Package: bind9 | Debian Sources

Package: bind9 / 1:9.11.5.P4+dfsg-5.1+deb10u3

Metadata

Package	Version	Patches format
bind9	1:9.11.5.P4+dfsg-5.1+deb10u3	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
0001 non linux.diff \| (download)	configure.in \| 5 2 + 3 - 0 ! 1 file changed, 2 insertions(+), 3 deletions(-)	_non-linux FTBFS on kfreebsd, hurd Addresses-Debian-Bug: 741285, 746540 Signed-off-by: LaMont Jones <lamont@debian.org>
0002 multiarch.diff \| (download)	isc-config.sh.in \| 3 1 + 2 - 0 ! 1 file changed, 1 insertion(+), 2 deletions(-)	_multiarch
0003 min cache ttl.diff \| (download)	bin/named/config.c \| 2 2 + 0 - 0 ! bin/named/server.c \| 12 12 + 0 - 0 ! bin/tests/named.conf \| 2 2 + 0 - 0 ! lib/dns/include/dns/ncache.h \| 6 4 + 2 - 0 ! lib/dns/include/dns/view.h \| 2 2 + 0 - 0 ! lib/dns/ncache.c \| 18 12 + 6 - 0 ! lib/dns/resolver.c \| 22 16 + 6 - 0 ! lib/isccfg/namedconf.c \| 2 2 + 0 - 0 ! 8 files changed, 52 insertions(+), 14 deletions(-)	_min-cache-ttl Add min-cache-ttl and min-ncache-ttl keywords Sometimes it is useful to set a 'floor' on the TTL for records to be cached. Some sites like to use ridiculously low TTLs for some reason, and that often is not compatible with slow links. Signed-off-by: Michael Milligan <milli@acmeps.com> Signed-off-by: LaMont Jones <lamont@debian.org>
0004 library_paths.diff \| (download)	lib/dns/Makefile.in \| 4 3 + 1 - 0 ! lib/irs/Makefile.in \| 4 3 + 1 - 0 ! lib/isc/Makefile.in \| 3 3 + 0 - 0 ! lib/isccc/Makefile.in \| 4 3 + 1 - 0 ! lib/isccfg/Makefile.in \| 2 1 + 1 - 0 ! 5 files changed, 13 insertions(+), 4 deletions(-)	_library_paths Makefile.in: be explicit about library paths Debian policy requires that all dependent libs be in the .so, not just the immediately depended ones. Signed-off-by: LaMont Jones <lamont@debian.org>
0005 resource_missing_include.diff \| (download)	lib/isc/unix/resource.c \| 1 1 + 0 - 0 ! 1 file changed, 1 insertion(+)	_resource_missing_include lib/isc/unix/resource.c was missing inttypes.h include. Addresses-Ubuntu-Bug: 674199 Signed-off-by: LaMont Jones <lamont@debian.org>
0006 prepare_native_pkcs11.diff \| (download)	bin/Makefile.in \| 2 1 + 1 - 0 ! bin/dnssec/Makefile.in \| 2 1 + 1 - 0 ! bin/named/Makefile.in \| 2 1 + 1 - 0 ! bin/pkcs11/Makefile.in \| 6 3 + 3 - 0 ! configure.in \| 51 36 + 15 - 0 ! lib/Makefile.in \| 2 1 + 1 - 0 ! make/includes.in \| 10 10 + 0 - 0 ! 7 files changed, 53 insertions(+), 22 deletions(-)	_prepare_native_pkcs11
0007 ctxstart_no_sighandling.diff \| (download)	lib/isc/unix/app.c \| 3 3 + 0 - 0 ! 1 file changed, 3 insertions(+)	_ctxstart_no_sighandling
0008 reproducible_build.diff \| (download)	lib/dns/gen.c \| 35 33 + 2 - 0 ! 1 file changed, 33 insertions(+), 2 deletions(-)	_reproducible_build
0009 Add_ install layout=deb_to_setup.py_call.patch \| (download)	bin/python/Makefile.in \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	add_--install-layout=deb_to_setup.py_call
0010 skip rtld deepbind for dyndb.diff \| (download)	lib/dns/dyndb.c \| 3 0 + 3 - 0 ! 1 file changed, 3 deletions(-)	skip-rtld-deepbind-for-dyndb https://bugzilla.redhat.com/show_bug.cgi?id=1410433 https://bugs.launchpad.net/bugs/1769440
