches/CVE-2023-3341.patch: add a max depth check to
lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
- CVE-2023-3341
* SECURITY UPDATE: DoS via DNS-over-TLS queries
- debian/patches/CVE-2023-4236.patch: check return code in
lib/isc/netmgr/tlsdns.c.
- CVE-2023-4236
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 20 Sep 2023 12:45:21 -0400
bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium
* New upstream release 9.18.18 (LP: #2034367)
- Updates:
+ Mark a primary server as temporarily unreachable when a TCP connection
response to an SOA query times out, matching behavior of a refused TCP
connection.
+ Mark dialup and heartbeat-interval options as deprecated.
+ Retry DNS queries without an EDNS COOKIE when the first response is
FORMERR with the EDNS COOKIE that was sent originally.
+ Use NS records for the relaxed QNAME minimization mode to reduce the
number of queries from named.
- Bug Fixes:
+ Fix assertion failure from processing already-queued queries while
server is being reconfigured or cache is being flushed.
+ Fix failure to load zones containing resource records with a TTL value
larger than 86400 seconds when dnssec-policy is set to insecure.
+ Fix the ability to read HMAC-MD5 key files (LP: #2015176).
+ Fix stability issues with the catalog zone implementation.
- See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
information.
-- Lena Voytek <lena.voytek@canonical.com> Tue, 05 Sep 2023 13:20:06 -0700
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium
* d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)
-- Andreas Hasenack <andreas@canonical.com> Tue, 05 Sep 2023 10:20:27 -0300
bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium
* d/t/control: exclude the i386 architecture for the dyndb-ldap test,
since bind9-dyndb-ldap is not available there on Ubuntu
* d/t/dyndb-ldap: fix for the ldap bind9 dn entry
-- Andreas Hasenack <andreas@canonical.com> Wed, 30 Aug 2023 10:14:04 -0300
bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium
* d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)
-- Andreas Hasenack <andreas@canonical.com> Tue, 22 Aug 2023 09:24:02 -0300
bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium
* Merge with Debian unstable (LP: #2018050). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention relevant packaging changes
- Improve dep-8 test suite (LP #2003584):
+ d/t/zonetest: Add dep8 test for checking the domain zone creation
process
+ d/t/control: Add new test outline
* Added Changes:
- d/po/de.po: Fix German UTF-8 encoding
- d/copyright: Fix lintian warnings
+ Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were
deleted in 9.18.2
+ Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer
bundled as of 9.17.19
+ Update the location of random_test.c and add info about its public
domain section
+ Add wildcards to folders as needed
+ Note that m4/ uses the FSFAP license
- d/control: Remove lsb-base dependency as it is no longer needed
+ See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851
-- Lena Voytek <lena.voytek@canonical.com> Mon, 26 Jun 2023 14:25:50 -0700
bind9 (1:9.18.16-1) unstable; urgency=medium
* New upstream version 9.18.16
- CVE-2023-2828: The overmem cleaning process has been improved,
to prevent the cache from significantly exceeding the configured
max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache. If the fetch
is aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed.
-- Ondřej Surý <ondrej@debian.org> Wed, 21 Jun 2023 20:43:16 +0200
bind9 (1:9.18.15-1) unstable; urgency=medium
* New upstream version 9.18.15
-- Ondřej Surý <ondrej@debian.org> Wed, 17 May 2023 17:47:33 +0200
bind9 (1:9.18.14-1) unstable; urgency=medium
* New upstream version 9.18.14
-- Ondřej Surý <ondrej@debian.org> Wed, 19 Apr 2023 14:47:56 +0200
bind9 (1:9.18.13-1) unstable; urgency=medium
* New upstream version 9.18.13
-- Ondřej Surý <ondrej@debian.org> Wed, 15 Mar 2023 18:11:29 +0100
bind9 (1:9.18.12-1ubuntu1) lunar; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention relevant packaging changes
- Improve dep-8 test suite (LP #2003584):
+ d/t/zonetest: Add dep8 test for checking the domain zone creation process
+ d/t/control: Add new test outline
-- Lena Voytek <lena.voytek@canonical.com> Wed, 22 Feb 2023 10:10:14 -0700
bind9 (1:9.18.12-1) unstable; urgency=medium
* New upstream version 9.18.12
* Drop libtool-bin from B-D (Closes: #1022968)
-- Ondřej Surý <ondrej@debian.org> Fri, 10 Feb 2023 15:15:49 +0100
bind9 (1:9.18.11-2ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #2004172). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention relevant packaging changes
- Improve dep-8 test suite (LP #2003584):
+ d/t/zonetest: Add dep8 test for checking the domain zone creation process
+ d/t/control: Add new test outline
* Dropped Changes:
- d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
apparmor for named
[Fixed in Debian 1:9.18.11-2]
-- Lena Voytek <lena.voytek@canonical.com> Mon, 30 Jan 2023 08:37:28 -0700
bind9 (1:9.18.11-2) unstable; urgency=medium
* Allow the named to use systemd notify service
-- Ondřej Surý <ondrej@debian.org> Thu, 26 Jan 2023 21:13:55 +0100
bind9 (1:9.18.11-1) unstable; urgency=medium
* New upstream version 9.18.11
-- Ondřej Surý <ondrej@debian.org> Wed, 25 Jan 2023 15:51:35 +0100
bind9 (1:9.18.10-2ubuntu2) lunar; urgency=medium
* Improve dep-8 test suite (LP: #2003584):
- d/t/zonetest: Add dep8 test for checking the domain zone creation process
- d/t/control: Add new test outline
-- Lena Voytek <lena.voytek@canonical.com> Fri, 27 Jan 2023 09:16:29 -0700
bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #1993375). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention relevant packaging changes
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
* Added Changes:
- d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
apparmor for named
* Dropped Changes:
- fixed upstream:
+ debian/patches/CVE-2022-2795.patch
+ debian/patches/CVE-2022-2881.patch
+ debian/patches/CVE-2022-2906.patch
+ debian/patches/CVE-2022-3080.patch
+ debian/patches/CVE-2022-38178.patch
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
+ Changed to Type=notify with sd_notify patch in debian
-- Lena Voytek <lena.voytek@canonical.com> Tue, 10 Jan 2023 15:24:45 -0700
bind9 (1:9.18.10-2) unstable; urgency=medium
* Backport upstream feature to use sd_notify()
* Use systemd notify for service readiness check (Closes: #994696)
* apparmor.d: Allow named to read all OpenSSL config files.
