diff options
Diffstat (limited to '')
-rw-r--r-- | debian/changelog | 2965 |
1 files changed, 2965 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..4a0cfd0 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,2965 @@ +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u7) buster-security; urgency=high + + * CVE-2021-25220: The rules for acceptance of records into the cache + have been tightened to prevent the possibility of poisoning if + forwarders send records outside the configured bailiwick. + + -- Ondřej Surý <ondrej@debian.org> Mon, 14 Mar 2022 15:21:48 +0100 + +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u6) buster-security; urgency=high + + * CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could previously be + abused by an attacker to significantly degrade resolver performance. + + -- Ondřej Surý <ondrej@debian.org> Mon, 25 Oct 2021 13:42:31 +0200 + +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u5) buster-security; urgency=high + + * CVE-2021-25214: A malformed incoming IXFR transfer could trigger + an assertion failure in ``named``, causing it to quit abnormally. + * CVE-2021-25215: ``named`` crashed when a DNAME record placed in + the ANSWER section during DNAME chasing turned out to be the final + answer to a client query. + * CVE-2021-25216: Compile with system provided SPNEGO + * Ensure all resources are properly cleaned up when a call to + gss_accept_sec_context() fails. + + -- Ondřej Surý <ondrej@debian.org> Thu, 29 Apr 2021 12:42:26 +0200 + +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u3) buster-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Buffer overflow in GSSAPI security policy negotiation (CVE-2020-8625) + + -- Salvatore Bonaccorso <carnil@debian.org> Mon, 15 Feb 2021 08:51:28 +0100 + +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u2) buster-security; urgency=high + + [ Salvatore Bonaccorso ] + * [CVE-2020-8622] Properly handle malformed truncated responses to TSIG + queries + * [CVE-2020-8623] Fix crash in pk11_numbits() with crafted packet when + native-pkcs11 is used + * Wait more than 1 second for NSEC3 chain changes + * [CVE-2020-8624] Fix processing of "update-policy" rules of type + "subdomain" (Closes: #966497) + + [ Ondřej Surý ] + * [CVE-2020-8619]: It was possible to trigger a INSIST when a zone with + interior (non-leaf) wildcard label + + -- Salvatore Bonaccorso <carnil@debian.org> Tue, 25 Aug 2020 10:10:23 +0200 + +bind9 (1:9.11.5.P4+dfsg-5.1+deb10u1) buster-security; urgency=high + + * [CVE-2019-6477]: TCP-pipelined queries can bypass tcp-clients limit. + (Closes: #945171) + * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9 + * [CVE-2020-8617]: Fix assertion failure in TSIG processing code + + -- Ondřej Surý <ondrej@debian.org> Mon, 18 May 2020 10:02:41 +0200 + +bind9 (1:9.11.5.P4+dfsg-5.1) unstable; urgency=high + + * Non-maintainer upload. + * move item_out test inside lock in dns_dispatch_getnext() (CVE-2019-6471) + (Closes: #930746) + + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jun 2019 11:24:31 +0200 + +bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium + + * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ. + Thanks to Steven Monai (Closes: 928398) + + -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200 + +bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium + + [ Bernhard Schmidt ] + * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827) + + [ Ondřej Surý ] + * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective + (Closes: #927932) + * Update symbols file for new symbol in libisc + * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962) + + -- Ondřej Surý <ondrej@debian.org> Fri, 26 Apr 2019 08:33:13 +0000 + +bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium + + * More fixes to the AppArmor policy for Samba AD DLZ + - allow access to /dev/urandom + - allow locking for dns.keytab + - fix path to smb.conf + + -- Bernhard Schmidt <berni@debian.org> Mon, 22 Apr 2019 22:31:06 +0200 + +bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium + + [ Ondřej Surý ] + * Update d/gbp.conf for Debian Buster + + [ Bernhard Schmidt ] + * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately + expiring and deleting old DNSSEC keys when being run for the first + time (Closes: #923984) + * Update AppArmor policy for Samba AD DLZ + - Add changed default location for named.conf + - Allow read/mmap on some Samba libraries + Thanks to Steven Monai (Closes: #920530) + + [ Andreas Beckmann ] + * bind9.preinst: cope with ancient conffile named.conf.options + (Closes: #905177) + + -- Bernhard Schmidt <berni@debian.org> Tue, 02 Apr 2019 21:12:50 +0200 + +bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high + + [ Bernhard Schmidt ] + * New upstream version 9.11.5.P4+dfsg + - CVE-2018-5744: A specially crafted packet can cause named to leak memory + - CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over + to an unsupported key algorithm when using managed-keys + - CVE-2019-6465: Controls for zone transfers might not be properly applied + to Dynamically Loadable Zones (DLZs) if the zones are writable. + * d/watch: Do not use beta or RC versions + * d/libdns1104.symbols: fix symbols-file-contains-debian-revision for dnstap + symbols + + [ Ondřej Surý ] + * Add new upstream GPG signing-key + + -- Bernhard Schmidt <berni@debian.org> Fri, 22 Feb 2019 17:54:10 +0100 + +bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium + + [ Dominik George ] + * Support dyndb modules with apparmor. (Closes: #900879) + + [ Bernhard Schmidt ] + * apparmor-policy: permit locking of the allow-new-zones database + (Closes: #922065) + * apparmor-policy: allow access to Samba DLZ files (Closes: #920530) + + -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100 + +bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium + + * New upstream version 9.11.5.P1+dfsg + + -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000 + +bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium + + * Use team+dns@tracker.debian.org as Maintainer address + * New upstream version 9.11.5+dfsg + * Add EXTENSIONS= to version file programmatically, not with the patch + * Rebase patches for BIND 9.11.5 + * Adjust package names for new SONAMEs + + -- Ondřej Surý <ondrej@debian.org> Mon, 22 Oct 2018 10:30:28 +0000 + +bind9 (1:9.11.4.P2+dfsg-3) unstable; urgency=medium + + * Also avoid OpenSSL 1.1.1 in udebs. + Thanks to KiBi for the hint + * autopkgtest: Make an external query and check for DNSSEC + + -- Bernhard Schmidt <berni@debian.org> Wed, 26 Sep 2018 11:21:35 +0200 + +bind9 (1:9.11.4.P2+dfsg-2) unstable; urgency=medium + + * Temporarily disable EDDSA to relax OpenSSL version requirement + + -- Bernhard Schmidt <berni@debian.org> Mon, 24 Sep 2018 11:08:15 +0200 + +bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * Add a very simple autopkgtest (dig @127.0.0.1) + + [ Ondřej Surý ] + * New upstream version 9.11.4.P2+dfsg + * Rebase patches for BIND 9.11.4-P2 + + -- Ondřej Surý <ondrej@debian.org> Mon, 10 Sep 2018 08:36:06 +0000 + +bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium + + [ Timo Aaltonen ] + * skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 + crashing on startup. (LP: #1769440) + + [ Bernhard Schmidt ] + * Add gbp.conf for pristine-tar usage + * d/watch: Properly deal with -P patch releases + + [ Ondřej Surý ] + * Don't fail to start if /etc/default/bind9 doesn't exist + * New upstream version 9.11.4.P1+dfsg + * Rebase patches for BIND 9.11.4-P1 + * Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643) + * Put aside named.conf.option from stretch when upgrading (Closes: #905177) + + -- Ondřej Surý <ondrej@debian.org> Fri, 31 Aug 2018 09:53:27 +0000 + +bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium + + * Brown-paper-bag release :-( + * Fix missing colon in AppArmor profile (Closes: #904983) + + -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200 + +bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium + + * Enable IDN support for dig+host using libidn2 (Closes: #459010) + * Use root.hints from dns-root-data (Closes: #888491) + + -- Bernhard Schmidt <berni@debian.org> Sun, 29 Jul 2018 23:26:09 +0200 + +bind9 (1:9.11.4+dfsg-2) unstable; urgency=medium + + * Enable dnstap support (Courtesy of Richard James Salts) (Closes: #890483) + * Remove auth-nxdomain no; from named.conf.options (Closes: #896889) + + -- Ondřej Surý <ondrej@debian.org> Mon, 16 Jul 2018 18:49:50 +0000 + +bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * Use systemd Type=forking to signal daemon init. + Thanks to Elie Roudninski (Closes: #900788) + + [ Ondřej Surý ] + * New upstream version 9.11.4+dfsg + * Rebase patches for 9.11.4+dfsg release + * Bump libdns SONAME to libdns.so.1102 + * Add a SONAME version check early in a build process + * Use debian/getapi to dynamically pick soversions for dh_makeshlibs + * Update the symbols in libdns and libisccfg packages + + -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000 + +bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium + + * [CVE-2018-5738]: Add upstream fix to close the default open recursion + (Closes: #901483) + * Change the maintainer address (Closes: #899959) + + -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000 + +bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * New upstream version 9.11.3+dfsg + (Closes: #867570, #888463) + - Refresh patches + - Drop stdatomic.h patches applied upstream + * Follow SONAME bump of libdns + * Follow SONAME bump of libisc + * Add missing symbols for libisccfg160 + * Add python3-distutils Build-Dependency + * Drop Priority: standard for library packages + * Fix apparmor profile name (Closes: #893005) + Thanks to Andreas Hasenack + * Update bind9-host description (Closes: #729561) + * Add flags=(attach_disconnected) to AppArmor profile to prepare + to use more systemd hardening options, see #863841 + * Add myself to Uploaders + + [ Ondřej Surý ] + * Update Vcs-* links to salsa.d.o + + -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100 + +bind9 (1:9.11.2.P1-1) unstable; urgency=medium + + * New upstream version 9.11.2-P1 + * Refresh patches for new release + + -- Ondřej Surý <ondrej@debian.org> Wed, 17 Jan 2018 06:06:04 +0000 + +bind9 (1:9.11.2+dfsg-10) unstable; urgency=medium + + * Disable lmdb usage in export version of libraries (Closes: #887407) + + -- Ondřej Surý <ondrej@debian.org> Tue, 16 Jan 2018 05:59:31 +0000 + +bind9 (1:9.11.2+dfsg-9) unstable; urgency=medium + + * Fix various mistakes in bind9 conffiles (Closes: #887398) + + -- Ondřej Surý <ondrej@debian.org> Mon, 15 Jan 2018 23:12:43 +0000 + +bind9 (1:9.11.2+dfsg-8) unstable; urgency=medium + + * Pull more stdatomic patch to fix builds on 32-bit architectures + * Remove extra native pkcs11 patch (it has been replaced by sed rules) + + -- Ondřej Surý <ondrej@debian.org> Mon, 15 Jan 2018 21:02:30 +0000 + +bind9 (1:9.11.2+dfsg-7) unstable; urgency=medium + + * Pull upstream patch to use C11 stdatomic where available (Closes: #778720) + + -- Ondřej Surý <ondrej@debian.org> Mon, 15 Jan 2018 15:59:48 +0000 + +bind9 (1:9.11.2+dfsg-6) unstable; urgency=medium + + * Add named-nzd2nzf to bind9 package + * Simplify installation rules + * Enable lmdb (to actually build named-nzd2nzf) + * Move delv from bind9 to dnsutils package (Closes: #887326) + + -- Ondřej Surý <ondrej@debian.org> Mon, 15 Jan 2018 14:19:31 +0000 + +bind9 (1:9.11.2+dfsg-5) unstable; urgency=medium + + * Remove duplicate invoke-rc.d start invocation (Closes: #883575) + * Don't fail in postrm when /var/lib/bind cannot be removed (Closes: #882999) + * Use dh-apparmor for profile management + * apparmor-profile: allow changing thread name (Closes: #883228) + * Bump debhelper compat level to 10 + * Bump Standards-Version to 4.1.2, no changes necessary + + -- Bernhard Schmidt <berni@debian.org> Sun, 10 Dec 2017 20:23:12 +0100 + +bind9 (1:9.11.2+dfsg-4) unstable; urgency=medium + + * Team upload. + * Fix symlinks in libbind-export-dev to point to /lib (Closes: #883536) + + -- Bernhard Schmidt <berni@debian.org> Tue, 05 Dec 2017 00:09:25 +0100 + +bind9 (1:9.11.2+dfsg-3) unstable; urgency=medium + + * Team upload. + * Only install files into bind9:any on arch-any builds (Closes: #883448) + * Adjust dependencies for udeb packages (Closes: #883449) + + -- Bernhard Schmidt <berni@debian.org> Mon, 04 Dec 2017 10:56:58 +0100 + +bind9 (1:9.11.2+dfsg-2) unstable; urgency=medium + + * Team upload. + * Workaround for FTBFS on binary-any builds (Closes: #883159) + + -- Bernhard Schmidt <berni@debian.org> Sun, 03 Dec 2017 20:36:32 +0100 + +bind9 (1:9.11.2+dfsg-1) unstable; urgency=low + + * d/watch: Bump the BIND version to 9.11.x + * Remove 'order random_1' patch, it was a horrible deviation from standards + * Modernize d/rules using debhelper + * New upstream version 9.11.2+dfsg + * Delete dyndb patch, as dyndb is now included in upstream sources + * Rebase patches for new upstream release. + * Add python3-ply to Build-Depends + * Restore the native pkcs11 patch + * Fix the Debian version parsing + * Remove lwresd as it has been deprecated by upstream anyway + * Add new tools: mdig to dnsutils and dnssec-keymgr to bind9utils + * Update the SONAMEs of BIND libraries + * Fix python3 packaging errors + * Bump the standards version to 4.1.1.1 (no change) + * Add support for dh_missing + + -- Ondřej Surý <ondrej@debian.org> Tue, 28 Nov 2017 22:59:30 +0000 + +bind9 (1:9.10.6+dfsg-5) unstable; urgency=medium + + [ Chris Lamb ] + * Make the build reproducible (Closes: #828012) + + [ Micah Cowan ] + * Try not to be fragile to varying value of LIBS make var. (Closes: #833307) + + [ Ondřej Surý ] + * Update the softhsm2.so non-MA path (Closes: #860722) + * Enable JSON output in the statistics channel (Closes: #860722) + * Merge NMUs' changelogs (Closes: #880077) + * Use /dev/urandom to avoid blocking in the server process. (Closes: #854243) + + -- Ondřej Surý <ondrej@debian.org> Thu, 02 Nov 2017 10:31:01 +0000 + +bind9 (1:9.10.6+dfsg-4) unstable; urgency=medium + + [ Michael Biebl ] + * Improve bind9-resolvconf.service (Closes: #826353) + + [ Ondřej Surý ] + * Add insserv.conf.d configuration (Closes: #650538) + * Change bind9-resolvconf.server to Type=oneshot + RemainAfterExit=yes (Closes: #832040) + * Only add static and development symlinks for *-export.{a,so} libraries (Closes: #857522) + * Update Vcs-* fields to standard variants + * Rebuild with newer debhelper (Closes: #879542) + + -- Ondřej Surý <ondrej@debian.org> Mon, 23 Oct 2017 07:02:50 +0000 + +bind9 (1:9.10.6+dfsg-3) unstable; urgency=medium + + * Make lwresd hard depend on bind9 package (Closes: #879127) + + -- Ondřej Surý <ondrej@debian.org> Sun, 22 Oct 2017 11:08:20 +0000 + +bind9 (1:9.10.6+dfsg-2) unstable; urgency=medium + + [ Timo Aaltonen ] + * d/copyright: Add Bv9ARM.pdf to Files-Excluded. + + [ Ondřej Surý ] + * Replace lwresd with symlink instead of hard copy (Closes: #868538) + * Fix the symbols file to compensate for missing bsdcompat symbol on kFreeBSD (Closes: #879017) + * Re-enable threading support on kFreeBSD (Closes: #879018) + * Drop Multi-Arch: same header from libbind-dev (Closes: #874232) + * Remove transitional host package (Closes: #645437, #878228) + + -- Ondřej Surý <ondrej@debian.org> Thu, 19 Oct 2017 09:35:03 +0000 + +bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium + + * New upstream version 9.10.6+dfsg + * Use OpenSSL 1.1.0 for crypto + * Add support for downloading upstream sources using d/watch + + Make d/copyright machine readable for Files-Excluded: support + + Update Files-Exclude: * to remove obsolete software dropped in + contrib/, but not really used + * Add initial README.source + * Limit the d/watch to 9.10.x (aka stable) for now + * Update patches for BIND 9.10.6 release + * Update PKCS11 patch + * Move under pkg-dns umbrella + * Reformat files in debian/ with wrap-and-sort -a for better maintainability + * Update the d/export.diff for BIND 9.10.6 + * Remove FAQ from d/bind9.docs + * Bump SONAME versions for BIND libraries + * Add symbols files for libraries and enable strict symbol checks + * arpaname and named-rrchecker has been moved to /usr/bin + * Install required python library into bind9utils to accompany + dnssec-checkds and dnssec-coverage + * Change Vcs-* to pkg-dns/bind9 + * Also exclude idnkit from upstream tarball + * Finish the debian/copyright update into machine readable format + * Enable Multi-Arch on libirs-export189 + * Cleanup maintainer scripts + * Add lintian override for false positive on full-path command + * Remove unnecessary complexity when generating ${Description} to d/control + + -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000 + +bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium + + [ Bernhard Schmidt ] + * Import upcoming DNSSEC KSK-2017 from 9.10.5 + + [ Ondřej Surý ] + * Non-maintainer upload. + + -- Ondřej Surý <ondrej@debian.org> Mon, 28 Aug 2017 09:36:28 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.3+deb9u2) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches: + - CVE-2017-3142_regression added, fix a regression introduced in with the + correction for CVE-2017-3142. + + -- Yves-Alexis Perez <corsac@debian.org> Sat, 22 Jul 2017 21:24:54 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.3+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches: + - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses + CVE-2017-3142: error in TSIG authentication can permit unauthorized zone + transfers. An attacker may be able to circumvent TSIG authentication of + AXFR and Notify requests. + CVE-2017-3143: error in TSIG authentication can permit unauthorized + dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) + signature for a dynamic update. + + -- Yves-Alexis Perez <corsac@debian.org> Fri, 30 Jun 2017 16:20:29 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high + + * Non-maintainer upload. + * Dns64 with "break-dnssec yes;" can result in a assertion failure + (CVE-2017-3136) (Closes: #860224) + * Some chaining (CNAME or DNAME) responses to upstream queries could trigger + assertion failures (CVE-2017-3137) (Closes: #860225) + * 'rndc ""' could trigger a assertion failure in named (CVE-2017-3138) + (Closes: #860226) + + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 07 May 2017 15:22:46 +0200 + +bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium + + * Non-maintainer upload. + * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes + hangs and crashes on MIPS. (Closes: #778720) + + -- James Cowgill <jcowgill@debian.org> Tue, 18 Apr 2017 16:42:50 +0100 + +bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use /dev/urandom to avoid blocking in the server process. + (closes: #854243) + + -- Bastian Blank <waldi@debian.org> Fri, 17 Mar 2017 19:07:16 +0100 + +bind9 (1:9.10.3.dfsg.P4-12) unstable; urgency=high + + * Merge and accept the non-maintainer upload. + * Fix regression caused by the fix for CVE-2016-8864 (closes: #855540). + * Fix CVE-2017-3135: a malicously crafted query can cause named to crash if + both DNS64 and RPZ are being used (closes: #855520). + + -- Michael Gilbert <mgilbert@debian.org> Sun, 19 Feb 2017 22:39:32 +0000 + +bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium + + * Non-maintainer upload. + * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot. + Patch by Marc Haber <mh+debian-bugs@zugschlus.de> (Closes: #820974). + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 07 Feb 2017 10:42:00 +0100 + +bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium + + * Fix some lintian warnings. + * Add lsb-base dependency to lwresd (closes: #848519). + * Fix CVE-2016-2775: crash in lwresd due to a long query name + (closes: #831796). + * Fix CVE-2016-2776: maliciously crafted query can cause named to crash + (closes: #839010). + * Fix CVE-2016-8864: incorrect handling of a DNAME record can cause + named to crash (closes: #842858). + * Fix CVE-2016-9131: maliciously crafted response to an ANY query can + cause named to crash (closes: #851065). + * Fix CVE-2016-9147: query with contradictory DNSSEC information can + cause named to crash (closes: #851063). + * Fix CVE-2016-9444: maliciously formed DNSSEC Delegation Signer (DS) + record can cause named to crash (closes: #851062). + * Openssl 1.1 is not yet supported, so build with openssl 1.0 for now + (closes: #828082). + + [ LaMont Jones ] + * Update VCS fields in control. + * -DDIG_SIGCHASE got dropped by the change in hardening. + + [ Stefan Bader ] + * Use the defaults file in systemd. + + -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000 + +bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add explicit ordering for nss-lookup.target in bind9.service, + lwresd.service. Patches