Package: bind9 / 1:9.11.5.P4+dfsg-5.1+deb10u3

Metadata

Package Version Patches format
bind9 1:9.11.5.P4+dfsg-5.1+deb10u3 3.0 (quilt)

Patch series

Patch File delta Description
0001 non linux.diff | (download)

configure.in | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 _non-linux

    FTBFS on kfreebsd, hurd

    Addresses-Debian-Bug: 741285, 746540
    Signed-off-by: LaMont Jones <lamont@debian.org>

0002 multiarch.diff | (download)

isc-config.sh.in | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 _multiarch


0003 min cache ttl.diff | (download)

bin/named/config.c | 2 2 + 0 - 0 !
bin/named/server.c | 12 12 + 0 - 0 !
bin/tests/named.conf | 2 2 + 0 - 0 !
lib/dns/include/dns/ncache.h | 6 4 + 2 - 0 !
lib/dns/include/dns/view.h | 2 2 + 0 - 0 !
lib/dns/ncache.c | 18 12 + 6 - 0 !
lib/dns/resolver.c | 22 16 + 6 - 0 !
lib/isccfg/namedconf.c | 2 2 + 0 - 0 !
8 files changed, 52 insertions(+), 14 deletions(-)

 _min-cache-ttl

    Add min-cache-ttl and min-ncache-ttl keywords

    Sometimes it is useful to set a 'floor' on the TTL for records
    to be cached.  Some sites like to use ridiculously low TTLs for
    some reason, and that often is not compatible with slow links.

    Signed-off-by: Michael Milligan <milli@acmeps.com>
    Signed-off-by: LaMont Jones <lamont@debian.org>

0004 library_paths.diff | (download)

lib/dns/Makefile.in | 4 3 + 1 - 0 !
lib/irs/Makefile.in | 4 3 + 1 - 0 !
lib/isc/Makefile.in | 3 3 + 0 - 0 !
lib/isccc/Makefile.in | 4 3 + 1 - 0 !
lib/isccfg/Makefile.in | 2 1 + 1 - 0 !
5 files changed, 13 insertions(+), 4 deletions(-)

 _library_paths

    Makefile.in: be explicit about library paths

    Debian policy requires that all dependent libs be in the .so, not just the
    immediately depended ones.

    Signed-off-by: LaMont Jones <lamont@debian.org>

0005 resource_missing_include.diff | (download)

lib/isc/unix/resource.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 _resource_missing_include

    lib/isc/unix/resource.c was missing inttypes.h include.

    Addresses-Ubuntu-Bug: 674199
    Signed-off-by: LaMont Jones <lamont@debian.org>

0006 prepare_native_pkcs11.diff | (download)

bin/Makefile.in | 2 1 + 1 - 0 !
bin/dnssec/Makefile.in | 2 1 + 1 - 0 !
bin/named/Makefile.in | 2 1 + 1 - 0 !
bin/pkcs11/Makefile.in | 6 3 + 3 - 0 !
configure.in | 51 36 + 15 - 0 !
lib/Makefile.in | 2 1 + 1 - 0 !
make/includes.in | 10 10 + 0 - 0 !
7 files changed, 53 insertions(+), 22 deletions(-)

 _prepare_native_pkcs11


0007 ctxstart_no_sighandling.diff | (download)

lib/isc/unix/app.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 _ctxstart_no_sighandling


0008 reproducible_build.diff | (download)

lib/dns/gen.c | 35 33 + 2 - 0 !
1 file changed, 33 insertions(+), 2 deletions(-)

 _reproducible_build


0009 Add_ install layout=deb_to_setup.py_call.patch | (download)

bin/python/Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 add_--install-layout=deb_to_setup.py_call


0010 skip rtld deepbind for dyndb.diff | (download)

lib/dns/dyndb.c | 3 0 + 3 - 0 !
1 file changed, 3 deletions(-)

 skip-rtld-deepbind-for-dyndb

https://bugzilla.redhat.com/show_bug.cgi?id=1410433
https://bugs.launchpad.net/bugs/1769440

0011 keymgr dont immediately delete.diff | (download)

bin/python/isc/keyseries.py.in | 28 26 + 2 - 0 !
bin/tests/system/keymgr/19-old-keys/README | 7 7 + 0 - 0 !
bin/tests/system/keymgr/19-old-keys/expect | 12 12 + 0 - 0 !
bin/tests/system/keymgr/19-old-keys/extra.sh | 19 19 + 0 - 0 !
bin/tests/system/keymgr/19-old-keys/policy.conf | 18 18 + 0 - 0 !
bin/tests/system/keymgr/clean.sh | 2 2 + 0 - 0 !
bin/tests/system/keymgr/setup.sh | 10 10 + 0 - 0 !
bin/tests/system/keymgr/tests.sh | 34 20 + 14 - 0 !
8 files changed, 114 insertions(+), 16 deletions(-)

 keymgr-dont-immediately-delete


0012 CVE 2018 5743 Limiting simultaneous TCP clients is i.patch | (download)

bin/named/client.c | 427 334 + 93 - 0 !
bin/named/include/named/client.h | 23 14 + 9 - 0 !
bin/named/include/named/interfacemgr.h | 13 8 + 5 - 0 !
bin/named/interfacemgr.c | 9 4 + 5 - 0 !
doc/arm/Bv9ARM-book.xml | 3 2 + 1 - 0 !
lib/isc/include/isc/quota.h | 7 7 + 0 - 0 !
lib/isc/quota.c | 33 26 + 7 - 0 !
lib/isc/win32/libisc.def.in | 1 1 + 0 - 0 !
8 files changed, 396 insertions(+), 120 deletions(-)