(Closes: #1025519)
* apparmor.d: Allow named to query for hugepages support.
(Closes: #1020315)
* Fix path to README.Debian (Closes: #1016646)
-- Bernhard Schmidt <berni@debian.org> Thu, 22 Dec 2022 17:12:17 +0100
bind9 (1:9.18.10-1) unstable; urgency=medium
* New upstream version 9.18.10
-- Ondřej Surý <ondrej@debian.org> Wed, 21 Dec 2022 18:00:33 +0100
bind9 (1:9.18.9-1) unstable; urgency=medium
* New upstream version 9.18.9
-- Ondřej Surý <ondrej@debian.org> Wed, 16 Nov 2022 14:00:05 +0100
bind9 (1:9.18.8-1) unstable; urgency=medium
* New upstream version 9.18.8
-- Ondřej Surý <ondrej@debian.org> Wed, 19 Oct 2022 14:58:38 +0200
bind9 (1:9.18.7-1) unstable; urgency=medium
* New upstream version 9.18.7
- CVE-2022-2795: Processing large delegations may severely degrade
resolver performance
- CVE-2022-2881: Buffer overread in statistics channel code
- CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key
exchange via TKEY RRs (OpenSSL 3.0.0+ only)
- CVE-2022-3080: BIND 9 resolvers configured to answer from stale
cache with zero stale-answer-client-timeout may terminate unexpectedly
- CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
- CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code
-- Ondřej Surý <ondrej@debian.org> Wed, 21 Sep 2022 12:48:36 +0200
bind9 (1:9.18.6-2) unstable; urgency=medium
* No-change source-only upload
-- Bernhard Schmidt <berni@debian.org> Mon, 05 Sep 2022 21:30:08 +0200
bind9 (1:9.18.6-1) unstable; urgency=medium
* Disable treat-warnings-as-errors in sphinx-build
* New upstream version 9.18.6
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Aug 2022 09:39:20 +0200
bind9 (1:9.18.5-1) unstable; urgency=medium
* New upstream version 9.18.5
-- Ondřej Surý <ondrej@debian.org> Wed, 20 Jul 2022 16:40:31 +0200
bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium
* SECURITY UPDATE: Processing large delegations may severely degrade
resolver performance
- debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
- CVE-2022-2795
* SECURITY UPDATE: Buffer overread in statistics channel code
- debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
- CVE-2022-2881
* SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
exchange via TKEY RRs
- debian/patches/CVE-2022-2906.patch: adjust return code handling in
lib/dns/openssldh_link.c.
- CVE-2022-2906
* SECURITY UPDATE: resolvers configured to answer from cache with zero
stale-answer-timeout may terminate unexpectedly
- debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
lib/ns/include/ns/query.h, lib/ns/query.c.
- CVE-2022-3080
* SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
- debian/patches/CVE-2022-38178.patch: fix return handling in
lib/dns/openssleddsa_link.c.
- CVE-2022-38178
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 21 Sep 2022 09:18:42 -0400
bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium
* Merge with Debian unstable (LP: #1971250)
Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention some of the relevant changes in 9.18.0 packaging
or functionality that may affect usability.
* Dropped changes:
- d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
Fix dig error when trying the next server after a TCP connection
failure. This upstream patchset also fixes a crash when using
the "host" command for numeric lookups (LP #1964400) and an
infinite hang when passing a non-existent hostname to "host" (LP
#1964686).
[ Incorporated by upstream. ]
- SECURITY UPDATE: Destroying a TLS session early causes assertion
failure
+ debian/patches/CVE-2022-1183.patch: fix destroying logic in
lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
[ Incorporated by upstream. ]
-- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 20 Jul 2022 05:28:13 -0400
bind9 (1:9.18.4-2) unstable; urgency=medium
[ Simon Deziel ]
* debian/extras/etc/db.0: correct descriptive comment
[ Bernhard Schmidt ]
* Add sleep workaround in tests/simpletests (Closes: #1012059)
-- Ondřej Surý <ondrej@debian.org> Tue, 05 Jul 2022 12:58:06 +0200
bind9 (1:9.18.4-1) unstable; urgency=medium
* Disable treat-warnings-as-errors in sphinx-build
* New upstream version 9.18.4
-- Ondřej Surý <ondrej@debian.org> Wed, 15 Jun 2022 14:36:44 +0200
bind9 (1:9.18.3-1) unstable; urgency=medium
* New upstream version 9.18.3
-- Ondřej Surý <ondrej@debian.org> Wed, 18 May 2022 16:53:01 +0200
bind9 (1:9.18.2-1) unstable; urgency=medium
* Drop libldap2-dev from Build-Depends (Closes: #1008021)
* New upstream version 9.18.2
* Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889)
-- Ondřej Surý <ondrej@debian.org> Tue, 26 Apr 2022 11:03:35 +0200
bind9 (1:9.18.1-1ubuntu2) kinetic; urgency=medium
* SECURITY UPDATE: Destroying a TLS session early causes assertion
failure
- debian/patches/CVE-2022-1183.patch: fix destroying logic in
lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
- CVE-2022-1183
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 17 May 2022 07:38:24 -0400
bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1965981). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention some of the relevant changes in 9.18.0 packaging
or functionality that may affect usability.