0011 keymgr dont immediately delete.diff \| (download)	bin/python/isc/keyseries.py.in \| 28 26 + 2 - 0 ! bin/tests/system/keymgr/19-old-keys/README \| 7 7 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/expect \| 12 12 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/extra.sh \| 19 19 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/policy.conf \| 18 18 + 0 - 0 ! bin/tests/system/keymgr/clean.sh \| 2 2 + 0 - 0 ! bin/tests/system/keymgr/setup.sh \| 10 10 + 0 - 0 ! bin/tests/system/keymgr/tests.sh \| 34 20 + 14 - 0 ! 8 files changed, 114 insertions(+), 16 deletions(-)	keymgr-dont-immediately-delete
0012 CVE 2018 5743 Limiting simultaneous TCP clients is i.patch \| (download)	bin/named/client.c \| 427 334 + 93 - 0 ! bin/named/include/named/client.h \| 23 14 + 9 - 0 ! bin/named/include/named/interfacemgr.h \| 13 8 + 5 - 0 ! bin/named/interfacemgr.c \| 9 4 + 5 - 0 ! doc/arm/Bv9ARM-book.xml \| 3 2 + 1 - 0 ! lib/isc/include/isc/quota.h \| 7 7 + 0 - 0 ! lib/isc/quota.c \| 33 26 + 7 - 0 ! lib/isc/win32/libisc.def.in \| 1 1 + 0 - 0 ! 8 files changed, 396 insertions(+), 120 deletions(-)	[cve-2018-5743]: limiting simultaneous tcp clients is ineffective
0013 Replace atomic operations in bin named client.c with.patch \| (download)	bin/named/client.c \| 18 7 + 11 - 0 ! bin/named/include/named/interfacemgr.h \| 5 3 + 2 - 0 ! bin/named/interfacemgr.c \| 7 5 + 2 - 0 ! 3 files changed, 15 insertions(+), 15 deletions(-)	replace atomic operations in bin/named/client.c with isc_refcount reference counting
0014 Disable broken Ed448 support.patch \| (download)	config.h.in \| 3 0 + 3 - 0 ! configure \| 201 75 + 126 - 0 ! configure.in \| 33 0 + 33 - 0 ! 3 files changed, 75 insertions(+), 162 deletions(-)	disable broken ed448 support
0015 move item_out test inside lock in dns_dispatch_getne.patch \| (download)	lib/dns/dispatch.c \| 12 8 + 4 - 0 ! 1 file changed, 8 insertions(+), 4 deletions(-)	move item_out test inside lock in dns_dispatch_getnext()
0016 Set a limit on number of simultaneous pipelined TCP .patch \| (download)	bin/named/client.c \| 57 38 + 19 - 0 ! bin/named/include/named/client.h \| 5 4 + 1 - 0 ! 2 files changed, 42 insertions(+), 20 deletions(-)	set a limit on number of simultaneous pipelined tcp queries There was no limit on concurrently served queries served over one pipelined TCP connection, thus it was possible to send thousands queries over a single TCP connection, possibly exhausting the server resources. (cherry picked from commit efaa67749de825073cd7f19778386d0815c4ce29)
0017 libns Rename ns_tcpconn refs member to clients.patch \| (download)	bin/named/client.c \| 16 8 + 8 - 0 ! bin/named/include/named/client.h \| 2 1 + 1 - 0 ! 2 files changed, 9 insertions(+), 9 deletions(-)	libns: rename ns_tcpconn refs member to clients (cherry picked from commit b6d6b50c997b3a00fdde9e0d32c4594ffe94f369)
0018 CVE 2020 8616.patch \| (download)	lib/dns/adb.c \| 33 19 + 14 - 0 ! lib/dns/include/dns/adb.h \| 4 4 + 0 - 0 ! lib/dns/resolver.c \| 55 37 + 18 - 0 ! 3 files changed, 60 insertions(+), 32 deletions(-)	cve-2020-8616
0019 CVE 2020 8617.patch \| (download)	lib/dns/tsig.c \| 7 4 + 3 - 0 ! 1 file changed, 4 insertions(+), 3 deletions(-)	cve-2020-8617
0020 Remove INSIST from from new_reference.patch \| (download)	lib/dns/rbtdb.c \| 238 142 + 96 - 0 ! 1 file changed, 142 insertions(+), 96 deletions(-)	remove insist from from new_reference RBTDB node can now appear on the deadnodes lists following the changes to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to defer checking of node->down when the tree write lock is not held. The node should be unlinked instead. (cherry picked from commit b8c4efb10fc8ef1489120a8169fea42adf97025e)
