Package: bind9 / 1:9.10.3.dfsg.P4-12.3+deb9u5

Metadata

Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
02_version.diff

version | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
05_non-linux.diff

configure.in | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

---
07_multiarch.diff

isc-config.sh.in | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

---
10_min-cache-ttl.diff

bin/named/config.c | 2 2 + 0 - 0 !
bin/named/server.c | 12 12 + 0 - 0 !
bin/tests/named.conf | 2 2 + 0 - 0 !
lib/dns/include/dns/ncache.h | 4 2 + 2 - 0 !
lib/dns/include/dns/view.h | 2 2 + 0 - 0 !
lib/dns/ncache.c | 14 8 + 6 - 0 !
lib/dns/resolver.c | 20 14 + 6 - 0 !
lib/isccfg/namedconf.c | 2 2 + 0 - 0 !
8 files changed, 44 insertions(+), 14 deletions(-)

---
20_random_1.diff

bin/named/server.c | 2 2 + 0 - 0 !
lib/bind9/check.c | 1 1 + 0 - 0 !
lib/dns/include/dns/rdataset.h | 2 2 + 0 - 0 !
lib/dns/order.c | 1 1 + 0 - 0 !
lib/dns/rdataset.c | 10 8 + 2 - 0 !
5 files changed, 14 insertions(+), 2 deletions(-)

---
25_library_paths.diff

lib/dns/Makefile.in | 4 3 + 1 - 0 !
lib/irs/Makefile.in | 4 3 + 1 - 0 !
lib/isc/Makefile.in | 3 3 + 0 - 0 !
lib/isccc/Makefile.in | 4 3 + 1 - 0 !
lib/isccfg/Makefile.in | 2 1 + 1 - 0 !
5 files changed, 13 insertions(+), 4 deletions(-)

---
30_dynamic_db.diff

bin/named/main.c | 1 1 + 0 - 0 !
bin/named/server.c | 100 100 + 0 - 0 !
lib/dns/Makefile.in | 10 8 + 2 - 0 !
lib/dns/dynamic_db.c | 367 367 + 0 - 0 !
lib/dns/include/dns/Makefile.in | 2 1 + 1 - 0 !
lib/dns/include/dns/dynamic_db.h | 51 51 + 0 - 0 !
lib/dns/include/dns/log.h | 1 1 + 0 - 0 !
lib/dns/include/dns/types.h | 1 1 + 0 - 0 !
lib/dns/log.c | 1 1 + 0 - 0 !
lib/isccfg/namedconf.c | 36 36 + 0 - 0 !
10 files changed, 567 insertions(+), 3 deletions(-)

---
32_mips_atomic.diff

lib/isc/mips/include/isc/atomic.h | 54 6 + 48 - 0 !
1 file changed, 6 insertions(+), 48 deletions(-)

 replace mips atomics assembly with calls to c11 atomic functions
 This fixes various hangs and crashes on MIPS.

33_resource_missing_include.diff

lib/isc/unix/resource.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

---
34_prepare_native_pkcs11.diff

bin/Makefile.in | 2 1 + 1 - 0 !
bin/dnssec/Makefile.in | 2 1 + 1 - 0 !
bin/named/Makefile.in | 2 1 + 1 - 0 !
bin/pkcs11/Makefile.in | 6 3 + 3 - 0 !
configure.in | 61 46 + 15 - 0 !
lib/Makefile.in | 2 1 + 1 - 0 !
make/includes.in | 10 10 + 0 - 0 !
7 files changed, 63 insertions(+), 22 deletions(-)

---
70_precise_time.diff

lib/isc/unix/file.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 return the nanoseconds portion of file timestamps.  available
 from Linux since 2.6.

75_ctxstart_no_sighandling.diff

lib/isc/unix/app.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 do not modify signal handling for external isc apps
 Not sure this is a un-fix but it looks like before the change there was
 no modification of signal handlers when being called via appmethods
 ctxstart.

CVE-2016-2775.patch

bin/named/lwdgrbn.c | 16 10 + 6 - 0 !
1 file changed, 10 insertions(+), 6 deletions(-)

---
CVE-2016-2776.patch

lib/dns/message.c | 42 31 + 11 - 0 !
1 file changed, 31 insertions(+), 11 deletions(-)

---
CVE-2016-8864.patch

lib/dns/resolver.c | 69 47 + 22 - 0 !
1 file changed, 47 insertions(+), 22 deletions(-)

---
CVE-2016-9131.patch

lib/dns/resolver.c | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

---
CVE-2016-9147.patch

lib/dns/resolver.c | 18 11 + 7 - 0 !
1 file changed, 11 insertions(+), 7 deletions(-)

---
CVE-2016-9444.patch

lib/dns/message.c | 76 73 + 3 - 0 !
lib/dns/resolver.c | 21 8 + 13 - 0 !
2 files changed, 81 insertions(+), 16 deletions(-)

---
CVE-2016-8864-regression.patch

lib/dns/resolver.c | 37 23 + 14 - 0 !
1 file changed, 23 insertions(+), 14 deletions(-)

---
CVE-2016-8864-regression2.patch

lib/dns/resolver.c | 150 104 + 46 - 0 !
1 file changed, 104 insertions(+), 46 deletions(-)

---
CVE-2017-3135.patch

bin/named/query.c | 59 27 + 32 - 0 !
lib/dns/message.c | 6 3 + 3 - 0 !
lib/dns/rdataset.c | 1 1 + 0 - 0 !
3 files changed, 31 insertions(+), 35 deletions(-)

---
CVE-2017-3136.patch

bin/named/query.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] 4575. [security] dns64 with break-dnssec yes; can result in an assertion failure. (CVE-2017-3136) [RT #44653]

(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)

CVE-2017-3137-1.patch

lib/dns/resolver.c | 38 12 + 26 - 0 !
1 file changed, 12 insertions(+), 26 deletions(-)

 [patch] [v9_10] remove unnecessary insist and prep 9.10.5rc2

 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098)
(cherry picked from commit 559cbe04e73cf601784a371e09554c20407a6c7b)

CVE-2017-3137-2.patch

bin/tests/system/dname/ns2/example.db | 1 1 + 0 - 0 !
bin/tests/system/dname/tests.sh | 15 12 + 3 - 0 !
bin/tests/system/rpz/tests.sh | 2 1 + 1 - 0 !
lib/dns/resolver.c | 813 306 + 507 - 0 !
4 files changed, 320 insertions(+), 511 deletions(-)

 [patch] reimplement: 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]

(cherry picked from commit f240f4a5decae09cdabb83f824e0fd339377ad7e)

CVE-2017-3137-3.patch

lib/dns/resolver.c | 39 23 + 16 - 0 !
1 file changed, 23 insertions(+), 16 deletions(-)

 [patch] 4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635ddab0b717a675f49b1180dbf8ef803e)

CVE-2017-3138.patch

bin/tests/system/rndc/tests.sh | 8 8 + 0 - 0 !
lib/isc/include/isc/lex.h | 2 0 + 2 - 0 !
lib/isc/lex.c | 5 3 + 2 - 0 !
3 files changed, 11 insertions(+), 4 deletions(-)

 [patch] 4582. [security] 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138) [RT #44924]

(cherry picked from commit 8e8dfc5941e2375f2f8dadf3706258dd0db5f2e6)

CVE-2017-3142+CVE-2017-3143.patch

lib/dns/dnssec.c | 3 3 + 0 - 0 !
lib/dns/message.c | 15 11 + 4 - 0 !
lib/dns/tsig.c | 291 225 + 66 - 0 !
3 files changed, 239 insertions(+), 70 deletions(-)

---
CVE-2017-3142_regression.patch

lib/dns/tests/Makefile.in | 7 7 + 0 - 0 !
lib/dns/tests/tsig_test.c | 489 489 + 0 - 0 !
lib/dns/tsig.c | 10 8 + 2 - 0 !
3 files changed, 504 insertions(+), 2 deletions(-)

 [patch] 4647. [bug] change 4643 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509]

860794-new-dnssec-keys.patch

bind.keys | 67 45 + 22 - 0 !
bind.keys.h | 140 92 + 48 - 0 !
2 files changed, 137 insertions(+), 70 deletions(-)

 add upcoming dnssec ksk-2017 root key

 4564. [maint] Update the built-in managed keys to include the upcoming root KSK. [RT #44579]

CVE-2017-3145.patch

lib/dns/resolver.c | 37 23 + 14 - 0 !
1 file changed, 23 insertions(+), 14 deletions(-)

 fix cve-2017-3145
 Addresses could be referenced after being freed in
 resolver.c, causing an assertion failure.

0031-denied-axfr-requests-were-not-effective-for-writable.patch

bin/named/xfrout.c | 8 4 + 4 - 0 !
bin/tests/system/dlzexternal/driver.c | 12 9 + 3 - 0 !
2 files changed, 13 insertions(+), 7 deletions(-)

 denied axfr requests were not effective for writable dlz zones

(cherry picked from commit 048e3acfdd19189bf927cb3431a28d4da2d09ac7)
(cherry picked from commit bf045b387c2eef0cdb9b89526c8d281f76f754db)
(cherry picked from commit 5a1ae8e14a7f43ce21d891001c626c6be9f589da)
(cherry picked from commit f8748d00dd866d47174d8650e6ef30539f2411ef)

0032-Don-t-free-key-in-compute_tag-in-case-of-failure.patch

lib/dns/zone.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 don't free key in compute_tag in case of failure

If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created.  Doing so
nevertheless will result in an assertion failure.

This can happen if the key uses an unsupported algorithm.

(cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
(cherry picked from commit f2f688d8240adbb068b0abcb4e504af640f3c69d)
(cherry picked from commit 5c79917e4d8ba0f14724b33192ba5b86babc43d2)
(cherry picked from commit 52d5b62818fb4a86e779757cddb154d8a07358f2)

0033-Update-keyfetch_done-compute_tag-check.patch

lib/dns/include/dst/dst.h | 3 1 + 2 - 0 !
lib/dns/zone.c | 32 32 + 0 - 0 !
2 files changed, 33 insertions(+), 2 deletions(-)

 update keyfetch_done compute_tag check

If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
(cherry picked from commit ebe76bbaaf57a0dfb1666eb12c7266411c778580)
(cherry picked from commit 5ce2709dca32055c9f7985ee24acf27d58cba9f9)
(cherry picked from commit 5ebf5035ad550711ae3507cd791d18340011e4a9)
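
The two commit messages above (0032 and 0033) describe an ownership rule on an error path: a key object exists only when dns_dnssec_keyfromrdata() succeeded, so freeing on failure trips the REQUIRE() in dst_key_free(), and a key whose tag cannot be computed should be skipped rather than abort the fetch. The following stand-alone C11 program is an added illustration of that pattern, not BIND code: the result codes, the struct dnskey type, the supported-algorithm list, and the sample DNSKEY RDATA are all constructed here. The only behaviour it borrows from the real API is that key_from_rdata() allocates solely on success and key_free() aborts on a NULL key. The key tag itself is computed as in RFC 4034 Appendix B over the full DNSKEY RDATA, which the page does not spell out.

```c
/*
 * Added example (not BIND code): compute_tag / keyfetch_done error handling
 * as described by Debian patches 0032 and 0033, with an RFC 4034 App. B key
 * tag.  Result codes, types, algorithm list and sample RDATA are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int isc_result_t;                               /* hypothetical stand-in */
enum { R_SUCCESS = 0, R_BADFORMAT = 1, R_UNSUPPORTEDALG = 2, R_NOMEMORY = 3 };

struct dnskey {
    uint16_t flags;
    uint8_t  protocol;
    uint8_t  algorithm;
    uint16_t tag;
    size_t   rdlen;
    uint8_t  rdata[];           /* whole DNSKEY RDATA, flags first */
};

/* Constructed list of algorithms this toy accepts: RSASHA1, RSASHA1-NSEC3,
 * RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384. */
static int alg_supported(uint8_t alg)
{
    static const uint8_t ok[] = { 5, 7, 8, 10, 13, 14 };
    for (size_t i = 0; i < sizeof ok; i++)
        if (ok[i] == alg) return 1;
    return 0;
}

/* RFC 4034 Appendix B key tag over the complete DNSKEY RDATA.  The RSAMD5
 * (algorithm 1) special case is not implemented; alg 1 is rejected earlier. */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Build a key from RDATA.  On failure *keyp is untouched and nothing is
 * allocated: that is the contract the 0032 fix depends on. */
isc_result_t key_from_rdata(const uint8_t *rdata, size_t len, struct dnskey **keyp)
{
    if (len < 5)         return R_BADFORMAT;     /* flags(2) proto(1) alg(1) + key */
    if (rdata[2] != 3)   return R_BADFORMAT;     /* protocol must be 3 (RFC 4034 2.1.2) */
    if (!alg_supported(rdata[3])) return R_UNSUPPORTEDALG;

    struct dnskey *k = malloc(sizeof *k + len);
    if (k == NULL) return R_NOMEMORY;
    k->flags     = (uint16_t)((rdata[0] << 8) | rdata[1]);
    k->protocol  = rdata[2];
    k->algorithm = rdata[3];
    k->rdlen     = len;
    memcpy(k->rdata, rdata, len);
    k->tag = dnskey_keytag(rdata, len);
    *keyp = k;
    return R_SUCCESS;
}

/* Mirrors the REQUIRE() contract of dst_key_free(): freeing a NULL key is a
 * programming error, which is what turned the 0032 bug into a crash. */
void key_free(struct dnskey **keyp)
{
    if (keyp == NULL || *keyp == NULL) {
        fputs("key_free: REQUIRE(*keyp != NULL) failed\n", stderr);
        abort();
    }
    free(*keyp);
    *keyp = NULL;
}

/* compute_tag as fixed by 0032: free only what was actually created. */
isc_result_t compute_tag(const uint8_t *rdata, size_t len, uint16_t *tagp)
{
    struct dnskey *key = NULL;
    isc_result_t result = key_from_rdata(rdata, len, &key);
    if (result != R_SUCCESS)
        return result;          /* the buggy version called key_free(&key) here */
    *tagp = key->tag;
    key_free(&key);
    return R_SUCCESS;
}

/* keyfetch_done as fixed by 0033: a key whose tag cannot be computed is
 * skipped, not fatal.  Returns the number of usable keys; tags[] receives
 * their tags in order and *skipped counts the rejected ones. */
size_t tag_rrset(const uint8_t *const *rrs, const size_t *lens, size_t n,
                 uint16_t *tags, size_t *skipped)
{
    size_t usable = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t tag;
        if (compute_tag(rrs[i], lens[i], &tag) != R_SUCCESS) {
            (*skipped)++;
            continue;
        }
        tags[usable++] = tag;
    }
    return usable;
}

/* Constructed sample RDATA: flags, protocol 3, algorithm, then a four-byte
 * stand-in for the public key.  Algorithm 250 is simply not in the list above. */
static const uint8_t sample_rsasha256[]   = { 0x01, 0x00, 3, 8,   1, 2, 3, 4 };
static const uint8_t sample_ecdsa256[]    = { 0x01, 0x01, 3, 13,  9, 8, 7, 6 };
static const uint8_t sample_unsupported[] = { 0x01, 0x00, 3, 250, 1, 2, 3, 4 };

int main(void)
{
    const uint8_t *rrs[]  = { sample_rsasha256, sample_unsupported, sample_ecdsa256 };
    const size_t   lens[] = { sizeof sample_rsasha256, sizeof sample_unsupported,
                              sizeof sample_ecdsa256 };
    uint16_t tags[3];
    size_t skipped;
    size_t n = tag_rrset(rrs, lens, 3, tags, &skipped);
    for (size_t i = 0; i < n; i++)
        printf("key tag %u\n", tags[i]);
    printf("%zu usable, %zu skipped\n", n, skipped);
    return 0;
}
```

With the constructed RRset the unsupported key is counted as skipped and the other two yield tags 2062 and 5148; the pre-0032 behaviour would have reached key_free() with a NULL pointer on the second RR and aborted the whole fetch.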

CVE-2018-5743.patch

bin/named/client.c | 357 292 + 65 - 0 !
bin/named/include/named/client.h | 14 10 + 4 - 0 !
bin/named/include/named/interfacemgr.h | 13 8 + 5 - 0 !
bin/named/interfacemgr.c | 9 4 + 5 - 0 !
lib/isc/include/isc/quota.h | 7 7 + 0 - 0 !
lib/isc/quota.c | 33 26 + 7 - 0 !
lib/isc/win32/libisc.def.in | 1 1 + 0 - 0 !
7 files changed, 348 insertions(+), 86 deletions(-)

 fix limiting simultaneous tcp clients is ineffective

CVE-2018-5743-atomic-fix.patch

bin/named/client.c | 18 7 + 11 - 0 !
bin/named/include/named/interfacemgr.h | 5 3 + 2 - 0 !
bin/named/interfacemgr.c | 7 5 + 2 - 0 !
3 files changed, 15 insertions(+), 15 deletions(-)

 [patch] replace atomic operations in bin/named/client.c with
 isc_refcount reference counting