* Dropped changes:
- d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
debugging flag from nslookup code (LP: #1961556).
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: cache poisoning via bogus NS records
+ debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
records into the cache in lib/dns/resolver.c.
+ CVE-2021-25220
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: DoS via specially crafted TCP stream
+ debian/patches/CVE-2022-0396.patch: ensure correct ordering in
lib/isc/netmgr/netmgr.c.
+ CVE-2022-0396
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
+ debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
+ CVE-2022-0635
[ Incorporated in 9.18.1. ]
- SECURITY UPDATE: Assertion failure on delayed DS lookup
+ debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
+ CVE-2022-0667
[ Incorporated in 9.18.1. ]
* Added changes:
- d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
Fix dig error when trying the next server after a TCP connection
failure. This upstream patchset also fixes a crash when using
the "host" command for numeric lookups (LP: #1964400) and an
infinite hang when passing a non-existent hostname to "host" (LP:
#1964686).
-- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 23 Mar 2022 13:48:30 -0400
bind9 (1:9.18.1-1) unstable; urgency=high
* New upstream version 9.18.1
* CVE-2021-25220: The rules for acceptance of records into the cache
have been tightened to prevent the possibility of poisoning if
forwarders send records outside the configured bailiwick.
* CVE-2022-0396: TCP connections with 'keep-response-order' enabled
could leave the TCP sockets in the 'CLOSE_WAIT' state when the client
did not properly shut down the connection.
* CVE-2022-0635: Lookups involving a DNAME could trigger an assertion
failure when 'synth-from-dnssec' was enabled (which is the default)
* CVE-2022-0667: When chasing DS records, a timed out or artificially
delayed fetch could cause 'named' to crash while resuming a DS lookup.
-- Ondřej Surý <ondrej@debian.org> Mon, 14 Mar 2022 15:29:31 +0100
bind9 (1:9.18.0-2ubuntu3) jammy; urgency=medium
* SECURITY UPDATE: cache poisoning via bogus NS records
- debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
records into the cache in lib/dns/resolver.c.
- CVE-2021-25220
* SECURITY UPDATE: DoS via specially crafted TCP stream
- debian/patches/CVE-2022-0396.patch: ensure correct ordering in
lib/isc/netmgr/netmgr.c.
- CVE-2022-0396
* SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
- debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
- CVE-2022-0635
* SECURITY UPDATE: Assertion failure on delayed DS lookup
- debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
- CVE-2022-0667
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Mar 2022 09:33:36 -0400
bind9 (1:9.18.0-2ubuntu2) jammy; urgency=medium
* d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
debugging flag from nslookup code (LP: #1961556).
-- Athos Ribeiro <athos.ribeiro@canonical.com> Tue, 22 Feb 2022 17:04:03 -0300
bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1946833). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
This fixes a regression of #900788 where services whose startup depend
on name resolutions may fail due to bind9 not being ready (LP #1899902).
* Dropped Changes:
- SECURITY UPDATE: resolver performance degradation via lame cache abuse
+ debian/patches/CVE-2021-25219.patch: disable lame cache in
bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
+ CVE-2021-25219
[ Fixed in 9.17.19 ]
* New Changes:
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention some of the relevant changes in 9.18.0 packaging
or functionality that may affect usability.
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 14 Feb 2022 17:40:31 -0300
bind9 (1:9.18.0-2) unstable; urgency=medium
* Add patch to use detected L1 cache-line size instead of hard-coded
value, this should fix architectures with 128-byte L1 cache.
-- Ondřej Surý <ondrej@debian.org> Thu, 27 Jan 2022 13:16:04 +0100
bind9 (1:9.18.0-1) unstable; urgency=medium
* Bump the upstream version in debian/ to 9.18
* New upstream version 9.18.0
-- Ondřej Surý <ondrej@debian.org> Wed, 26 Jan 2022 12:31:55 +0100
bind9 (1:9.18.0~0+git28350c-1) unstable; urgency=medium
* New upstream version 9.18.0~0+git28350c
+ Pull the 9.18.0 pre-release git to have the L1 cache line
fix (Closes: #1004271)
* Fix the typo when backing up and restoring configure{,.ac}
(Closes: #903586)
* Remove some prehistoric conffile no longer in use
(Closes: #942377)
* Pick UTC date for release_date variable (Closes: #1000893)
-- Ondřej Surý <ondrej@debian.org> Mon, 24 Jan 2022 16:00:49 +0100
bind9 (1:9.17.22-1) unstable; urgency=medium
* New upstream version 9.17.22
-- Ondřej Surý <ondrej@debian.org> Wed, 19 Jan 2022 18:38:13 +0100
bind9 (1:9.17.21-1) unstable; urgency=medium
* New upstream version 9.17.21
-- Ondřej Surý <ondrej@debian.org> Wed, 15 Dec 2021 15:22:46 +0100
bind9 (1:9.17.20-3) unstable; urgency=medium
* Retain bind9-resolvconf.service alias (Closes: #1000565)
-- Ondřej Surý <ondrej@debian.org> Thu, 25 Nov 2021 10:10:50 +0100
bind9 (1:9.17.20-2) unstable; urgency=medium
* Tighten the dependencies on bind9-libs for the utils too
(Closes: #1000354)
-- Ondřej Surý <ondrej@debian.org> Mon, 22 Nov 2021 08:58:22 +0100
bind9 (1:9.17.20-1) unstable; urgency=medium
* New upstream version 9.17.20
* Remove the sphinx-patch, the role has been fixed upstream
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Nov 2021 07:49:14 +0100