0021 Always keep a copy of the message.patch \| (download)	lib/dns/message.c \| 24 13 + 11 - 0 ! 1 file changed, 13 insertions(+), 11 deletions(-)	always keep a copy of the message
0022 Fix crash in pk11_numbits when native pkcs11 is used.patch \| (download)	lib/dns/pkcs11dh_link.c \| 15 13 + 2 - 0 ! lib/dns/pkcs11dsa_link.c \| 8 7 + 1 - 0 ! lib/dns/pkcs11rsa_link.c \| 79 60 + 19 - 0 ! lib/isc/include/pk11/internal.h \| 3 2 + 1 - 0 ! lib/isc/pk11.c \| 60 39 + 21 - 0 ! 5 files changed, 121 insertions(+), 44 deletions(-)	fix crash in pk11_numbits() when native-pkcs11 is used
0023 Wait more than 1 second for NSEC3 chain changes.patch \| (download)	bin/tests/system/nsupdate/tests.sh \| 30 21 + 9 - 0 ! 1 file changed, 21 insertions(+), 9 deletions(-)	wait more than 1 second for nsec3 chain changes
0024 Update policy subdomain was incorrectly treated as z.patch \| (download)	bin/named/zoneconf.c \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	[1/3] update-policy 'subdomain' was incorrectly treated as 'zonesub'
0025 Add a test for update policy subdomain.patch \| (download)	bin/tests/system/nsupdate/ns1/named.conf.in \| 6 6 + 0 - 0 ! bin/tests/system/nsupdate/tests.sh \| 25 25 + 0 - 0 ! 2 files changed, 31 insertions(+)	[2/3] add a test for update-policy 'subdomain'
0026 Add a test for update policy zonesub.patch \| (download)	bin/tests/system/nsupdate/ns1/named.conf.in \| 6 6 + 0 - 0 ! bin/tests/system/nsupdate/tests.sh \| 35 31 + 4 - 0 ! 2 files changed, 37 insertions(+), 4 deletions(-)	[3/3] add a test for update-policy 'zonesub'
0027 CVE 2020 8625.patch \| (download)	lib/dns/spnego.c \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	buffer overflow in gssapi security policy negotiation (cve-2020-8625)

Patch	File delta	Description
0001 non linux.diff \| (download)	configure.in \| 5 2 + 3 - 0 ! 1 file changed, 2 insertions(+), 3 deletions(-)	_non-linux FTBFS on kfreebsd, hurd Addresses-Debian-Bug: 741285, 746540 Signed-off-by: LaMont Jones <lamont@debian.org>
0002 multiarch.diff \| (download)	isc-config.sh.in \| 3 1 + 2 - 0 ! 1 file changed, 1 insertion(+), 2 deletions(-)	_multiarch
0003 min cache ttl.diff \| (download)	bin/named/config.c \| 2 2 + 0 - 0 ! bin/named/server.c \| 12 12 + 0 - 0 ! bin/tests/named.conf \| 2 2 + 0 - 0 ! lib/dns/include/dns/ncache.h \| 6 4 + 2 - 0 ! lib/dns/include/dns/view.h \| 2 2 + 0 - 0 ! lib/dns/ncache.c \| 18 12 + 6 - 0 ! lib/dns/resolver.c \| 22 16 + 6 - 0 ! lib/isccfg/namedconf.c \| 2 2 + 0 - 0 ! 8 files changed, 52 insertions(+), 14 deletions(-)	_min-cache-ttl Add min-cache-ttl and min-ncache-ttl keywords Sometimes it is useful to set a 'floor' on the TTL for records to be cached. Some sites like to use ridiculously low TTLs for some reason, and that often is not compatible with slow links. Signed-off-by: Michael Milligan <milli@acmeps.com> Signed-off-by: LaMont Jones <lamont@debian.org>
0004 library_paths.diff \| (download)	lib/dns/Makefile.in \| 4 3 + 1 - 0 ! lib/irs/Makefile.in \| 4 3 + 1 - 0 ! lib/isc/Makefile.in \| 3 3 + 0 - 0 ! lib/isccc/Makefile.in \| 4 3 + 1 - 0 ! lib/isccfg/Makefile.in \| 2 1 + 1 - 0 ! 5 files changed, 13 insertions(+), 4 deletions(-)	_library_paths Makefile.in: be explicit about library paths Debian policy requires that all dependent libs be in the .so, not just the immediately depended ones. Signed-off-by: LaMont Jones <lamont@debian.org>
