-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.12) lucid-security; urgency=medium
* SECURITY UPDATE: denial of service via delegation handling defect
- limit max recursion in bin/named/config.c, bin/named/query.c,
bin/named/server.c, lib/dns/adb.c, lib/dns/include/dns/adb.h,
lib/dns/include/dns/resolver.h, lib/dns/resolver.c,
lib/export/isc/Makefile.in, lib/isc/Makefile.in, lib/isc/counter.c,
lib/isc/include/isc/counter.h, lib/isc/include/isc/Makefile.in,
lib/isc/include/isc/types.h, lib/isc/tests/counter_test.c,
lib/isccfg/namedconf.c.
- Based on patch provided by upstream.
- CVE-2014-8500
-- Marc Deslauriers <email address hidden> Tue, 09 Dec 2014 13:46:06 -0500
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.11) lucid-security; urgency=low
* SECURITY UPDATE: denial of service when processing NSEC3-signed zone
queries
- debian/patches/CVE-2014-0591.patch: don't call memcpy with
overlapping ranges in bin/named/query.c.
- patch backported from 9.8.6-P2.
- CVE-2014-0591
-- Marc Deslauriers <email address hidden> Fri, 10 Jan 2014 09:45:07 -0500
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.10) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via incorrect bounds checking on
private type 'keydata'
- lib/dns/rdata/generic/keydata_65533.c: check for correct length.
- Patch backported from 9.8.5-P2
- CVE-2013-4854
-- Marc Deslauriers <email address hidden> Fri, 26 Jul 2013 22:57:04 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.9) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via regex syntax checking
- configure,configure.in,config.h.in: remove check for regex.h to
disable regex syntax checking.
- CVE-2013-2266
-- Marc Deslauriers <email address hidden> Thu, 28 Mar 2013 15:26:27 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.8) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via specific combinations of RDATA
- bin/named/query.c: fix logic
- Patch backported from 9.8.3-P4
- CVE-2012-5166
-- Marc Deslauriers <email address hidden> Fri, 05 Oct 2012 10:55:09 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.7) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via large crafted resource record
- check length in lib/dns/include/dns/rdata.h,
lib/dns/{master,rdata,rdataslab}.c.
- Patch backported from 9.7.6-P3
- CVE-2012-4244
-- Marc Deslauriers <email address hidden> Thu, 13 Sep 2012 07:57:13 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.6) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via dnssec validation load
- lib/dns/resolver.c: don't use bad->expire before it has been set.
- Patch backported from 9.7.6-P2.
- CVE-2012-3817
-- Marc Deslauriers <email address hidden> Wed, 25 Jul 2012 16:27:13 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.5) lucid-security; urgency=low
* SECURITY UPDATE: ghost domain names attack
- lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that
of the old NS RRset when replacing it.
- Patch backported from 9.7.5.
- CVE-2012-1033
* SECURITY UPDATE: denial of service via zero length rdata handling
- lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for
duplicate rdata.
- Patch backported from 9.7.6-P1.
- CVE-2012-1667
-- Marc Deslauriers <email address hidden> Mon, 04 Jun 2012 13:47:38 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.4) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via specially crafted packet
- bin/named/query.c,lib/dns/rbtdb.c: correctly handle cache lookups
that return RRSIG data associated with nonexistent records.
- Patch backported from 9.7.4-P1.
- CVE-2011-4313
-- Marc Deslauriers <email address hidden> Wed, 16 Nov 2011 14:29:38 -0500
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.3) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via specially crafted packet
- lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache,
nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute
flag to indicate negative-cache records rather than using rrtype 0.
- Patch backported from 9.7.3-P3.
- CVE-2011-2464
-- Marc Deslauriers <email address hidden> Tue, 05 Jul 2011 09:15:54 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.2) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via multiple trust anchors for a
single zone
- lib/dns/validator.c: fix arguments to dns_keytable_findnextkeynode().
- Upstream change 2869.
- CVE-2010-3762
* SECURITY UPDATE: denial of service via off-by-one
- lib/dns/ncache.c: correctly validate length.
- Patch backported from 9.7.3-P1.