by Michael Biebl <biebl@debian.org>. + (Closes: #826243, #826245) + + -- Christian Hofstaedtler <zeha@debian.org> Sat, 02 Jul 2016 14:32:50 +0200 + +bind9 (1:9.10.3.dfsg.P4-10) unstable; urgency=medium + + * Use python3 + + -- LaMont Jones <lamont@debian.org> Tue, 03 May 2016 17:39:49 -0600 + +bind9 (1:9.10.3.dfsg.P4-9) unstable; urgency=medium + + * Fix bad patch from when we switched to quilt. Closes: #820847 LP: + #1552801, #1549788, #1553460 + * freshen patch to remove fuzz. + + -- LaMont Jones <lamont@debian.org> Tue, 26 Apr 2016 15:17:58 -0600 + +bind9 (1:9.10.3.dfsg.P4-8) unstable; urgency=medium + + [Timo Aaltonen] + + * Fix bind9-resolvconf.service installation. + * Add support for native pkcs11. LP: #1565392 + + [Samuel Thibault] + + * Detect in6_pktinfo on hurd-i386. Closes: #820404 + + -- LaMont Jones <lamont@debian.org> Wed, 13 Apr 2016 13:19:37 -0600 + +bind9 (1:9.10.3.dfsg.P4-7) unstable; urgency=medium + + * Fix libisccc-export dependencies. Closes: #820043 + + -- Michael Gilbert <mgilbert@debian.org> Tue, 05 Apr 2016 02:53:22 +0000 + +bind9 (1:9.10.3.dfsg.P4-6) unstable; urgency=medium + + * Upload 9.10 to unstable. Closes: #781739 + * Add -DNO_VERSION_DATE to CFLAGS. Closes: #783885 + + -- Michael Gilbert <mgilbert@debian.org> Mon, 04 Apr 2016 00:39:57 +0000 + +bind9 (1:9.10.3.dfsg.P4-5) experimental; urgency=medium + + * Drop dead code in bind9.preinst. + * move from /var/run to /run for policy. + + -- LaMont Jones <lamont@debian.org> Sat, 19 Mar 2016 19:52:04 -0600 + +bind9 (1:9.10.3.dfsg.P4-4) experimental; urgency=medium + + * use multiarch path in udebs + * Updated root cache file. Closes: #806954 + + -- LaMont Jones <lamont@debian.org> Fri, 18 Mar 2016 20:50:49 -0600 + +bind9 (1:9.10.3.dfsg.P4-3) experimental; urgency=medium + + * Fix vcs links + * build in debian/tmp, use bind9.install + + -- LaMont Jones <lamont@debian.org> Fri, 18 Mar 2016 14:46:30 -0600 + +bind9 (1:9.10.3.dfsg.P4-2) experimental; urgency=medium + + * updated precise_time patch + * add RT#s to some patches + * Merge ubuntu changes + * Fix debian/rules to properly remove files from bind9 that are delivered + elsewhere. LP: #1559090 + + -- LaMont Jones <lamont@canonical.com> Fri, 18 Mar 2016 10:58:07 -0600 + +bind9 (1:9.10.3.dfsg.P4-1ubuntu2) xenial; urgency=medium + + * Bump debhelper to v9 to use dh-exec. + * libbind-export-dev: Fix the libbind.so symlink. + * Move static libs to the multiarch libdir again. + + -- Matthias Klose <doko@ubuntu.com> Fri, 18 Mar 2016 13:30:03 +0100 + +bind9 (1:9.10.3.dfsg.P4-1ubuntu1) xenial; urgency=medium + + * Fix udeb dependencies. + + -- Matthias Klose <doko@ubuntu.com> Fri, 18 Mar 2016 12:47:02 +0100 + +bind9 (1:9.10.3.dfsg.P4-1) experimental; urgency=medium + + [ ISC ] + * New upstream: 9.10.3-P3 + - Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396] + - render_ecs errors were mishandled when printing out a OPT record + resulting in a assertion failure. (CVE-2015-8705) [RT #41397] + - Fixed a regression in resolver.c:possibly_mark() which caused + known-bogus servers to be queried anyway. [RT #41321] + * New upstream: 9.10.3-P4 + - Malformed control messages can trigger assertions in named and rndc. + (CVE-2016-1285) [RT #41666] + - Fix resolver assertion failure due to improper DNAME handling when + parsing fetch reply messages. (CVE-2016-1286) [RT #41753] + - Duplicate EDNS COOKIE options in a response could trigger an + assertion failure. (CVE-2016-2088) [RT #41809] + + [LaMont Jones] + + * Do not build -export libs for libbind90 and liblwres. Relates in part + to, and is the last fix to LP: #1551351 + * update patches for 9.10.3.dfsg.P4. Drop 50_CVE_2015-8704.diff + + [ Stefan Bader ] + + * Do not modify signal handlers for external apps. LP: #1556175 + + -- LaMont Jones <lamont@debian.org> Thu, 17 Mar 2016 14:53:36 -0600 + +bind9 (1:9.10.3.dfsg.P2-7) experimental; urgency=medium + + * Fix my bad merge of autoreconf workaround. + * Re-implement -export libraries. LP: #1556175 + * Deliver libisccc-export library. + + -- LaMont Jones <lamont@debian.org> Wed, 16 Mar 2016 15:14:48 -0600 + +bind9 (1:9.10.3.dfsg.P2-5) experimental; urgency=medium + + [Timo Aaltonen] + + * Sync 30_dynamic_db.diff from Fedora. + * rules: Backup some files which dh_autoreconf_clean would remove, restore + on clean. + + [Jamie Strandboge] + + * apparmor: use @{PROC} instead of /proc, allow read on + sys.net.ipv4.ip_local_port_range. LP: #1552441 + + [LaMont Jones] + + * Return nanosecond-precise time for files, so that we more-correctly know + when we can skip loading a zonefile. (Bug introduced 9.9.3b2) + + -- LaMont Jones <lamont@debian.org> Thu, 03 Mar 2016 18:17:06 -0700 + +bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium + + [Matthias Klose] + + * Fix .so symlinks. + * libbind-dev: Depend on libirs141. + * For the udeb's, use a separate build with a reduced feature set, drop the + name difference, and do both builds in a separate directory. + + [Filip Pytloun] + + * Add apparmor rules needed by freeipa-server. Closes: #814314 + + [LaMont Jones] + + * Do not deliver libraries (left in /lib) as part of bind9. LP: #1547052 + * clean up library path for libirs. + + -- LaMont Jones <lamont@debian.org> Fri, 19 Feb 2016 14:26:08 -0700 + +bind9 (1:9.10.3.dfsg.P2-3ubuntu3) xenial; urgency=medium + + * For the udeb's, use a separate build with a reduced feature set. + * Don't call the reduced build "export"; it was used by isc-dhcp as well. + * Do both builds in a separate builddir. + + -- Matthias Klose <doko@ubuntu.com> Fri, 19 Feb 2016 15:01:16 +0100 + +bind9 (1:9.10.3.dfsg.P2-3~ubuntu2) xenial; urgency=medium + + * libbind-dev: Depend on libirs141. + * Ship libirs.{a,so} in libbind-dev. + * Remove obsolete debian/*.dirs files. + + -- Matthias Klose <doko@ubuntu.com> Fri, 19 Feb 2016 15:01:16 +0100 + +bind9 (1:9.10.3.dfsg.P2-3~ubuntu1) xenial; urgency=medium + + * Fix .so symlinks. + + -- Matthias Klose <doko@ubuntu.com> Thu, 18 Feb 2016 13:55:19 +0100 + +bind9 (1:9.10.3.dfsg.P2-3) experimental; urgency=medium + + [Marc Deslauriers] + + * SECURITY UPDATE: denial of service via string formatting operations. + CVE-2015-8704 + + [Matthias Klose] + + * Add multiarch support. Closes: #802584. + * Standards cleanup. + + [LaMont Jones] + + * Properly finish converting to 3.0 (quilt) format. + * Drop geoip_acl patch temporarily while we evaluate the upstream geoip + changes. + * Prechroot init appears to have been taken upstream. + + -- LaMont Jones <lamont@debian.org> Wed, 17 Feb 2016 10:34:24 -0700 + +bind9 (1:9.10.3.dfsg.P2-1) experimental; urgency=medium + + * New upstream, no need for export packages with 9.10 + * Fix sonames + * Update how we do hardening. + * Add Robie Basak as an uploader + * Migrate quilt patches from 9.9.5 branch, and incorporate Michael Gilbert's + changes. + + -- LaMont Jones <lamont@debian.org> Thu, 31 Dec 2015 18:41:31 -0700 + +bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high + + * Non-maintainer upload. + * Add patch to fix CVE-2015-8000. + CVE-2015-8000: Insufficient testing when parsing a message allowed + records with an incorrect class to be accepted, triggering a REQUIRE + failure when those records were subsequently cached. (Closes: #808081) + + -- Salvatore Bonaccorso <carnil@debian.org> Wed, 16 Dec 2015 15:01:39 +0100 + +bind9 (1:9.9.5.dfsg-12) unstable; urgency=high + + * Fix CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash. + + -- Michael Gilbert <mgilbert@debian.org> Thu, 03 Sep 2015 01:16:32 +0000 + +bind9 (1:9.9.5.dfsg-11) unstable; urgency=high + + * Fix CVE-2015-5477: maliciously crafted TKEY query can cause named to exit + (closes: #793903). + + -- Michael Gilbert <mgilbert@debian.org> Wed, 29 Jul 2015 23:46:48 +0000 + +bind9 (1:9.9.5.dfsg-10) unstable; urgency=high + + * Fix CVE-2015-4620: DNSSEC validation of a malicously crafted zone can + cause the resolver to crash (closes: #791715). + + -- Michael Gilbert <mgilbert@debian.org> Thu, 09 Jul 2015 00:43:38 +0000 + +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high + + * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only + affecting setups using DNSSEC (closes: #778733). + + -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Feb 2015 03:42:21 +0000 + +bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium + + * Launch rndc command in the background in networking scripts to avoid a + hang in named from bringing down the entire network (closes: #760555). + + -- Michael Gilbert <mgilbert@debian.org> Thu, 01 Jan 2015 17:51:52 +0000 + +bind9 (1:9.9.5.dfsg-7) unstable; urgency=medium + + * Fix CVE-2014-8500: limit recursion in order to avoid memory consuption + issues that can lead to denial-of-service (closes: #772610). + + -- Michael Gilbert <mgilbert@debian.org> Sun, 14 Dec 2014 05:05:48 +0000 + +bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium + + * Include dlz_dlopen.h in libbind-dev (closes: #769117). + + -- Michael Gilbert <mgilbert@debian.org> Sun, 30 Nov 2014 22:53:50 +0000 + +bind9 (1:9.9.5.dfsg-6) unstable; urgency=medium + + * Include dlz_dlopen.h in libbind-dev (closes: #769117). + + -- Michael Gilbert <mgilbert@debian.org> Sun, 30 Nov 2014 22:53:50 +0000 + +bind9 (1:9.9.5.dfsg-5) unstable; urgency=medium + + * Avoid libnsl dependency on non-linux architectures. Closes: #766430 + * Install export libraries to /lib instead of /usr/lib. Closes: #766544 + * Add myself to the maintainer team with approval from LaMont and Bdale. + + -- Michael Gilbert <mgilbert@debian.org> Thu, 30 Oct 2014 02:42:17 +0000 + +bind9 (1:9.9.5.dfsg-4.3) unstable; urgency=medium + + * Non-maintainer upload. + * Mark critical section as not parallel in the makefile. Closes: #762766 + + -- Michael Gilbert <mgilbert@debian.org> Mon, 13 Oct 2014 04:37:55 +0000 + +bind9 (1:9.9.5.dfsg-4.2) unstable; urgency=low + + * Non-maintainer upload. + * Fix intermittent parallel build failure. Closes: #762766 + * Set -fno-delete-null-pointer-checks. Closes: #750760 + * Use separate packages for the udebs. Closes: #762762 + * Don't install configuration files to /usr. Closes: #762948 + + -- Michael Gilbert <mgilbert@debian.org> Mon, 06 Oct 2014 01:23:57 +0000 + +bind9 (1:9.9.5.dfsg-4.1) unstable; urgency=low + + * Non-maintainer upload. + * Add support for hurd. Closes: #746540 + * Provide shared libraries for isc-dhcp. Closes: #656150 + + -- Michael Gilbert <mgilbert@debian.org> Sun, 