bind9 (1:9.17.19-3) unstable; urgency=medium
* Remove the .so libraries from excluded files
-- Ondřej Surý <ondrej@debian.org> Fri, 12 Nov 2021 14:24:13 +0100
bind9 (1:9.17.19-2) unstable; urgency=medium
* Add libjemalloc-dev to Build-Depends
* Sync the packaging between BIND 9.16 and BIND 9.17 branches
* Don't install static libraries to bind9-dev, they are not built
-- Ondřej Surý <ondrej@debian.org> Tue, 09 Nov 2021 10:42:43 +0100
bind9 (1:9.17.19-1) unstable; urgency=medium
* New upstream version 9.17.19
-- Ondřej Surý <ondrej@debian.org> Mon, 25 Oct 2021 14:29:06 +0200
bind9 (1:9.17.18-1) experimental; urgency=medium
* New upstream version 9.17.18
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Sep 2021 10:03:31 +0200
bind9 (1:9.17.17-2) experimental; urgency=medium
* Bump MAPAPI to 3.0
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Aug 2021 14:34:56 +0200
bind9 (1:9.17.17-1) experimental; urgency=medium
* New upstream version 9.17.17
-- Ondřej Surý <ondrej@debian.org> Wed, 18 Aug 2021 18:31:14 +0200
bind9 (1:9.17.16-1) experimental; urgency=medium
* New upstream version 9.17.16
-- Ondřej Surý <ondrej@debian.org> Wed, 21 Jul 2021 20:31:56 +0200
bind9 (1:9.17.15-1) experimental; urgency=medium
* New upstream version 9.17.15
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 15:13:26 +0200
bind9 (1:9.17.14-3) experimental; urgency=medium
* Add upstream patch to address 'Checking of key-directory and
dnssec-policy was broken'
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 09:08:52 +0200
bind9 (1:9.17.14-2) experimental; urgency=medium
* Add upstream patch to fix: 'W' in wildcard expansions was being mapped
to '\000'.
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 06:49:25 +0200
bind9 (1:9.17.14-1) experimental; urgency=medium
* New upstream version 9.17.14
-- Ondřej Surý <ondrej@debian.org> Thu, 17 Jun 2021 00:26:38 +0200
bind9 (1:9.17.13-2) experimental; urgency=medium
* Revert upstream 'Add a Sphinx role for linking GitLab issues/MRs'
-- Ondřej Surý <ondrej@debian.org> Thu, 20 May 2021 11:30:01 +0200
bind9 (1:9.17.13-1) experimental; urgency=medium
* New upstream version 9.17.13
-- Ondřej Surý <ondrej@debian.org> Thu, 20 May 2021 11:05:32 +0200
bind9 (1:9.17.12-2) experimental; urgency=medium
* Add filter-a.so plugin into main package
-- Ondřej Surý <ondrej@debian.org> Sat, 01 May 2021 13:15:40 +0200
bind9 (1:9.17.12-1) experimental; urgency=medium
* New upstream version 9.17.12
* Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
-- Ondřej Surý <ondrej@debian.org> Thu, 29 Apr 2021 10:49:07 +0200
bind9 (1:9.17.11-1) experimental; urgency=medium
* New upstream version 9.17.11
* Add upstream patches to fix TCP timeouts firing too early
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Mar 2021 14:43:40 +0100
bind9 (1:9.17.10-1) experimental; urgency=high
* New upstream version 9.17.10
+ [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
* Adjust the bind9-libs package for new upstream library names
* Add libnghttp2-dev to Build-Depends
* Update the way we ignore development libraries, so the real ones
get installed
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Feb 2021 09:27:46 +0100
bind9 (1:9.17.9-1) experimental; urgency=medium
* Exclude test-async.so from dh_install
* Update the ISC code-signing key
* New upstream version 9.17.9
-- Ondřej Surý <ondrej@debian.org> Thu, 21 Jan 2021 11:29:33 +0100
bind9 (1:9.17.8-1) experimental; urgency=medium
* New upstream version 9.17.8
-- Ondřej Surý <ondrej@debian.org> Wed, 16 Dec 2020 22:35:50 +0100
bind9 (1:9.17.7-1) experimental; urgency=medium
* New upstream version 9.17.7
-- Ondřej Surý <ondrej@debian.org> Thu, 26 Nov 2020 15:58:54 +0100
bind9 (1:9.17.6-1) experimental; urgency=medium
* New upstream version 9.17.6
-- Ondřej Surý <ondrej@debian.org> Fri, 23 Oct 2020 15:11:42 +0200
bind9 (1:9.17.5-2) experimental; urgency=medium
[ Bernhard Schmidt ]
* Move Build-Depends for documentation to Build-Depends-Indep
* Set Restart=on-failure in systemd unit
-- Ondřej Surý <ondrej@debian.org> Thu, 17 Sep 2020 13:53:04 +0200
bind9 (1:9.17.5-1) experimental; urgency=medium
* New upstream version 9.17.5
-- Ondřej Surý <ondrej@debian.org> Thu, 17 Sep 2020 10:40:29 +0200
bind9 (1:9.17.4-1) experimental; urgency=medium
* Add libtool-bin to Build-Depends
* Disable static linking
* New upstream version 9.17.4
-- Ondřej Surý <ondrej@debian.org> Thu, 20 Aug 2020 21:35:16 +0200
bind9 (1:9.17.3-1) experimental; urgency=medium
* New upstream version 9.17.2
* Adjust d/*.install files after upstream moved binaries from sbin to bin
* Remove rfc-compliance from docs, it's gone
* New upstream version 9.17.3
* Add fonts-freefont-otf, latexmk, texlive-fonts-extra,
texlive-latex-recommended, texlive-xetex, and xindy to Build-Depends
* Install man pages for tsig-gen and named-compilezone
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Jul 2020 00:38:43 +0200
bind9 (1:9.17.1+git20200519-1) experimental; urgency=medium
* New upstream version 9.17.1+git20200519
* Update Debian packaging for autoconf/automake and sphinx-doc
-- Ondřej Surý <ondrej@debian.org> Tue, 19 May 2020 22:02:19 +0200
bind9 (1:9.17.1-1) experimental; urgency=medium
* Update d/copyright (Closes: #947978)
* New upstream version 9.17.1
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Apr 2020 10:34:10 +0200
bind9 (1:9.17.0-1) experimental; urgency=medium
[ Andreas Hasenack ]
* Bring back the DEP8 test from sid
* Use iproute2 instead of net-tools
* d/control: drop hardcoded python3 dependency
[ Bernhard Schmidt ]
* Fix apparmor profile name.