0005 resource_missing_include.diff \| (download)	lib/isc/unix/resource.c \| 1 1 + 0 - 0 ! 1 file changed, 1 insertion(+)	_resource_missing_include lib/isc/unix/resource.c was missing inttypes.h include. Addresses-Ubuntu-Bug: 674199 Signed-off-by: LaMont Jones <lamont@debian.org>
0006 prepare_native_pkcs11.diff \| (download)	bin/Makefile.in \| 2 1 + 1 - 0 ! bin/dnssec/Makefile.in \| 2 1 + 1 - 0 ! bin/named/Makefile.in \| 2 1 + 1 - 0 ! bin/pkcs11/Makefile.in \| 6 3 + 3 - 0 ! configure.in \| 51 36 + 15 - 0 ! lib/Makefile.in \| 2 1 + 1 - 0 ! make/includes.in \| 10 10 + 0 - 0 ! 7 files changed, 53 insertions(+), 22 deletions(-)	_prepare_native_pkcs11
0007 ctxstart_no_sighandling.diff \| (download)	lib/isc/unix/app.c \| 3 3 + 0 - 0 ! 1 file changed, 3 insertions(+)	_ctxstart_no_sighandling
0008 reproducible_build.diff \| (download)	lib/dns/gen.c \| 35 33 + 2 - 0 ! 1 file changed, 33 insertions(+), 2 deletions(-)	_reproducible_build
0009 Add_ install layout=deb_to_setup.py_call.patch \| (download)	bin/python/Makefile.in \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	add_--install-layout=deb_to_setup.py_call
0010 skip rtld deepbind for dyndb.diff \| (download)	lib/dns/dyndb.c \| 3 0 + 3 - 0 ! 1 file changed, 3 deletions(-)	skip-rtld-deepbind-for-dyndb https://bugzilla.redhat.com/show_bug.cgi?id=1410433 https://bugs.launchpad.net/bugs/1769440
0011 keymgr dont immediately delete.diff \| (download)	bin/python/isc/keyseries.py.in \| 28 26 + 2 - 0 ! bin/tests/system/keymgr/19-old-keys/README \| 7 7 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/expect \| 12 12 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/extra.sh \| 19 19 + 0 - 0 ! bin/tests/system/keymgr/19-old-keys/policy.conf \| 18 18 + 0 - 0 ! bin/tests/system/keymgr/clean.sh \| 2 2 + 0 - 0 ! bin/tests/system/keymgr/setup.sh \| 10 10 + 0 - 0 ! bin/tests/system/keymgr/tests.sh \| 34 20 + 14 - 0 ! 8 files changed, 114 insertions(+), 16 deletions(-)	keymgr-dont-immediately-delete
0012 CVE 2018 5743 Limiting simultaneous TCP clients is i.patch \| (download)	bin/named/client.c \| 427 334 + 93 - 0 ! bin/named/include/named/client.h \| 23 14 + 9 - 0 ! bin/named/include/named/interfacemgr.h \| 13 8 + 5 - 0 ! bin/named/interfacemgr.c \| 9 4 + 5 - 0 ! doc/arm/Bv9ARM-book.xml \| 3 2 + 1 - 0 ! lib/isc/include/isc/quota.h \| 7 7 + 0 - 0 ! lib/isc/quota.c \| 33 26 + 7 - 0 ! lib/isc/win32/libisc.def.in \| 1 1 + 0 - 0 ! 8 files changed, 396 insertions(+), 120 deletions(-)	[cve-2018-5743]: limiting simultaneous tcp clients is ineffective
0013 Replace atomic operations in bin named client.c with.patch \| (download)	bin/named/client.c \| 18 7 + 11 - 0 ! bin/named/include/named/interfacemgr.h \| 5 3 + 2 - 0 ! bin/named/interfacemgr.c \| 7 5 + 2 - 0 ! 3 files changed, 15 insertions(+), 15 deletions(-)	replace atomic operations in bin/named/client.c with isc_refcount reference counting
0014 Disable broken Ed448 support.patch \| (download)	config.h.in \| 3 0 + 3 - 0 ! configure \| 201 75 + 126 - 0 ! configure.in \| 33 0 + 33 - 0 ! 3 files changed, 75 insertions(+), 162 deletions(-)	disable broken ed448 support
0015 move item_out test inside lock in dns_dispatch_getne.patch \| (download)	lib/dns/dispatch.c \| 12 8 + 4 - 0 ! 1 file changed, 8 insertions(+), 4 deletions(-)	move item_out test inside lock in dns_dispatch_getnext()