14 Sep 2014 00:58:06 +0000 + +bind9 (1:9.9.5.dfsg-4) unstable; urgency=low + + [Julien Cristau] + + * FTBFS on kfreebsd. Closes: #741285 + + [LaMont Jones] + + * revert aclocal.m4 expansion from earlier merge + + -- LaMont Jones <lamont@debian.org> Tue, 29 Apr 2014 14:48:50 -0600 + +bind9 (1:9.9.5.dfsg-3) unstable; urgency=low + + * Re-enable rrl (now a configure option). Closes: #741059 LP: #1288823 + + -- LaMont Jones <lamont@debian.org> Mon, 24 Mar 2014 06:55:55 -0600 + +bind9 (1:9.9.5.dfsg-2) unstable; urgency=low + + * merge in ubuntu 1:9.9.3.dfsg.P2-4ubuntu3 + * move dnssec-coverage to bind9utils. Closes: #739994 + * dnssec-{checkds,verify} manpages in wrong package. Closes: #739995 + + -- LaMont Jones <lamont@debian.org> Wed, 26 Feb 2014 09:30:31 -0700 + +bind9 (1:9.9.5.dfsg-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream version: 9.9.5 Closes: #735190 + + [Martin Nagy] + + * dynamic loading of database backends. See: + http://pkgs.fedoraproject.org/cgit/bind.git/tree/bind-96-dyndb.patch. + Closes: #722669 + + [LaMont Jones] + + * fix sonames + * merge ubuntu changes + * Deliver dns/rrl.h. Closes: #724844 + * rules tweak to make backports to pre-dh-systemd releases easier + + -- LaMont Jones <lamont@debian.org> Tue, 11 Feb 2014 09:16:05 -0700 + +bind9 (1:9.9.4.dfsg-0.3) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * Upstream version 9.9.4 + + [LaMont Jones] + + * fix sonames + * merge ubuntu change + * Deliver dns/rrl.h. Closes: #724844 + + -- LaMont Jones <lamont@debian.org> Wed, 06 Nov 2013 13:27:37 -0700 + +bind9 (1:9.9.3.dfsg.P2-4ubuntu3) trusty; urgency=low + + * SECURITY UPDATE: denial of service when processing NSEC3-signed zone + queries + - debian/patches/CVE-2014-0591.patch: don't call memcpy with + overlapping ranges in bin/named/query.c. + - patch backported from 9.9.4-P2. + - CVE-2014-0591 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 10 Jan 2014 09:36:55 -0500 + +bind9 (1:9.9.3.dfsg.P2-4ubuntu2) trusty; urgency=medium + + * Use dh-autoreconf to update libtool and configure for new ports. + + -- Adam Conrad <adconrad@ubuntu.com> Wed, 18 Dec 2013 04:42:22 -0700 + +bind9 (1:9.9.3.dfsg.P2-4ubuntu1) saucy; urgency=low + + * Use dh_autotools-dev to update config.{sub,guess} for new ports. + + -- Adam Conrad <adconrad@ubuntu.com> Mon, 07 Oct 2013 23:09:45 -0600 + +bind9 (1:9.9.3.dfsg.P2-4) unstable; urgency=low + + [Peter Marschall] + + * If rndc.conf exists, skip creation of rndc.key. Closes: #620394 + + [Al Tarakanoff] + + * properly quote check of pid in bind9 init.d. LP: #1092243 + + [LaMont Jones] + + * include distro and package version in version string + * apparmor: allow GeoIP data file access. LP: #834901 + * enable filter-aaaa. Closes: #701704 LP: #1115168 + + -- LaMont Jones <lamont@debian.org> Thu, 29 Aug 2013 16:22:29 -0600 + +bind9 (1:9.9.3.dfsg.P2-3) unstable; urgency=low + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + [LaMont Jones] + + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build. Closes: #713025 + * deliver rrl.h and stat.h Closes: #692483, #720813 + + -- LaMont Jones <lamont@debian.org> Tue, 27 Aug 2013 10:06:37 -0600 + +bind9 (1:9.9.3.dfsg.P2-2build1) saucy; urgency=low + + [Marc Deslauriers] + + * 9.9.2.dfsg.P1-2ubuntu1: fixed in 9.9.3b1 + * 9.9.2.dfsg.P1-2ubuntu3: fixed in 9.9.3-P2 + + [Robie Basak] + + * 9.9.2.dfsg.P1-2ubuntu2: fixed in 9.9.3b1 + + [LaMont Jones] + + * Merge ubuntu changes, except: autoconf files are generated as part + of the source packagee creation, not on the build host. NAK + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + -- LaMont Jones <lamont@debian.org> Thu, 22 Aug 2013 10:57:17 -0600 + +bind9 (1:9.9.3.dfsg.P2-2) unstable; urgency=low + + * ack NMUs of 9.8.4 + - upstream 9.9.3-P2 fixes: CVE-2013-4854, CVE-2012-5689, + CVE-2013-2266 + - deliver rrl.h + + [LaMont Jones] + + * Use ISC's bin/tests + * Diff cleanup and rationalization to 9.9.3 upstream + + -- LaMont Jones <lamont@debian.org> Sat, 17 Aug 2013 07:09:54 -0600 + +bind9 (1:9.9.3.dfsg.P2-1) unstable; urgency=low + + + [Internet Software Consortium, Inc] + + * 9.9.3-P2 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + [LaMont Jones] + + * soname changes + + [Paul Vixie] + + * Reapply rpz/rrl patches from http://www.redbarn.org/dns/ratelimits + + -- LaMont Jones <lamont@debian.org> Wed, 14 Aug 2013 10:38:59 -0600 + +bind9 (1:9.9.2.dfsg.P1-3) experimental; urgency=low + + [LaMont Jones] + + * Merge 1:9.8.4.dfsg.P1-6 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + -- LaMont Jones <lamont@debian.org> Mon, 04 Mar 2013 09:30:50 -0700 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu3) saucy; urgency=low + + * SECURITY UPDATE: denial of service via incorrect bounds checking on + private type 'keydata' + - lib/dns/rdata/generic/keydata_65533.c: check for correct length. + - Patch backported from 9.9.3-P2 + - CVE-2013-4854 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 28 Jul 2013 10:13:06 -0400 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu2) raring; urgency=low + + * configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475). + * debian/control: add Build-Depends on dh-autoreconf. + * debian/rules: use dh_autoreconf and dh_autoreconf_clean. + + -- Robie Basak <robie.basak@canonical.com> Wed, 10 Apr 2013 16:50:28 +0000 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu1) raring; urgency=low + + * SECURITY UPDATE: denial of service via regex syntax checking + - configure,configure.in,config.h.in: remove check for regex.h to + disable regex syntax checking. + - CVE-2013-2266 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 28 Mar 2013 15:04:57 -0400 + +bind9 (1:9.9.2.dfsg.P1-2) experimental; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * zone transfers now involve link(), update the apparmor profile + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + * re-drop dlzexternal test + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. Closes: #668801 + + [Sebastian Wiesinger] + + * Build and deliver dnssec-checkds and dnssec-verify in bind9utils + + -- LaMont Jones <lamont@debian.org> Wed, 09 Jan 2013 10:09:40 -0700 + +bind9 (1:9.8.4.dfsg.P1-6+nmu3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2013-4854: A specially crafted query that includes malformed rdata can + cause named to terminate with an assertion failure while rejecting the + malformed query. (Closes: #717936). + + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 27 Jul 2013 10:24:07 +0200 + +bind9 (1:9.8.4.dfsg.P1-6+nmu2) unstable; urgency=medium + + * Non-maintainer upload. + * Install /usr/include/dns/rrl.h (closes: #699834). + + -- Michael Gilbert <mgilbert@debian.org> Tue, 16 Apr 2013 01:59:05 +0000 + +bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA + lookup for a record with an A record overwrite rule in a Response Policy + Zone (closes: #699145). + * Fix cve-2013-2266: issues in regular expression handling (closes: #704174). + + -- Michael Gilbert <mgilbert@debian.org> Fri, 29 Mar 2013 00:47:25 +0000 + +bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + -- LaMont Jones <lamont@debian.org> Fri, 01 Mar 2013 08:23:27 -0700 + +bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low + + [LaMont Jones] + + * Properly acknowledge 1:9.8.1.dfsg.P1-4.4: [Philipp Kern] + - Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing the patch. + + [Paul Vixie] + + * Include rpz/rrl patches from http://www.redbarn.org/dns/ratelimits. + Closes: #698641 + + -- LaMont Jones <lamont@debian.org> Wed, 30 Jan 2013 14:04:35 -0700 + +bind9 (1:9.8.4.dfsg.P1-4) unstable; urgency=high + + * The rest of the dnssec validation logspam removal. Closes: #697681 + + -- LaMont Jones <lamont@debian.org> Mon, 21 Jan 2013 13:18:53 -0700 + +bind9 (1:9.8.4.dfsg.P1-3) unstable; urgency=low + + [Marc Deslauriers] + + * debian/bind9.apport: Add AppArmor info and logs to apport hook. + + [LaMont Jones] + + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. Closes: #668801 + + -- LaMont Jones <lamont@debian.org> Wed, 09 Jan 2013 09:47:24 -0700 + +bind9 (1:9.9.2.dfsg.P1-1) experimental; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones <lamont@debian.org> Wed, 05 Dec 2012 05:27:18 -0700 + +bind9 (1:9.8.4.dfsg.P1-2) unstable; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * Re-enable dlopen, do not build the test that fails. Closes: #692416 + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + + -- LaMont Jones <lamont@debian.org> Mon, 07 Jan 2013 06:50:25 -0700 + +bind9 (1:9.8.4.dfsg.P1-1) unstable; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones <lamont@debian.org> Wed, 05 Dec 2012 05:22:06 -0700 + +bind9 (1:9.9.2.dfsg-1) experimental; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version 9.9.2 + * soname fixes + + -- LaMont Jones <lamont@debian.org> Thu, 01 Nov 2012 08:59:57 -0600 + +bind9 (1:9.9.1.dfsg.P1-1) unstable; urgency=low + + [LaMont Jones] + + * New upstream 9.9.1-P1 + + -- LaMont Jones <lamont@debian.org> Wed, 13 Jun 2012 08:22:15 -0600 + +bind9 (1:9.9.0.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.9.0 release + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. Closes: #661040 + + -- LaMont Jones <lamont@debian.org> Mon, 23 Apr 2012 09:52:51 -0600 + +bind9 (1:9.9.0.dfsg~rc4-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * soname changes for new release + + -- LaMont Jones <lamont@debian.org> Fri, 17 Feb 2012 17:51:39 -0700 + +bind9 (1:9.8.4.dfsg-1ubuntu2) raring; urgency=low + + * SECURITY UPDATE: denial of service via DNS64 and crafted query + - bin/named/query.c: init rdataset before cleanup. + - Patch backported from 9.8.4-P1 + - CVE-2012-5688 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 05 Dec 2012 15:42:08 -0500 + +bind9 (1:9.8.4.dfsg-1ubuntu1) raring; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/bind9.apport: Add AppArmor info and logs to apport hook. + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 23 Nov 2012 08:13:50 -0500 + +bind9 (1:9.8.4.dfsg-1) unstable; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version + * soname fixup + * Ack NMUs + + -- LaMont Jones <lamont@debian.org> Mon, 29 Oct 2012 08:37:49 -0600 + +bind9 (1:9.8.1.dfsg.P1-4.4) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing + the patch. + + -- Philipp Kern <pkern@debian.org> Sat, 03 Nov 2012 20:43:43 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.3) unstable; urgency=medium + + [ Philipp Kern ] + * Non-maintainer upload. + + [ Marc Deslauriers ] + * SECURITY UPDATE: denial of service via specific combinations of RDATA + - bin/named/query.c: fix logic + - Patch backported from 9.8.3-P4 + - CVE-2012-5166 + + -- Philipp Kern <pkern@debian.org> Sun, 28 Oct 2012 20:28:11 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix denial of service vulnerability triggered + through an assert because of using bad cache + (CVE-2012-3817; Closes: #683259). + + -- Nico Golde <nion@debian.org> Mon, 30 Jul 2012 20:56:10 +0200 + +bind9 (1:9.8.1.dfsg.P1-4.