Thanks to Andreas Hasenack
* Enable readline support
[ Andreas Hasenack ]
* Update apparmor profile with what is in sid
* Create the missing transitional packages for dnsutils, bind9utils
* There is a licensing conflict with adding libreadline and we should
use libedit-dev instead.
[ Ondřej Surý ]
* Switch to BIND 9.17 for the -dev packages
* New upstream version 9.17.0
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 14:23:38 +0100
bind9 (1:9.16.22-1) unstable; urgency=medium
* New upstream version 9.16.22
-- Ondřej Surý <ondrej@debian.org> Mon, 25 Oct 2021 14:27:31 +0200
bind9 (1:9.16.21-1) unstable; urgency=medium
* New upstream version 9.16.21
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Sep 2021 09:54:17 +0200
bind9 (1:9.16.20-2) unstable; urgency=medium
* Bump MAPAPI to 3.0
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Aug 2021 14:40:11 +0200
bind9 (1:9.16.20-1) unstable; urgency=medium
* New upstream version 9.16.20
-- Ondřej Surý <ondrej@debian.org> Wed, 18 Aug 2021 18:27:37 +0200
bind9 (1:9.16.19-1) unstable; urgency=medium
* New upstream version 9.16.19
-- Ondřej Surý <ondrej@debian.org> Wed, 21 Jul 2021 20:27:13 +0200
bind9 (1:9.16.18-1) unstable; urgency=medium
* New upstream version 9.16.18
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 15:06:55 +0200
bind9 (1:9.16.17-3) unstable; urgency=medium
* Add upstream patch to address 'Checking of key-directory and
dnssec-policy was broken'
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 09:07:09 +0200
bind9 (1:9.16.17-2) unstable; urgency=high
* Add upstream patch to fix: 'W' in wildcard expansions was being mapped
to '\000'.
-- Ondřej Surý <ondrej@debian.org> Fri, 18 Jun 2021 06:45:25 +0200
bind9 (1:9.16.17-1) unstable; urgency=medium
* New upstream version 9.16.17
-- Ondřej Surý <ondrej@debian.org> Thu, 17 Jun 2021 00:10:22 +0200
bind9 (1:9.16.16-2) unstable; urgency=medium
* Revert upstream 'Add a Sphinx role for linking GitLab issues/MRs'
-- Ondřej Surý <ondrej@debian.org> Thu, 20 May 2021 11:28:18 +0200
bind9 (1:9.16.16-1) unstable; urgency=medium
* New upstream version 9.16.16
* Patches to implement I-D draft-hardaker-dnsop-nsec3-guidance were
merged upstream; remove them from the package.
-- Ondřej Surý <ondrej@debian.org> Thu, 20 May 2021 10:00:00 +0200
bind9 (1:9.16.15-1ubuntu3) jammy; urgency=medium
* No-change rebuild against openssl3
-- Simon Chopin <simon.chopin@canonical.com> Wed, 01 Dec 2021 16:06:43 +0000
bind9 (1:9.16.15-1ubuntu2) jammy; urgency=medium
* SECURITY UPDATE: resolver performance degradation via lame cache abuse
- debian/patches/CVE-2021-25219.patch: disable lame cache in
bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
- CVE-2021-25219
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 01 Nov 2021 18:56:43 -0400
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
This fixes a regression of #900788 where services whose startup depends
on name resolutions may fail due to bind9 not being ready (LP #1899902).
* Drop changes:
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
[Fixed in 1:9.16.11-3]
- SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
+ debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
+ CVE-2020-8625
[Fixed in 1:9.16.12-1]
- SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
+ debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
+ CVE-2021-25214
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: assert via answering certain queries for DNAME records
+ debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
+ CVE-2021-25215
[Fixed in 1:9.16.15-1]
- SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
+ debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
+ CVE-2021-25216
[Fixed in 1:9.16.15-1]
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 12 Jul 2021 20:26:40 -0300
bind9 (1:9.16.15-1) unstable; urgency=high
* New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
+ CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
assertion failure in ``named``, causing it to quit abnormally.
+ CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
ANSWER section during DNAME chasing turned out to be the final
answer to a client query.
+ CVE-2021-25216: When a server's configuration set the
``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
specially crafted GSS-TSIG query could cause a buffer overflow in
the ISC implementation of SPNEGO (a protocol enabling negotiation of
the security mechanism used for GSSAPI authentication).
* Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
-- Ondřej Surý <ondrej@debian.org> Thu, 29 Apr 2021 09:11:32 +0200
bind9 (1:9.16.13-1) unstable; urgency=medium
* New upstream version 9.16.13
* Add upstream patches to fix TCP timeouts firing too early
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Mar 2021 14:23:49 +0100
bind9 (1:9.16.12-3) unstable; urgency=medium
* Add most important patches from upcoming 9.16.13 release
-- Ondřej Surý <ondrej@debian.org> Fri, 12 Mar 2021 09:59:49 +0100
bind9 (1:9.16.12-2) unstable; urgency=medium
* Add patch to fix sphinx-build failure on Ubuntu Xenial
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Feb 2021 12:26:09 +0100
bind9 (1:9.16.12-1) unstable; urgency=high
* New upstream version 9.16.12
+ [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
(Closes: #983004)
* Adjust the bind9-libs and bind9-dev packages for new upstream library
names
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Feb 2021 08:13:58 +0100
bind9 (1:9.16.11-3) unstable; urgency=medium
* Split the simple validation test to separate file and mark it as flaky
(Closes: #976045)
-- Ondřej Surý <ondrej@debian.org> Sun, 14 Feb 2021 20:04:39 +0100
bind9 (1:9.16.11-2) unstable; urgency=medium
* Cherry-pick upstream commit to fix segfault with named ACLs used in
allow-update (Closes: #980786)
-- Bernhard Schmidt <berni@debian.org> Fri, 29 Jan 2021 08:27:31 +0100
bind9 (1:9.16.11-1) unstable; urgency=medium
* Add the ISC code-signing key for 2021-2022
* New upstream version 9.16.11
-- Ondřej Surý <ondrej@debian.org> Thu, 21 Jan 2021 09:58:33 +0100
bind9 (1:9.16.10-1) unstable; urgency=medium
* New upstream version 9.16.10
-- Ondřej Surý <ondrej@debian.org> Wed, 16 Dec 2020 22:22:25 +0100
bind9 (1:9.16.9-1) unstable; urgency=medium
* New upstream version 9.16.9
-- Ondřej Surý <ondrej@debian.org> Thu, 26 Nov 2020 12:52:28 +0100
bind9 (1:9.16.8-1ubuntu3.2) impish; urgency=medium
* d/bind9.named.service: use systemd Type=forking to signal daemon init. This
fixes a regression of #900788 where services whose startup depends on name
resolutions may fail due to bind9 not being ready (LP: #1899902).
-- Athos Ribeiro <athos.ribeiro@canonical.com> Fri, 18 Jun 2021 09:24:39 -0300
bind9 (1:9.16.8-1ubuntu3.1) hirsute-security; urgency=medium
* SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
- debian/patches/CVE-2021-25214.patch: immediately reject the entire
transfer for certain RR in lib/dns/xfrin.c.
- CVE-2021-25214
* SECURITY UPDATE: assert via answering certain queries for DNAME records
- debian/patches/CVE-2021-25215.patch: fix assert checks in
lib/ns/query.c.
- CVE-2021-25215
* SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
- debian/rules: build with --disable-isc-spnego to disable internal
SPNEGO and use the one from the kerberos libraries.
- CVE-2021-25216
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 27 Apr 2021 07:07:30 -0400
bind9 (1:9.16.8-1ubuntu3) hirsute; urgency=medium
* SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- debian/patches/CVE-2020-8625.patch: properly calculate length in
lib/dns/spnego.c.
- CVE-2020-8625
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 25 Feb 2021 07:29:46 -0500
bind9 (1:9.16.8-1ubuntu2) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Matthias Klose <doko@ubuntu.com> Mon, 22 Feb 2021 10:44:18 +0100
bind9 (1:9.16.8-1ubuntu1) hirsute; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
* Dropped changes (merged in Debian):
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Paride Legovini <paride.legovini@canonical.com> Sun, 06 Dec 2020 17:10:15 +0100
bind9 (1:9.16.8-1) unstable; urgency=medium
[ Ondřej Surý ]
* New upstream version 9.16.8
[ Bernhard Schmidt ]
* d/t/control:
- tag autopkgtest with needs-internet (Closes: #973955)
- depend on bind9-dnsutils instead of the transitional dnsutils
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Bernhard Schmidt <berni@debian.org> Mon, 09 Nov 2020 23:03:53 +0100
bind9 (1:9.16.7-1) unstable; urgency=medium
* New upstream version 9.16.7
-- Ondřej Surý <ondrej@debian.org> Thu, 17 Sep 2020 10:36:51 +0200
bind9 (1:9.16.6-3ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Andreas Hasenack <andreas@canonical.com> Tue, 15 Sep 2020 10:46:52 -0300
bind9 (1:9.16.6-3) unstable; urgency=medium
[ Ondřej Surý ]
* Add upstream patches to fix some rare conditions (Closes: #969448)
[ Bernhard Schmidt ]
* Set Restart=on-failure in systemd unit
-- Bernhard Schmidt <berni@debian.org> Tue, 15 Sep 2020 00:26:14 +0200
bind9 (1:9.16.6-2ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
* Dropped:
- d/not-installed: list dnstap-read.1 manpage, which is being
installed by the makefile even when dnstap is disabled.
[Fixed upstream]
-- Andreas Hasenack <andreas@canonical.com> Mon, 24 Aug 2020 10:57:08 -0300
bind9 (1:9.16.6-2) unstable; urgency=medium
* Move Build-Depends for documentation to Build-Depends-Indep, this
should fix the arch-any build on s390x where xindy is not available.