0016 Set a limit on number of simultaneous pipelined TCP .patch \| (download)	bin/named/client.c \| 57 38 + 19 - 0 ! bin/named/include/named/client.h \| 5 4 + 1 - 0 ! 2 files changed, 42 insertions(+), 20 deletions(-)	set a limit on number of simultaneous pipelined tcp queries There was no limit on concurrently served queries served over one pipelined TCP connection, thus it was possible to send thousands queries over a single TCP connection, possibly exhausting the server resources. (cherry picked from commit efaa67749de825073cd7f19778386d0815c4ce29)
0017 libns Rename ns_tcpconn refs member to clients.patch \| (download)	bin/named/client.c \| 16 8 + 8 - 0 ! bin/named/include/named/client.h \| 2 1 + 1 - 0 ! 2 files changed, 9 insertions(+), 9 deletions(-)	libns: rename ns_tcpconn refs member to clients (cherry picked from commit b6d6b50c997b3a00fdde9e0d32c4594ffe94f369)
0018 CVE 2020 8616.patch \| (download)	lib/dns/adb.c \| 33 19 + 14 - 0 ! lib/dns/include/dns/adb.h \| 4 4 + 0 - 0 ! lib/dns/resolver.c \| 55 37 + 18 - 0 ! 3 files changed, 60 insertions(+), 32 deletions(-)	cve-2020-8616
0019 CVE 2020 8617.patch \| (download)	lib/dns/tsig.c \| 7 4 + 3 - 0 ! 1 file changed, 4 insertions(+), 3 deletions(-)	cve-2020-8617
0020 Remove INSIST from from new_reference.patch \| (download)	lib/dns/rbtdb.c \| 238 142 + 96 - 0 ! 1 file changed, 142 insertions(+), 96 deletions(-)	remove insist from from new_reference RBTDB node can now appear on the deadnodes lists following the changes to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to defer checking of node->down when the tree write lock is not held. The node should be unlinked instead. (cherry picked from commit b8c4efb10fc8ef1489120a8169fea42adf97025e)
0021 Always keep a copy of the message.patch \| (download)	lib/dns/message.c \| 24 13 + 11 - 0 ! 1 file changed, 13 insertions(+), 11 deletions(-)	always keep a copy of the message
0022 Fix crash in pk11_numbits when native pkcs11 is used.patch \| (download)	lib/dns/pkcs11dh_link.c \| 15 13 + 2 - 0 ! lib/dns/pkcs11dsa_link.c \| 8 7 + 1 - 0 ! lib/dns/pkcs11rsa_link.c \| 79 60 + 19 - 0 ! lib/isc/include/pk11/internal.h \| 3 2 + 1 - 0 ! lib/isc/pk11.c \| 60 39 + 21 - 0 ! 5 files changed, 121 insertions(+), 44 deletions(-)	fix crash in pk11_numbits() when native-pkcs11 is used
0023 Wait more than 1 second for NSEC3 chain changes.patch \| (download)	bin/tests/system/nsupdate/tests.sh \| 30 21 + 9 - 0 ! 1 file changed, 21 insertions(+), 9 deletions(-)	wait more than 1 second for nsec3 chain changes
0024 Update policy subdomain was incorrectly treated as z.patch \| (download)	bin/named/zoneconf.c \| 3 2 + 1 - 0 ! 1 file changed, 2 insertions(+), 1 deletion(-)	[1/3] update-policy 'subdomain' was incorrectly treated as 'zonesub'
0025 Add a test for update policy subdomain.patch \| (download)	bin/tests/system/nsupdate/ns1/named.conf.in \| 6 6 + 0 - 0 ! bin/tests/system/nsupdate/tests.sh \| 25 25 + 0 - 0 ! 2 files changed, 31 insertions(+)	[2/3] add a test for update-policy 'subdomain'
0026 Add a test for update policy zonesub.patch \| (download)	bin/tests/system/nsupdate/ns1/named.conf.in \| 6 6 + 0 - 0 ! bin/tests/system/nsupdate/tests.sh \| 35 31 + 4 - 0 ! 2 files changed, 37 insertions(+), 4 deletions(-)	[3/3] add a test for update-policy 'zonesub'
0027 CVE 2020 8625.patch \| (download)	lib/dns/spnego.c \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	buffer overflow in gssapi security policy negotiation (cve-2020-8625)