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * SECURITY UPDATE: ghost domain names attack + - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that + of the old NS RRset when replacing it. + - Patch backported from 9.8.2. + - CVE-2012-1033 + * SECURITY UPDATE: denial of service via zero length rdata handling + - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for + duplicate rdata. + - Patch backported from 9.8.3-P1. + - CVE-2012-1667 + + -- Luk Claes <luk@debian.org> Wed, 20 Jun 2012 15:26:09 -0400 + +bind9 (1:9.8.1.dfsg.P1-4) unstable; urgency=low + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. Closes: #661040 + + -- LaMont Jones <lamont@debian.org> Fri, 13 Apr 2012 12:09:24 -0600 + +bind9 (1:9.8.1.dfsg.P1-3) unstable; urgency=low + + [Zlatan Todoric] + + * fixed Serbian latin translation of debconf template. Closes: #634951 + + [Peter Eisentraut] + + * Add support for "status" action to lwresd init script. Closes: #651540 + + [Bjørn Steensrud] + + * NB Translations. Closes: #654454 + + [LaMont Jones] + + * Default to run_resolvconf=false. LP: #933723 + * Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202 + * Do not deliver /usr/share/bind9/bind9-default.md5sum in the bind9 deb. + Closes: #620007 LP: #681536 + * Deliver and use /etc/apparmor.d/local/usr.sbin.named for local overrides. + LP: #929563 + + -- LaMont Jones <lamont@debian.org> Fri, 17 Feb 2012 14:40:29 -0800 + +bind9 (1:9.8.1.dfsg.P1-2) unstable; urgency=low + + * Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202 + + -- LaMont Jones <lamont@debian.org> Wed, 25 Jan 2012 03:55:21 -0700 + +bind9 (1:9.8.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.1-P1 + - Cache lookup could return RRSIG data associated with nonexistent + records, leading to an assertion failure. + + [LaMont Jones] + + * add a readme entry for DNSSEC-by-default + * Failed to install due to chgrp on non-existant directory. Closes: #647598 + * ack NMU: l10n issues + + -- LaMont Jones <lamont@debian.org> Wed, 18 Jan 2012 10:44:14 -0700 + +bind9 (1:9.8.1.dfsg-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - Danish (Joe Hansen). Closes: #619302 + - Korean (강민지). Closes: #632006, #632016 + - Serbian (FULL NAME). Closes: #634886 + + -- Christian Perrier <bubulle@debian.org> Sat, 03 Dec 2011 17:22:12 +0100 + +bind9 (1:9.8.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * cleanup the messages around killing named + * enable dnssec validation: deliver named.conf.options outside of + conffiledom, and update if able, complain and do not update if not + Closes: #516979 + * typo in min-ncache-ttl processing + * disable dlz until we get a patch to make it build again + + [Jay Ford] + + * Fix "waiting for pid $pid to die" loop to not be infinite. Closes: #570852 + + -- LaMont Jones <lamont@debian.org> Tue, 01 Nov 2011 16:39:19 -0600 + +bind9 (1:9.8.0.dfsg.P1-0) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.0-P1 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones <lamont@debian.org> Fri, 13 May 2011 03:46:22 -0600 + +bind9 (1:9.7.4.dfsg-0) unstable; urgency=low + + * New upstream + + -- LaMont Jones <lamont@debian.org> Sun, 21 Aug 2011 04:43:16 -0600 + +bind9 (1:9.7.3.dfsg-1ubuntu4) oneiric; urgency=low + + * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270) + + -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 14 Jul 2011 15:15:45 +0200 + +bind9 (1:9.7.3.dfsg-1ubuntu3) oneiric; urgency=low + + * SECURITY UPDATE: denial of service via specially crafted packet + - lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache, + nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute + flag to indicate negative-cache records rather than using rrtype 0. + - Patch backported from 9.7.3-P3. + - CVE-2011-2464 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 05 Jul 2011 08:33:30 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2.1) natty-security; urgency=low + + * SECURITY UPDATE: denial of service via off-by-one + - lib/dns/ncache.c: correctly validate length. + - Patch backported from 9.7.3-P1. + - CVE-2011-1910 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 27 May 2011 12:50:40 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2) natty; urgency=low + + * debian/rules, configure, contrib/dlz/config.dlz.in: use + DEB_HOST_MULTIARCH so we can find multiarch libraries and fix FTBFS. + (LP: #745642) + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 30 Mar 2011 10:19:37 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu1) natty; urgency=low + + * debian/bind9-default.md5sum: + - updated to reflect the default md5sum in maverick and natty, this + avoids a bogus /etc/default/bind9.dpkg-dist file + (LP: #556332) + + -- Michael Vogt <michael.vogt@ubuntu.com> Tue, 29 Mar 2011 10:13:11 +0200 + +bind9 (1:9.7.3.dfsg-1) unstable; urgency=low + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. + + [Internet Systems Consortium, Inc] + + * 9.7.3 - Closes: #612287 + + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones <lamont@debian.org> Wed, 23 Feb 2011 09:14:36 -0700 + +bind9 (1:9.7.3.dfsg~rc1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. + + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes for new upstream + + -- LaMont Jones <lamont@debian.org> Fri, 04 Feb 2011 21:20:05 -0700 + +bind9 (1:9.7.2.dfsg.P3-1) unstable; urgency=high + + [ISC] + * Fix denial of service via ncache entry and a rrsig for the + same type (CVE-2010-3613) + * answers were incorrectly marked as insecure during key algorithm + rollover (CVE-2010-3614) + * Using "allow-query" in the "options" or "view" statements to + restrict access to authoritative zones had no effect. + (CVE-2010-3615) + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + + -- LaMont Jones <lamont@debian.org> Wed, 01 Dec 2010 16:32:48 -0700 + +bind9 (1:9.7.2.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + * acknowledge and incorporate ubuntu change. + + -- LaMont Jones <lamont@debian.org> Fri, 26 Nov 2010 05:18:43 -0700 + +bind9 (1:9.7.2.dfsg.P2-2ubuntu1) natty; urgency=low + + [ Andres Rodriguez ] + * Add apport hook (LP: #533601): + - debian/bind9.apport: Added. + + [ Martin Pitt ] + * debian/rules: Install Apport hook when building on Ubuntu. + + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 26 Nov 2010 10:50:17 +0100 + +bind9 (1:9.7.2.dfsg.P2-2) unstable; urgency=low + + [Roy Jamison] + + * lib/isc/unix/resource.c was missing inttypes.h include. LP: #674199 + + -- LaMont Jones <lamont@debian.org> Fri, 12 Nov 2010 10:52:32 -0700 + +bind9 (1:9.7.2.dfsg.P2-1) unstable; urgency=low + + [Joe Dalton] + + * Add Danish translation of debconf templates. Closes: #599431 + + [Internet Software Consortium, Inc] + + * v9.7.2-P2 + + [José Figueiredo] + + * Add Brazilian Portuguese debconf templates translation. Closes: #597616 + + [LaMont Jones] + + * drop this v3 (quilt) source format idea. Closes: #589916 + + -- LaMont Jones <lamont@debian.org> Sun, 10 Oct 2010 19:01:57 -0600 + +bind9 (1:9.7.1.dfsg.P2-2) unstable; urgency=low + + * Correct conflicts for bind9-host + + -- LaMont Jones <lamont@debian.org> Fri, 16 Jul 2010 05:24:38 -0600 + +bind9 (1:9.7.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Temporarily and partially disable change 2864 because it would cause + inifinite attempts of RRSIG queries. This is an urgent care fix; we'll + revisit the issue and complete the fix later. [RT #21710] + * Temporarially rollback change 2748. [RT #21594] + * Named failed to accept uncachable negative responses from insecure zones. + [RT# 21555] + + [LaMont Jones] + + * freshen copyright file + + -- LaMont Jones <lamont@debian.org> Thu, 15 Jul 2010 15:07:54 -0600 + +bind9 (1:9.7.1.dfsg.0-1) unstable; urgency=low + + * Repack to drop zkt/doc/{draft,rfc}* Closes: #588055 + + -- LaMont Jones <lamont@debian.org> Mon, 05 Jul 2010 07:21:34 -0600 + +bind9 (1:9.7.1.dfsg-2) unstable; urgency=low + + [Regid Ichira] + + * explicitly add nsupdate to dynamic updates in README.Debian. + Closes: #577398 + + [LaMont Jones] + + * Cleanup bind9-host description. Closes: #579421 + * switch to 3.0 (quilt) source format, but not to quilt. Closes: #578210 + + [Stephen Gran] + + * updated geoip patch for ipv6, based on work by John 'Warthog9' Hawley + <warthog9@eaglescrag.net>. Closes: #584603 + + -- LaMont Jones <lamont@debian.org> Fri, 02 Jul 2010 08:19:29 -0600 + +bind9 (1:9.7.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.1 + + [LaMont Jones] + + * Add freebsd support. Closes: #578447 + * soname changes + * freshen root cache. LP: #596363 + + -- LaMont Jones <lamont@debian.org> Mon, 21 Jun 2010 09:53:30 -0600 + +bind9 (1:9.7.0.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0-P1 + - 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] + + -- LaMont Jones <lamont@debian.org> Wed, 17 Mar 2010 08:06:42 -0600 + +bind9 (1:9.7.0.dfsg.1-1) unstable; urgency=low + + [Niko Tyni] + + * fix mips/mipsel startup. Closes: #516616 + + [LaMont Jones] + + * ignore failures due to a lack of /etc/bind/named.conf*. LP: #422968 + * ldap API changed regarding % sign. LP: #227344 + * Drop more rfc and draft files. Closes: #572606 + * update config.guess, config.sub. Closes: #572528 + + -- LaMont Jones <lamont@debian.org> Fri, 12 Mar 2010 14:56:08 -0700 + +bind9 (1:9.7.0.dfsg-2) unstable; urgency=low + + [Aurelien Jarno] + + * kfreebsd has linux threads. Closes: #470500 + + [LaMont Jones] + + * do not error out on initial install. Closes: #572443 + + -- LaMont Jones <lamont@debian.org> Thu, 04 Mar 2010 09:32:13 -0700 + +bind9 (1:9.7.0.dfsg-1) unstable; urgency=low + + * New upstream release + + -- LaMont Jones <lamont@debian.org> Wed, 17 Feb 2010 14:53:36 -0700 + +bind9 (1:9.7.0.dfsg~rc2-1) experimental; urgency=low + + * New upstream release + + -- LaMont Jones <lamont@debian.org> Thu, 28 Jan 2010 05:46:50 -0700 + +bind9 (1:9.7.0.dfsg~b3-2) experimental; urgency=low + + * merge changes from 9.6.1.dfsg.P2-1 + * meta: drop verisoned depends from library packages, for less upgrade pain + * apparmor: allow named to create /var/run/named/session.key + + -- LaMont Jones <lamont@debian.org> Sun, 06 Dec 2009 11:46:17 -0700 + +bind9 (1:9.7.0.dfsg~b3-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b3 + + [LaMont Jones] + + * Merge remote branch 'origin/master' + * soname changes + + -- LaMont Jones <lamont@debian.org> Mon, 30 Nov 2009 21:07:58 -0700 + +bind9 (1:9.6.