-- Bernhard Schmidt <berni@debian.org> Sat, 22 Aug 2020 20:06:00 +0200
bind9 (1:9.16.6-1) unstable; urgency=medium
* New upstream version 9.16.6
-- Ondřej Surý <ondrej@debian.org> Thu, 20 Aug 2020 21:32:46 +0200
bind9 (1:9.16.5-1) unstable; urgency=medium
* New upstream version 9.16.5
* Add fonts-freefont-otf, latexmk, texlive-fonts-recommended,
texlive-latex-recommended, texlive-xetex, xindy to Build-Depends
* Install man pages for tsig-gen and named-compilezone
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Jul 2020 00:29:57 +0200
bind9 (1:9.16.4-1ubuntu2) groovy; urgency=medium
* No change rebuild against new json-c ABI.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 28 Jul 2020 17:42:17 +0100
bind9 (1:9.16.4-1ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
* Dropped:
- SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
+ debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
lib/ns/include/ns/client.h, lib/ns/xfrout.c.
+ CVE-2020-8618
[Fixed upstream]
- SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
label was queried in a certain pattern
+ debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
+ CVE-2020-8619
[Fixed upstream]
* Added changes:
- d/not-installed: list dnstap-read.1 manpage, which is being
installed by the makefile even when dnstap is disabled.
-- Andreas Hasenack <andreas@canonical.com> Mon, 06 Jul 2020 15:22:36 -0300
bind9 (1:9.16.4-1) unstable; urgency=medium
* New upstream version 9.16.4
* Update Debian packaging for sphinx-doc documentation
-- Ondřej Surý <ondrej@debian.org> Wed, 17 Jun 2020 09:27:29 +0200
bind9 (1:9.16.3-1ubuntu2) groovy; urgency=medium
* SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
- debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
lib/ns/include/ns/client.h, lib/ns/xfrout.c.
- CVE-2020-8618
* SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
label was queried in a certain pattern
- debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
- CVE-2020-8619
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Jun 2020 08:29:47 -0400
bind9 (1:9.16.3-1ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
* Dropped:
- d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP #1864761
[The correct fix was to change the dep8 dependency to be on the real
package, and not the transitional one]
- SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
+ debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
+ CVE-2020-8616
[Fixed upstream]
- SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
+ debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
+ CVE-2020-8617
[Fixed upstream]
-- Andreas Hasenack <andreas@canonical.com> Tue, 02 Jun 2020 17:37:44 -0300
bind9 (1:9.16.3-1) unstable; urgency=medium
* New upstream version 9.16.3
-- Ondřej Surý <ondrej@debian.org> Tue, 19 May 2020 14:14:35 +0200
bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/t/simpletest: drop the internetsociety.org test as it requires
network egress access that is not available in the Ubuntu autopkgtest
farm.
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP #1864761)
- d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP #1864761
- d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
- SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
+ debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
+ CVE-2020-8616
- SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
+ debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
+ CVE-2020-8617
* Dropped:
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
[In 1:9.16.1-2]
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
[In 1:9.16.1-2]
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
[In 1:9.16.1-2]
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
[In 1:9.16.1-2]
- d/rules: fix typo in the apparmor profile installation
[In 1:9.16.1-2]
- d/control: create transitional packages for dnsutils, bind9utils
[In 1:9.16.1-2]
- d/p/fix-rebinding-protection.patch: fix rebinding protection bug
when using forwarder setups (LP #1873046)
[Fixed upstream]
-- Andreas Hasenack <andreas@canonical.com> Fri, 22 May 2020 09:52:13 -0300
bind9 (1:9.16.2-3) unstable; urgency=medium
[ Simon Deziel ]
* apparmor: use profile name specifier
-- Bernhard Schmidt <berni@debian.org> Thu, 23 Apr 2020 11:45:43 +0200
bind9 (1:9.16.2-2) unstable; urgency=medium
* Update gbp.conf to debian/master and upstream/latest
* Reintroduce the bind9-dev package (Closes: #954906)
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Apr 2020 12:14:44 +0200
bind9 (1:9.16.2-1) unstable; urgency=medium
* Update d/copyright (Closes: #947978)
* New upstream version 9.16.2 (Closes: #952946, #954919)
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Apr 2020 10:07:07 +0200
bind9 (1:9.16.1-2) unstable; urgency=medium
[ Andreas Hasenack ]
* Bring back the DEP8 test from sid
* Use iproute2 instead of net-tools
* d/control: drop hardcoded python3 dependency
[ Bernhard Schmidt ]
* Fix apparmor profile name.
Thanks to Andreas Hasenack
* Enable readline support
[ Andreas Hasenack ]
* Update apparmor profile with what is in sid
* Create the missing transitional packages for dnsutils, bind9utils
* There is a licensing conflict with adding libreadline and we should
use libedit-dev instead.
[ Ondřej Surý ]
* Add Breaks: freeipa, so the package doesn't migrate to testing before freeipa is fixed
-- Ondřej Surý <ondrej@debian.org> Sun, 22 Mar 2020 09:21:21 +0100
bind9 (1:9.16.1-1) experimental; urgency=medium
* New upstream version 9.16.1
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 13:59:34 +0100
bind9 (1:9.16.1-0ubuntu3) groovy; urgency=medium
* SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
performed when processing referrals
- debian/patches/CVE-2020-8616.patch: further limit the number of
queries that can be triggered from a request in lib/dns/adb.c,
lib/dns/include/dns/adb.h, lib/dns/resolver.c.
- CVE-2020-8616
* SECURITY UPDATE: A logic error in code which checks TSIG validity can
be used to trigger an assertion failure in tsig.c
- debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
BADTIME response in lib/dns/tsig.c.