 [cve-2018-5743]: limiting simultaneous tcp clients is ineffective


0013 Replace atomic operations in bin named client.c with.patch | (download)

bin/named/client.c | 18 7 + 11 - 0 !
bin/named/include/named/interfacemgr.h | 5 3 + 2 - 0 !
bin/named/interfacemgr.c | 7 5 + 2 - 0 !
3 files changed, 15 insertions(+), 15 deletions(-)

 replace atomic operations in bin/named/client.c with isc_refcount
 reference counting


0014 Disable broken Ed448 support.patch | (download)

config.h.in | 3 0 + 3 - 0 !
configure | 201 75 + 126 - 0 !
configure.in | 33 0 + 33 - 0 !
3 files changed, 75 insertions(+), 162 deletions(-)

 disable broken ed448 support


0015 move item_out test inside lock in dns_dispatch_getne.patch | (download)

lib/dns/dispatch.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 move item_out test inside lock in dns_dispatch_getnext()

0016 Set a limit on number of simultaneous pipelined TCP .patch | (download)

bin/named/client.c | 57 38 + 19 - 0 !
bin/named/include/named/client.h | 5 4 + 1 - 0 !
2 files changed, 42 insertions(+), 20 deletions(-)

 set a limit on number of simultaneous pipelined tcp queries

There was no limit on concurrently served queries served over one pipelined TCP
connection, thus it was possible to send thousands of queries over a single TCP
connection, possibly exhausting the server resources.

(cherry picked from commit efaa67749de825073cd7f19778386d0815c4ce29)

0017 libns Rename ns_tcpconn refs member to clients.patch | (download)

bin/named/client.c | 16 8 + 8 - 0 !
bin/named/include/named/client.h | 2 1 + 1 - 0 !
2 files changed, 9 insertions(+), 9 deletions(-)

 libns: rename ns_tcpconn refs member to clients

(cherry picked from commit b6d6b50c997b3a00fdde9e0d32c4594ffe94f369)

0018 CVE 2020 8616.patch | (download)

lib/dns/adb.c | 33 19 + 14 - 0 !
lib/dns/include/dns/adb.h | 4 4 + 0 - 0 !
lib/dns/resolver.c | 55 37 + 18 - 0 !
3 files changed, 60 insertions(+), 32 deletions(-)

 cve-2020-8616


0019 CVE 2020 8617.patch | (download)

lib/dns/tsig.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 cve-2020-8617


0020 Remove INSIST from from new_reference.patch | (download)

lib/dns/rbtdb.c | 238 142 + 96 - 0 !
1 file changed, 142 insertions(+), 96 deletions(-)

 remove insist from from new_reference

RBTDB node can now appear on the deadnodes lists following the changes
to decrement_reference in 176b23b6cd98e5b58f832902fdbe964ee5f762d0 to
defer checking of node->down when the tree write lock is not held.  The
node should be unlinked instead.

(cherry picked from commit b8c4efb10fc8ef1489120a8169fea42adf97025e)

0021 Always keep a copy of the message.patch | (download)

lib/dns/message.c | 24 13 + 11 - 0 !
1 file changed, 13 insertions(+), 11 deletions(-)

 always keep a copy of the message

0022 Fix crash in pk11_numbits when native pkcs11 is used.patch | (download)

lib/dns/pkcs11dh_link.c | 15 13 + 2 - 0 !
lib/dns/pkcs11dsa_link.c | 8 7 + 1 - 0 !
lib/dns/pkcs11rsa_link.c | 79 60 + 19 - 0 !
lib/isc/include/pk11/internal.h | 3 2 + 1 - 0 !
lib/isc/pk11.c | 60 39 + 21 - 0 !
5 files changed, 121 insertions(+), 44 deletions(-)

 fix crash in pk11_numbits() when native-pkcs11 is used

0023 Wait more than 1 second for NSEC3 chain changes.patch | (download)

bin/tests/system/nsupdate/tests.sh | 30 21 + 9 - 0 !
1 file changed, 21 insertions(+), 9 deletions(-)

 wait more than 1 second for nsec3 chain changes

0024 Update policy subdomain was incorrectly treated as z.patch | (download)

bin/named/zoneconf.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [1/3] update-policy 'subdomain' was incorrectly treated as 'zonesub'

0025 Add a test for update policy subdomain.patch | (download)

bin/tests/system/nsupdate/ns1/named.conf.in | 6 6 + 0 - 0 !
bin/tests/system/nsupdate/tests.sh | 25 25 + 0 - 0 !
2 files changed, 31 insertions(+)

 [2/3] add a test for update-policy 'subdomain'

0026 Add a test for update policy zonesub.patch | (download)

bin/tests/system/nsupdate/ns1/named.conf.in | 6 6 + 0 - 0 !
bin/tests/system/nsupdate/tests.sh | 35 31 + 4 - 0 !
2 files changed, 37 insertions(+), 4 deletions(-)

 [3/3] add a test for update-policy 'zonesub'

0027 CVE 2020 8625.patch | (download)

lib/dns/spnego.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 buffer overflow in gssapi security policy negotiation (cve-2020-8625)