- CVE-2011-1910
-- Marc Deslauriers <email address hidden> Fri, 27 May 2011 13:03:07 -0400
-
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.1) lucid-security; urgency=low
* SECURITY UPDATE: denial of service via ncache entry and a rrsig for the
same type
- lib/dns/rbtdb.c: properly mark existing RRSIG records as stale.
- bin/tests/system/resolver/*: added tests.
- CVE-2010-3613
* SECURITY UPDATE: answers incorrectly marked as insecure during key
algorithm rollover
- lib/dns/include/dns/types.h, lib/dns/validator.c: improve logic.
- bin/tests/system/dnssec/*: added tests.
- CVE-2010-3614
-- Marc Deslauriers <email address hidden> Fri, 26 Nov 2010 15:53:25 -0500
-
bind9 (1:9.7.0.dfsg.P1-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.7.0-P1
- 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
-- LaMont Jones <email address hidden> Mon, 22 Mar 2010 18:18:27 +0000
-
bind9 (1:9.7.0.dfsg.P1-1~build1) lucid; urgency=low
* build for upload
-- LaMont Jones <email address hidden> Wed, 17 Mar 2010 09:09:35 -0600
-
bind9 (1:9.7.0.dfsg.1-1~build1) lucid; urgency=low
* lucid port
-- LaMont Jones <email address hidden> Fri, 12 Mar 2010 15:16:53 -0700
-
bind9 (1:9.7.0.dfsg-2~build1) lucid; urgency=low
* no-change lucid-port.
-- LaMont Jones <email address hidden> Thu, 04 Mar 2010 10:46:42 -0700
-
bind9 (1:9.7.0.dfsg-1~build1) lucid; urgency=low
* upload of -1 to lucid, LP#530107
-- LaMont Jones <email address hidden> Mon, 01 Mar 2010 20:51:23 -0700
-
bind9 (1:9.6.1.dfsg.P3-1) unstable; urgency=low
* New upstream release. CVE-2010-0097
-- Ubuntu Archive Auto-Sync <email address hidden> Mon, 01 Feb 2010 23:57:18 +0000
-
bind9 (1:9.6.1.dfsg.P3-1~build1) lucid; urgency=low
* Ubuntu upload for early access to 9.6.1.dfsg.P3-1.
9.6.1.dfsg.P3-1 should sync over: no source changes present.
-- LaMont Jones <email address hidden> Tue, 19 Jan 2010 11:45:55 -0700
-
bind9 (1:9.6.1.dfsg.P2-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.6.1-P2
- When validating, track whether pending data was from the
additional section or not and only return it if it validates
as secure. [RT #20438] CVE-2009-4022
[LaMont Jones]
* prerm: do not stop named on upgrade. Closes: #542888
* Drop some RFCs that crept into the diff.
* meta: add ${misc:Depends}
* lintian: update config.guess, config.sub in idnkit-1.0 tree
* dnsutils: remove pre-sarge dpkg-divert calls in postinst
* meta: soname changes
* l10n: missing newline in pofile.
-- Ubuntu Archive Auto-Sync <email address hidden> Mon, 14 Dec 2009 18:46:02 +0000
-
bind9 (1:9.6.1.dfsg.P2-1~1build1) lucid; urgency=low
* upload to lucid
-- LaMont Jones <email address hidden> Fri, 27 Nov 2009 15:48:44 -0700
-
bind9 (1:9.6.1.dfsg.P1-3) unstable; urgency=low
* Build-Depend on the fixed libgeoip-dev. Closes: #540973
bind9 (1:9.6.1.dfsg.P1-2) unstable; urgency=low
[Jamie Strandboge]
* reload individual named profile, not all of apparmor. LP: #412751
[Guillaume Delacour]
* bind9 did not purge cleanly. Closes: #497959
[LaMont Jones]
* postinst: do not append a blank line to /etc/default/bind9.
Closes: #541469
* init.d stop needs to not error out. LP: #398033
* meta: fix build-depends. Closes: #539230
-- LaMont Jones <email address hidden> Wed, 19 Aug 2009 22:47:32 +0100