- CVE-2020-8617
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 May 2020 09:03:32 -0400
bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
* d/p/fix-rebinding-protection.patch: fix rebinding protection bug
when using forwarder setups (LP: #1873046)
-- Andreas Hasenack <andreas@canonical.com> Wed, 15 Apr 2020 14:59:51 -0300
bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium
* New upstream release: 19.16.1 (LP: #1868272)
- drop d/p/bind-v9.16.0-tcp_quota_fix.patch, fixed upstream
- drop d/p/Fix-dns_client_addtrustedkey.patch, fixed upstream
* d/rules: change deprecated --with-libjson-c configure argument to
--with-json-c
-- Andreas Hasenack <andreas@canonical.com> Tue, 24 Mar 2020 11:44:46 -0300
bind9 (1:9.16.0-1ubuntu5) focal; urgency=medium
* d/control, d/rules: enable GeoIP2 support, since libmaxminddb is now
in main (LP: #1866875)
-- Andreas Hasenack <andreas@canonical.com> Mon, 16 Mar 2020 16:17:47 -0300
bind9 (1:9.16.0-1ubuntu4) focal; urgency=medium
* d/p/bind-v9.16.0-tcp_quota_fix.patch: fix error in handling TCP
client quota limits (LP: #1866378)
* d/p/Fix-dns_client_addtrustedkey.patch: fix buffer size in
dns_client_addtrustedkey (LP: #1866384)
-- Andreas Hasenack <andreas@canonical.com> Fri, 06 Mar 2020 15:12:56 -0300
bind9 (1:9.16.0-1ubuntu3) focal; urgency=medium
* d/control: make bind9-dnsutils multi-arch foreign as another step
towards fixing LP: #1864761
-- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 20:19:40 -0300
bind9 (1:9.16.0-1ubuntu2) focal; urgency=medium
* d/t/control: change the dep8 test dependency to be on the real
bind9-dnsutils package, and not the transitional one (LP: #1864761)
-- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 14:16:04 -0300
bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/libdns1104.symbols: don't include dnstap symbols
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control, d/rules: go back to old geoip support, since
libmaxminddb (for GeoIP2) is in universe
* Added back from sid packaging:
- d/t/control, d/t/simpletest: bring back the dep8 test from
debian/sid, with our delta to not query external hosts
- use iproute2 instead of net-tools (LP #1850699):
+ d/control: replace net-tools depends with iproute2
+ d/bind9.init: use ip instead of ifconfig
- d/control: drop hardcoded python3 dependency
(LP #1856211, Closes #946643)
- d/extras/apparmor.d/usr.sbin.named:
+ Add flags=(attach_disconnected) to AppArmor profile
+ AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
(Closes: #928398)
- d/rules: fix typo in the apparmor profile installation
* Added:
- d/control: create transitional packages for dnsutils, bind9utils
- d/NEWS: mention some of the bigger changes in 9.16.0 packaging
- d/control: Enable readline-like support in dnsutils (nslookup and nsupdate)
via libedit-dev (libreadline has a license conflict with bind)
-- Andreas Hasenack <andreas@canonical.com> Mon, 24 Feb 2020 11:51:37 -0300
bind9 (1:9.16.0-1) experimental; urgency=medium
* Change the branch to 9.16
* New upstream version 9.16.0
-- Ondřej Surý <ondrej@debian.org> Thu, 20 Feb 2020 10:54:34 +0100
bind9 (1:9.15.8-1) experimental; urgency=medium
* New upstream version 9.15.8
-- Ondřej Surý <ondrej@debian.org> Thu, 23 Jan 2020 14:58:01 +0100
bind9 (1:9.15.7-1) experimental; urgency=medium
* Add libuv1-dev, libcmocka-dev, libedit-dev and zlib1g-dev to B-D
* Update d/watch to use tar.xz
* New upstream version 9.15.7
-- Ondřej Surý <ondrej@debian.org> Thu, 19 Dec 2019 09:40:52 +0100
bind9 (1:9.15.6-1) experimental; urgency=medium
* Remove useless patches
* New upstream version 9.15.6
-- Ondřej Surý <ondrej@debian.org> Wed, 20 Nov 2019 21:58:06 +0100
bind9 (1:9.15.5-1) experimental; urgency=medium
* New upstream version 9.15.5
* Install python files to dist-packages (Courtesy of Jim Popovitch)
* Remove GPL licensed apport file until one with better license is available
* Remove debian/nslookup.1
* Remove 4-clause BSD content from the package
-- Ondřej Surý <ondrej@sury.org> Thu, 17 Oct 2019 08:41:55 +0200
bind9 (1:9.15.4-1) unstable; urgency=medium
* New upstream version 9.15.4
-- Ondřej Surý <ondrej@sury.org> Mon, 23 Sep 2019 11:54:32 +0200
bind9 (1:9.15.3-2) unstable; urgency=medium
* Fix the section for bind9 alias in the systemd unit [GL #1193]
-- Ondřej Surý <ondrej@sury.org> Wed, 28 Aug 2019 21:35:44 +0200
bind9 (1:9.15.3-1) unstable; urgency=medium
* New upstream version 9.15.3
* isc-config has been removed, remove it from the debian/
-- Ondřej Surý <ondrej@sury.org> Mon, 26 Aug 2019 10:26:41 +0200
bind9 (1:9.15.2-2) unstable; urgency=medium
* Tighten libmaxminddb-dev dependency
* Install the tmpfile for named service again
-- Ondřej Surý <ondrej@sury.org> Wed, 07 Aug 2019 11:11:13 +0200
bind9 (1:9.15.2-1) unstable; urgency=medium
* New upstream version 9.15.2
* Disable old GeoIP and enable new GeoIP2
-- Ondřej Surý <ondrej@sury.org> Thu, 18 Jul 2019 10:09:29 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog bind9-libs`.