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1-P2 + - When validating, track whether pending data was from the + additional section or not and only return it if validates + as secure. [RT #20438] CVE-2009-4022 + + [LaMont Jones] + + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + * meta: soname changes + * l10n: missing newline in pofile. + + -- LaMont Jones <lamont@debian.org> Fri, 27 Nov 2009 10:07:10 -0700 + +bind9 (1:9.7.0.dfsg~b2-2) experimental; urgency=low + + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + + -- LaMont Jones <lamont@debian.org> Tue, 17 Nov 2009 22:42:40 -0600 + +bind9 (1:9.7.0.dfsg~b2-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b2 + + [LaMont Jones] + + * /etc/bind/bind.keys need not be executable. + * bind9: drop old stale code from postinst + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * l10n: missing newline in pofile. + + -- LaMont Jones <lamont@debian.org> Mon, 16 Nov 2009 18:53:24 -0700 + +bind9 (1:9.7.0~a1.dfsg-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0a1 + + -- LaMont Jones <lamont@debian.org> Wed, 24 Jun 2009 15:10:08 -0600 + +bind9 (1:9.6.1.dfsg.P1-3) unstable; urgency=low + + * Build-Depend on the fixed libgeoip-dev. Closes: #540973 + + -- LaMont Jones <lamont@debian.org> Mon, 17 Aug 2009 06:53:11 -0600 + +bind9 (1:9.6.1.dfsg.P1-2) unstable; urgency=low + + [Jamie Strandboge] + + * reload individual named profile, not all of apparmor. LP: #412751 + + [Guillaume Delacour] + + * bind9 did not purge cleanly. Closes: #497959 + + [LaMont Jones] + + * postinst: do not append a blank line to /etc/default/bind9. + Closes: #541469 + * init.d stop needs to not error out. LP: #398033 + * meta: fix build-depends. Closes: #539230 + + -- LaMont Jones <lamont@debian.org> Fri, 14 Aug 2009 17:03:31 -0600 + +bind9 (1:9.6.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * A specially crafted update packet will cause named to exit. + CVE-2009-0696, CERT VU#725188. Closes: #538975 + + [InterNIC] + + * Update db.root hints file. + + [LaMont Jones] + + * Move default zone definitions from named.conf to named.conf.default-zones. + Closes: #492308 + * use start-stop-daemon if rndc stop fails. Closes: #536487 + * lwresd: pidfile name was wrong in init script. Closes: #527137 + + -- LaMont Jones <lamont@debian.org> Tue, 28 Jul 2009 22:03:14 -0600 + +bind9 (1:9.6.1.dfsg-2) unstable; urgency=low + + * ia64: fix atomic.h + + -- LaMont Jones <lamont@debian.org> Tue, 23 Jun 2009 01:56:35 -0600 + +bind9 (1:9.6.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1 + + -- LaMont Jones <lamont@debian.org> Mon, 22 Jun 2009 14:33:20 -0600 + +bind9 (1:9.6.0.dfsg.P1-3) unstable; urgency=low + + [Martin Zobel-Helas] + + * GEO-IP Patch from + git://git.kernel.org/pub/scm/network/bind/bind-geodns.git. Closes: #395191 + + [LaMont Jones] + + * Remove /var/lib/bind on purge. Closes: #527613 + * Build-Depend: libdb-dev (>4.6). Closes: #527877, #528772 + * init.d: detect rndc errors better. LP: #380962 + * init.d: clean up exit status. Closes: #523454 + * Enable pkcs11 support, and then Revert - causes assertion failures + c.f.: #516552 + + -- LaMont Jones <lamont@debian.org> Mon, 22 Jun 2009 13:58:32 -0600 + +bind9 (1:9.6.0.dfsg.P1-2) unstable; urgency=low + + * random_1 broke memory usage assertions. + + -- LaMont Jones <lamont@debian.org> Thu, 23 Apr 2009 05:15:45 -0600 + +bind9 (1:9.6.0.dfsg.P1-1) experimental; urgency=low + + [Michael Milligan] + + * Add min-cache-ttl and min-ncache-ttl keywords + + [LaMont Jones] + + * Fix merge errors from 9.6.0.dfsg.P1-0 + + -- LaMont Jones <lamont@debian.org> Fri, 20 Mar 2009 15:50:50 -0600 + +bind9 (1:9.6.0.dfsg.P1-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.0-P1 + + [LaMont Jones] + + * meta: fix override disparity + * meta: soname package fixups for 9.6.0 + * meta: update Standards-Version: 3.7.3.0 + * upstream now uses a bind subdir. Closes: #212659 + + [Sven Joachim] + + * meta: pass host and build into configure for hybrid build machines. + Closes: #515110 + + -- LaMont Jones <lamont@debian.org> Fri, 20 Mar 2009 11:54:55 -0600 + +bind9 (1:9.5.1.dfsg.P1-3) unstable; urgency=low + + * package -2 for unstable + + -- LaMont Jones <lamont@debian.org> Wed, 18 Mar 2009 09:40:18 -0600 + +bind9 (1:9.5.1.dfsg.P1-2) stable; urgency=low + + [Juhana Helovuo] + + * fix atomic operations on alpha. Closes: #512285 + + [Dann Frazier] + + * fix atomic operations on ia64. Closes: #520179 + + [LaMont Jones] + + * build-conflict: libdb4.2-dev. Closes: #515074, #507013 + + [localization folks] + + * l10n: Basque debconf template. Closes: #516549 (Piarres Beobide) + + -- LaMont Jones <lamont@debian.org> Wed, 18 Mar 2009 05:30:22 -0600 + +bind9 (1:9.5.1.dfsg.P1-1) unstable; urgency=low + + * New upstream patch release + - supportable version of fix from 9.5.0.dfsg.P2-5.1 + - CVE-2009-0025: Closes: #511936 + - 2475: Overly agressive cache entry removal. Closes: #511768 + - other bug fixes worthy of patch-release inclusion + + -- LaMont Jones <lamont@debian.org> Mon, 26 Jan 2009 10:33:42 -0700 + +bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low + + * Non-maintainer upload. + * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided + by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot + contacted him. Closes: #496954, #501800. + * Remove obsolete dh_installmanpages invocation which was adding + unwanted manual pages to bind9. Closes: #486196. + + -- Ben Hutchings <ben@decadent.org.uk> Fri, 02 Jan 2009 16:51:42 +0000 + +bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low + + [ISC] + + * 2463: IPv6 Advanced Socket API broken on linux. LP: #249824 + + [Jamie Strandboge] + + * apparmor: add capability sys_resource + * apparmor: add krb keytab access. LP: #277370 + + [LaMont Jones] + + * apparmor: allow proc/*/net/if_inet6 read access too. LP: #289060 + * apparmor: add /var/log/named/* entries. LP: #294935 + + [Ben Hutchings] + + * meta: Add dependency of bind9 on net-tools (ifconfig used in init script) + * meta: Fix bind9utils Depends. + * meta: fix typo in package description + + [localization folks] + + * l10n: add polish debconf translations. Closes: #506856 (L) + + -- LaMont Jones <lamont@debian.org> Sun, 07 Dec 2008 21:03:29 -0700 + +bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low + + * meta: fix typo in Depends: lsb-base. Closes: #501365 + + -- LaMont Jones <lamont@debian.org> Tue, 07 Oct 2008 17:20:11 -0600 + +bind9 (1:9.5.0.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * enable largefile support. Closes: #497040 + + [localization folks] + + * l10n: Dutch translation. Closes: #499977 (Paul Gevers) + * l10n: simplified chinese debconf template. Closes: #501103 (LI Daobing) + * l10n: Update spanish template. Closes: #493775 (Ignacio Mondino) + + -- LaMont Jones <lamont@debian.org> Sun, 05 Oct 2008 20:20:00 -0600 + +bind9 (1:9.5.0.dfsg.P2-2) unstable; urgency=low + + [Kees Cook] + + * debian/{control,rules}: enable PIE hardening (from -1ubuntu1) + + [Nicolas Valcárcel] + + * Add ufw integration (from -1ubuntu2) + + [Dustin Kirkland] + + * use pid file in init.d/bind9 status. LP: #247084 + + [LaMont Jones] + + * dig: add -DDIG_SIGCHASE to compile options. LP: #257682 + * apparmor profile: add /var/log/named + + [Nikita Ofitserov] + + * ipv6 support requires _GNU_SOURCE definition. LP: #249824 + + -- LaMont Jones <lamont@debian.org> Thu, 28 Aug 2008 23:08:36 -0600 + +bind9 (1:9.5.0.dfsg.P2-1) unstable; urgency=low + + [LaMont Jones] + + * default to using resolvconf if it is installed + * fix sonames and dependencies. Closes: #149259, #492418 + * Do not build-depend libcap2-dev on non-linux. Closes: #493392 + * drop unused query-loc manpage. Closes: #492564 + * lwresd: Deliver /etc/bind directory. Closes: #490027 + * fix query-source comment in default install + + [Internet Software Consortium, Inc] + + * 9.5.0-P2. Closes: #492949 + + [localization folks] + + * l10n: Spanish debconf translation. Closes: #492425 (Ignacio Mondino) + * l10n: Swedish debconf templates. Closes: #491369 (Martin Ågren) + * l10n: Japanese debconf translations. Closes: #492048 (Hideki Yamane + (Debian-JP)) + * l10n: Finnish translation. Closes: #490630 (Esko Arajärvi) + * l10n: Italian debconf translations. Closes: #492587 (Alessandro Vietta) + + -- LaMont Jones <lamont@debian.org> Sat, 02 Aug 2008 14:20:20 -0600 + +bind9 (1:9.5.0.dfsg.P1-2) unstable; urgency=low + + * Revert "meta: merge the mess of single-lib packages back into one large + one." - That way lies madness and pain. + * init.d/bind9: implement status function. LP: #203169 + + -- LaMont Jones <lamont@debian.org> Tue, 08 Jul 2008 21:56:58 -0600 + +bind9 (1:9.5.0.dfsg.P1-1) unstable; urgency=low + + * Repackage 9.5.0.dfsg-5 with the -P1 tarball. + + -- LaMont Jones <lamont@debian.org> Tue, 08 Jul 2008 15:06:07 -0600 + +bind9 (1:9.5.0.dfsg-5) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Randomize UDP query source ports to improve forgery resilience. + (CVE-2008-1447) + + [LaMont Jones] + + * add build-depends: texlive-latex-base, xsltproc, remove Bv9ARM.pdf in clean + * fix sonames + * drop unneeded build-deps, since we do not actually deliver B9vARM.pdf + * meta: cleanup libbind9-41 Provides/Conflicts + * build: fix sonames for new libraries + * postinst: really restart bind/lwresd in postinst + + -- LaMont Jones <lamont@debian.org> Sun, 06 Jul 2008 21:34:18 -0600 + +bind9 (1:9.5.0.dfsg-4) unstable; urgency=low + + [LaMont Jones] + + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + * lwresd: restart in postinst. Closes: #486481 + * meta: merge the mess of single-lib packages back into one large one. + * apparmor: allow bind to create files in /var/{lib,cache}/bind + * build: drop .la files. Closes: #486969 + * build: drop the extra lib path from the library-package merge + * meta: liblwres40 does not conflict with the libbind9-40-provided libbind0 + + [localization folks] + + * l10n: German debconf translation. Closes: #486547 (Helge Kreutzmann) + * l10n: Indonesian debconf translations. Closes: #486503 (Arief S Fitrianto) + * l10n: Slovak po-debconf translation Closes: #488905 (helix84) + * l10n: Turkish debconf template. Closes: #486479 (Mert Dirik) + + -- LaMont Jones <lamont@debian.org> Mon, 30 Jun 2008 11:22:05 -0600 + +bind9 (1:9.4.2-12) unstable; urgency=low + + * apparmor: allow bind to create files in /var/{lib,cache}/bind + + -- LaMont Jones <lamont@debian.org> Mon, 30 Jun 2008 11:17:53 -0600 + +bind9 (1:9.4.2-11) unstable; urgency=low + + * apparmor: add dnscvsutil package files + * lwresd Depends: adduser + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + + -- LaMont Jones <lamont@debian.org> Tue, 17 Jun 2008 21:30:12 -0600 + +bind9 (1:9.5.0.dfsg-3) unstable; urgency=low + + [LaMont Jones] + + * bind9utils Depends: libbind9-40. Closes: #486194 + * bind9 should not deliver manpages for nonexistant binaries. + Closes: #486196 + + [localization folks] + + * l10n: Vietnamese debconf templates translation update. Closes: #486185 + (Clytie Siddall) + * l10n: Russian debconf templates translation. Closes: #486191 (Yuri Kozlov) + * l10n: Galician debconf template. Closes: #486215 (Jacobo Tarrio) + * l10n: French debconf templates. Closes: #486325 (CALARESU Luc) + * l10n: Czech debconf translation. Closes: #486337 (Miroslav Kure) + * l10n: Updated Portuguese translation. Closes: #486267 (Traduz - + Portuguese Translation Team) + + -- LaMont Jones <lamont@debian.org> Sun, 15 Jun 2008 18:25:02 -0600 + +bind9 (1:9.5.0.dfsg-2) unstable; urgency=low + + [Tim Spriggs] + + * init.d: Nexenta has different ifconfig arguments + + [LaMont Jones] + + * templates rework from debian-l10n-english + * reload named when an interface goes up or down. LP: #226495 + * build: need to create the directories for interface restart triggering + * Build-Depends: libcap2-dev. Closes: #485747 + * Leave named running during update. Closes: #453765 + * Fix path to uname, cleaning up the nexenta checks. + * l10n: avoid double-question in templates. + + [localization folks] + + * l10n: Vietnamese debconf translations. Closes: #483911 (Clytie Siddall) + * l10n: Portuguese debconf translations. Closes: #483872 (Traduz - + Portuguese Translation Team) + + -- LaMont Jones <lamont@debian.org> Fri, 13 Jun 2008 16:54:42 -0600 + +bind9 (1:9.5.0.dfsg-1) unstable; urgency=low + + [LaMont Jones] + + * manpages: fix references that should say /etc/bind + * meta: build-depend libxml2-dev for statistics support + + -- LaMont Jones <lamont@debian.org> Sat, 31 May 2008 12:17:21 -0600 + +bind9 (1:9.5.0.dfsg-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.5.0 release + + [LaMont Jones] + + * Only use capabilities if they are present: reprise. Closes: #360339, #212226 + * control: fix dnsutils description to avoid list reformatting. Closes: #480317 + * build: use the correct directories in dh_shlibdeps invocation + * build: turn on dlz. No pgsql or mysql support yet. LP: #227344 + + -- LaMont Jones <lamont@debian.org> Thu, 29 May 2008 22:05:19 -0600 + +bind9 (1:9.5.0~rc1-2~0ubuntu2) intrepid; urgency=low + + * build: use the correct directories in dh_shlibdeps invocation + * build: turn on dlz. LP: #227344 + + -- LaMont Jones <lamont@ubuntu.com> Tue, 27 May 2008 21:43:06 -0600 + +bind9 (1:9.5.0~rc1-2~0ubuntu1) intrepid; urgency=low + + * Upload what will become (maybe an ancestor of) -2 to intrepid. + - Only use capabilities if they are present: reprise. Closes: #360339, #212226 + - control: fix dnsutils description to avoid list reformatting. Closes: #480317 + + -- LaMont Jones <lamont@ubuntu.com> Mon, 26 May 2008 11:46:27 -0600 + +bind9 (1:9.5.0~rc1-1) experimental; urgency=low + + [Patrick Winnertz] + + * postinst: make add debconf support. Closes: #473460 + + [Jamie Strandboge] + + * debian/bind9.preinst: Apparmor force-complain on upgrade without + existing profile. LP: #204658 + + [LaMont Jones] + + * bind9utils: fix typos in .install + * host: manpage inaccurately describes default query. LP: #203087 + * apparmor: add dnscvsutil package files + * Revert "Only use capabilities if they are present." for merge of 9.5.0rc1. + * soname: libdns41 -> 42 + * fix typos in debconf patch, #473460 + * cleanup more files in clean target + * lwresd Depends: adduser + + -- LaMont Jones <lamont@debian.org> Thu, 15 May 2008 17:59:54 -0600 + +bind9 (1:9.5.0~b2-2) experimental; urgency=low + + * meta: add bind9utils binary package, with various useful utilities. Closes: #151957, #130445, #160483 + + -- LaMont Jones <lamont@debian.org> Thu, 03 Apr 2008 07:01:42 -0600 + +bind9 (1:9.4.2-10) unstable; urgency=low + + [Jamie Strandboge] + + * debian/bind9.preinst: AA force-complain on upgrade without existing + profile. LP: #204658 + + [LaMont Jones] + + * host: manpage inaccurately describes default query. LP: #203087 + + -- LaMont Jones <lamont@debian.org> Tue, 08 Apr 2008 22:45:57 -0600 + +bind9 (1:9.4.2-9) unstable; urgency=low + + * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind + * apparmor: make profile match README.Debian + + -- LaMont Jones <lamont@debian.org> Tue, 01 Apr 2008 21:13:05 -0600 + +bind9 (1:9.4.2-8) unstable; urgency=low + + [ISC] + + * CVE-2008-0122: off by one error in (unused) inet_network function. + Closes: #462783 LP: #203476 + + [Michael Milligan] + + * Fix min-cache-ttl and min-ncache-ttl keywords + + [Jamie Strandboge] + + * apparmor: force complain-mode for apparmor on certain upgrades. LP: #203528 + * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named + + -- LaMont Jones <lamont@debian.org> Tue, 18 Mar 2008 18:35:15 -0600 + +bind9 (1:9.4.2-7) unstable; urgency=low + + [Jamie Strandboge] + + * Allow rw access to /var/lib/bind/* in apparmor-profile. LP: #201954 + + [LaMont Jones] + + * Drop root-delegation comments from named.conf. Closes: #217829, #297219 + + -- LaMont Jones <lamont@debian.org> Sat, 15 Mar 2008 09:48:10 -0600 + +bind9 (1:9.4.2-6) unstable; urgency=low + + * Correct apparmor profile filename. LP: #200739 + + -- LaMont Jones <lamont@debian.org> Mon, 10 Mar 2008 14:28:01 -0600 + +bind9 (1:9.4.2-5) unstable; urgency=low + + * add "order random_1" support (return one random RR) + * Fix doc pathnames in README.Debian. Closes: #266891 + * Add AAAA ::1 entry to db.local. Closes: #230088 + + -- LaMont Jones <lamont@debian.org> Mon, 10 Mar 2008 13:51:28 -0600 + +bind9 (1:9.5.0~b2-1) experimental; urgency=low + + [Thiemo Seufer] + + * mips:atomic.h: improve implementation of atomic ops, fix mips{el,64} + + [LaMont Jones] + + * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750 + * named.conf.5: correct filename. Closes: #428015 + * manpages: fix typo errors. Closes: #395834 + * Makefile.in: be explicit about library paths + * build: Turn on GSS-TSIG support. LP: #158197 + * build: soname changes + * db.root: include AAAA RRs. Closes: #464111 + * soname: lib{dns,isc}40 -> 41 + * meta: use binary:Version instead of Source-Version + + [Andreas John] + + * Only use capabilities if they are present. Closes: #360339, #212226 + + -- LaMont Jones <lamont@debian.org> Sat, 23 Feb 2008 08:06:17 -0700 + +bind9 (1:9.4.2-4) unstable; urgency=low + + * incorporate ubuntu apparmor change from Jamie Strandboge, + with changes: + - Add apparmor profile, reload apparmor profile on config + - Add a note about apparmor to README.Debian + - conflicts/replaces old apparmor versions + * db.root: include AAAA RRs. Closes: #464111 + * Don't die when /var/lib/bind already exists. LP: #191685 + * build: turn on optimization. Closes: #435194 + + -- LaMont Jones <lamont@debian.org> Fri, 22 Feb 2008 22:05:25 -0700 + +bind9 (1:9.4.2-3ubuntu1) hardy; urgency=low + + * add AppArmor profile + + debian/apparmor-profile + + debian/bind9.postinst: Reload AA profile on configuration + * updated debian/README.Debian for note on AppArmor + * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets installed + it won't overwrite our profile + * Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Jamie Strandboge <jamie@ubuntu.com> Wed, 13 Feb 2008 17:30:45 +0000 + +bind9 (1:9.4.2-3) unstable; urgency=low + + * don't run rndc-confgen when it's not there. Closes: #459551 + * control: drop use of ${Source-Version} + + -- LaMont Jones <lamont@debian.org> Mon, 07 Jan 2008 10:16:06 -0700 + +bind9 (1:9.4.2-2) unstable; urgency=low + + * init.d: add --oknodo to start-stop-daemon. Closes: #411881 + * init: LSB dependency info. Closes: #459421, #448006 + * meta: bind9 Suggests: resolvconf. Closes: #252285 + * bind9: deliver /var/lib/bind directory, and document. + Closes: #248771, #200253, #202981, #209022 + * lwresd: create bind user/group and rndc key if needed, at install. + Closes: #190742 + * dnsutils: update long description. Closes: #236901 + + -- LaMont Jones <lamont@debian.org> Sun, 06 Jan 2008 12:25:31 -0700 + +bind9 (1:9.4.2-1) unstable; urgency=low + + [Mike O'Connor] + + * bind9.init: LSB compliance. Closes: #448006 + + [Internet Software Consortium, Inc] + + * New release: 9.4.2 + + [LaMont Jones] + + * soname shifts for new release + + -- LaMont Jones <lamont@debian.org> Sat, 17 Nov 2007 10:50:07 -0700 + +bind9 (1:9.4.2~rc2-1) experimental; urgency=low + + * New upstream release + + -- LaMont Jones <lamont@debian.org> Fri, 12 Oct 2007 18:33:57 -0600 + +bind9 (1:9.4.1-P1-4) unstable; urgency=low + + [Thomas Antepoth] + + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + [LaMont Jones] + + * document git repositories + * db.root: l.root-servers.net changed IP address. Closes: #449148 LP: #160176 + * init.d: if there are no networks configured, error out quickly + + -- LaMont Jones <lamont@debian.org> Thu, 08 Nov 2007 21:31:55 -0700 + +bind9 (1:9.4.1-P1-3) unstable; urgency=low + + * Only deliver upstream changes with bind9-doc + + -- LaMont Jones <lamont@debian.org> Thu, 04 Oct 2007 08:30:55 -0600 + +bind9 (1:9.4.1-P1-2) unstable; urgency=low + + * manpages: fix typo errors. Closes: #395834 + * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750 + * named.conf.5: correct filename. Closes: #428015 + * bind9.NEWS: update version for ACL change doc. Closes: #435225 + * build: don't have dnsutils deliver man pages that it shouldn't. LP: #82178 + * nslookup.1: some of the manpage was not visible. LP: #131415 + * document git repositories + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + -- LaMont Jones <lamont@debian.org> Wed, 03 Oct 2007 01:10:59 -0600 + +bind9 (1:9.4.1-P1-1) unstable; urgency=high + + * New upstream version, addresses CVE-2007-2926 and CVE-2007-2925 + + -- Bdale Garbee <bdale@gag.com> Thu, 26 Jul 2007 16:41:50 -0600 + +bind9 (1:9.4.1-1) unstable; urgency=low + + * New upstream version + + -- LaMont Jones <lamont@debian.org> Mon, 30 Apr 2007 16:59:05 -0600 + +bind9 (1:9.4.0-2) unstable; urgency=low + + * upload to unstable + + -- LaMont Jones <lamont@debian.org> Tue, 10 Apr 2007 11:12:16 -0600 + +bind9 (1:9.4.0-1) experimental; urgency=low + + * New upstream version + * more mipsel patch. Closes: #406409 + + -- LaMont Jones <lamont@debian.org> Sun, 25 Feb 2007 11:44:11 -0700 + +bind9 (1:9.4.0~rc2-1) experimental; urgency=low + + * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494 + + -- LaMont Jones <lamont@debian.org> Thu, 25 Jan 2007 14:26:12 -0700 + +bind9 (1:9.4.0~rc1.0-3) experimental; urgency=low + + * add NEWS file talking about the change in defaults: + As of bind 9.4, allow-query-cache and allow-recursion default to the + builtin acls 'localnets' and 'localhost'. If you are setting up a + name server for a network, you will almost certainly need to change + this. + + The change in default has been done to make caching servers less + attractive as reflective amplifying targets for spoofed traffic. + This still leaves authoritative servers exposed. + + -- LaMont Jones <lamont@debian.org> Wed, 24 Jan 2007 09:35:06 -0700 + +bind9 (1:9.4.0~rc1.0-2) experimental; urgency=low + + * Fix mips64. Closes: #406409 + + -- LaMont Jones <lamont@debian.org> Sun, 21 Jan 2007 15:32:27 -0700 + +bind9 (1:9.4.0~rc1.0-1) experimental; urgency=low + + * Broken orig.tar.gz. + + -- LaMont Jones <lamont@debian.org> Thu, 28 Dec 2006 23:04:05 -0700 + +bind9 (1:9.4.0~rc1-1) experimental; urgency=low + + * New upstream + + -- LaMont Jones <lamont@debian.org> Thu, 28 Dec 2006 19:00:37 -0700 + +bind9 (1:9.3.4-2etch2) stable-proposed-updates; urgency=low + + [Thomas Antepoth] + + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + [LaMont Jones] + + * document git repositories + * db.root: l.root-servers.net changed IP address. Closes: #449148 + + -- LaMont Jones <lamont@debian.org> Mon, 05 Nov 2007 19:48:23 -0700 + +bind9 (1:9.3.4-2etch1) stable-security; urgency=high + + * Fix DNS cache poisoning through predictable query IDs. (CVE-2007-2926) + + -- Moritz Muehlenhoff <jmm@debian.org> Tue, 24 Jul 2007 22:09:35 +0000 + +bind9 (1:9.3.4-2) unstable; urgency=high + + * Actually really do the merge of 9.3.4. Sigh. Closes: #408925 + + -- LaMont Jones <lamont@debian.org> Mon, 29 Jan 2007 06:09:03 -0700 + +bind9 (1:9.3.4-1) unstable; urgency=high + + * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494 + + -- LaMont Jones <lamont@debian.org> Thu, 25 Jan 2007 14:31:09 -0700 + +bind9 (1:9.3.3-1) unstable; urgency=low + + * New upstream version + + -- LaMont Jones <lamont@debian.org> Tue, 12 Dec 2006 23:31:51 -0700 + +bind9 (1:9.3.2-P1.0-1) unstable; urgency=low + + * Fix README.Debian to point to the URL. Closes: #387437 + * Strip rfc's from orig.tar.gz. Closes: #393359 + + -- LaMont Jones <lamont@mmjgroup.com> Mon, 16 Oct 2006 06:38:22 -0600 + +bind9 (1:9.3.2-P1-2) unstable; urgency=low + + * Fix init script output. Closes: #354192 + Thanks to Joey Hess for the patch. + * Default install should listen on ipv6 interfaces. Closes: #382438 + + -- LaMont Jones <lamont@debian.org> Sat, 9 Sep 2006 19:01:53 -0600 + +bind9 (1:9.3.2-P1-1) unstable; urgency=high + + * New upstream, fixes CVE-2006-4095 and CVE-2006-4096. + Closes: #386237, #386245 + * Drop gcc-3.4 [powerpc] dependency. Closes: #342957, #372203 + * Add -fno-strict-aliasing for type-punned pointer aliasing issues + Closes: #386224 + * Use getent in postinst instead of chown/chgrp. Closes: #386091, #239665 + * Drop redundant update-rc.d calls. Closes: #356914 + + -- LaMont Jones <lamont@debian.org> Wed, 6 Sep 2006 08:07:13 -0600 + +bind9 (1:9.3.2-2) unstable; urgency=low + + * correct force-reload. Closes: #333841 + * Fix init.d's usage message. Closes: #331090 + * resolvconf tweaks. Closes: #252232, #275412 + + -- LaMont Jones <lamont@debian.org> Mon, 16 Jan 2006 15:17:04 -0700 + +bind9 (1:9.3.2-1) unstable; urgency=low + + * New upstream + * use lsb-base for start/stop messages in init.d. + * switch to debhelper 4 + + -- LaMont Jones <lamont@debian.org> Thu, 5 Jan 2006 12:29:28 -0700 + +bind9 (1:9.3.1-2) unstable; urgency=low + + * Getting good reports from experimental, uploading to sid. + Release team, please consider this package for sarge. Thanks. + * correct pidfile name in init.d/lwresd. Closes: #298100 + + -- LaMont Jones <lamont@debian.org> Sat, 19 Mar 2005 17:46:31 -0700 + +bind9 (1:9.3.1-1) experimental; urgency=low + + * Build with gcc-3.4 on powerpc, to work around #292958. + + -- LaMont Jones <lamont@debian.org> Sat, 19 Mar 2005 11:40:06 -0700 + +bind9 (1:9.3.1-0) experimental; urgency=low + + * New upstream version. + + -- LaMont Jones <lamont@debian.org> Sun, 13 Mar 2005 21:44:57 -0700 + +bind9 (1:9.3.0+9.3.1beta2-1) experimental; urgency=low + + * new upstream version + + -- LaMont Jones <lamont@debian.org> Tue, 25 Jan 2005 14:21:51 -0700 + +bind9 (1:9.3.0-1) experimental; urgency=low + + * New upstream version + + -- LaMont Jones <lamont@debian.org> Sat, 25 Sep 2004 21:35:46 -0600 + +bind9 (1:9.2.4-1) unstable; urgency=high + + * New upstream version. Closes: #269157 and others. + * Version debhelper build-dep. Closes: #262720 + + -- LaMont Jones <lamont@mmjgroup.com> Thu, 23 Sep 2004 09:11:37 -0600 + +bind9 (1:9.2.3+9.2.4-rc7-1) unstable; urgency=low + + * New upstream + + -- LaMont Jones <lamont@mmjgroup.com> Wed, 1 Sep 2004 00:04:55 -0600 + +bind9 (1:9.2.3+9.2.4-rc6-1) unstable; urgency=low + + * New upstream. + * Comment out delegation-only directives in named.conf + + -- LaMont Jones <lamont@debian.org> Mon, 2 Aug 2004 10:00:38 -0600 + +bind9 (1:9.2.3+9.2.4-rc5-1) unstable; urgency=low + + * New upstream release candidate + + -- LaMont Jones <lamont@debian.org> Thu, 17 Jun 2004 19:50:37 -0600 + +bind9 (1:9.2.3+9.2.4-rc2-1) unstable; urgency=low + + * New upstream release candidate + * Remove shared library symlinks in clean. Closes: #243109 + * Deal with capset being a module. Closes: #245043, #240874, #241605 + * deliver /var/run/bind/run in lwresd as well. Closes: #186569 + + -- LaMont Jones <lamont@debian.org> Thu, 22 Apr 2004 12:20:05 -0600 + +bind9 (1:9.2.3-3) unstable; urgency=low + + * new IP for b.root-servers.net. Closes: #234278 + * Fix RC linkages to match bind8. Closes: #218007 + + -- LaMont Jones <lamont@debian.org> Mon, 1 Mar 2004 15:00:44 -0700 + +bind9 (1:9.2.3-2) unstable; urgency=low + + * Rebuild autoconf files for mips. Closes: #221419 + + -- LaMont Jones <lamont@debian.org> Tue, 18 Nov 2003 06:33:34 -0700 + +bind9 (1:9.2.3-1) unstable; urgency=low + + * New upstream. + * cleanup zones.rfc1918/db.empty stuff. + * Fix Makefiles to work even if the build environment is unclean. + Closes: #211503 + * Add comments about root-delegation-only to named.conf. Closes: #212243 + * Add resolvconf support. Closes: #199255 + * more SO_BSDCOMPAT hacks for linux. Closes: #220735, #214460 + + -- LaMont Jones <lamont@debian.org> Mon, 17 Nov 2003 21:30:33 -0700 + +bind9 (1:9.2.2+9.2.3rc4-1) unstable; urgency=low + + * Yet another new upstream release. + + -- LaMont Jones <lamont@debian.org> Mon, 22 Sep 2003 09:39:50 -0600 + +bind9 (1:9.2.2+9.2.3rc3-1) unstable; urgency=low + + * New upstream. Closes: #211752. #211503. #211496, #211520 + + -- LaMont Jones <lamont@debian.org> Sat, 20 Sep 2003 12:22:59 -0600 + +bind9 (1:9.2.2+9.2.3rc2-4) unstable; urgency=low + + * Really fix versioned depends. Closes: #211590 + + -- LaMont Jones <lamont@debian.org> Thu, 18 Sep 2003 17:29:47 -0600 + +bind9 (1:9.2.2+9.2.3rc2-3) unstable; urgency=low + + * Version depends for all the libraries. sigh. Closes: #211412,#210293 + + -- LaMont Jones <lamont@debian.org> Wed, 17 Sep 2003 10:56:36 -0600 + +bind9 (1:9.2.2+9.2.3rc2-2) unstable; urgency=low + + * Need a versioned depend. sigh. + + -- LaMont Jones <lamont@debian.org> Wed, 17 Sep 2003 10:25:35 -0600 + +bind9 (1:9.2.2+9.2.3rc2-1) unstable; urgency=low + + * New upstream release. Closes: #211373 + * Remove RFC's from package, per policy. + * Make com and net zones delegation-only by default. + + -- LaMont Jones <lamont@debian.org> Wed, 17 Sep 2003 07:15:37 -0600 + +bind9 (1:9.2.2+9.2.3rc1-3) unstable; urgency=low + + * A bit more cleanup of descriptions. + * fix package sections + * Fix b0rkage with dependencies. + + -- LaMont Jones <lamont@debian.org> Sun, 14 Sep 2003 09:05:10 -0600 + +bind9 (1:9.2.2+9.2.3rc1-2) unstable; urgency=low + + * Explicitly link libraries. Closes: #210653 + * Fix descriptions. Closes: #209563, #209853, #210063 + + -- LaMont Jones <lamont@debian.org> Sat, 13 Sep 2003 19:29:05 -0600 + +bind9 (1:9.2.2+9.2.3rc1-1) unstable; urgency=low + + * New upstream release candidate. + * Quit using SO_BSDCOMPAT (why is it still in the header files??) so + that the kernel will shut up about it's advertised, obsolete option. + Closes: #201293, #204282, #205590 + + -- LaMont Jones <lamont@debian.org> Thu, 28 Aug 2003 14:44:28 -0600 + +bind9 (1:9.2.2-2) unstable; urgency=low + + * Fix libtool.m4. Closes: #183791 + * move lib packages into Section: libs. Closes: #184788 + * make sure it's libssl0.9.7. Closes: #182363 + * Add /etc/default/lwresd. Closes: #169727 + * Add fakeroot dir to dh_shlibdeps. Closes: #169622 + * Fix rndc manpage. Closes: #179353 + * Deliver /usr/bin/isc-config.sh (in libbind-dev). Closes: #178186 + + -- LaMont Jones <lamont@debian.org> Sat, 15 Mar 2003 16:34:15 -0700 + +bind9 (1:9.2.2-1) unstable; urgency=low + + * New upstream version + * Document /etc/default/bind9 in init.d script. Closes: #170267 + + -- LaMont Jones <lamont@debian.org> Tue, 4 Mar 2003 22:43:58 -0700 + +bind9 (1:9.2.1-7) unstable; urgency=low + + * One more overrides disparity. + * Fix bashism in postinst. Closes: #169531 + + -- LaMont Jones <lamont@debian.org> Sun, 17 Nov 2002 19:22:58 -0700 + +bind9 (1:9.2.1-6) unstable; urgency=low + + * The "I give up for now" release. + * Only convert to running as bind if named.conf hasn't been modified. + * Closes: #163552, #164352 + * Fix overrides + * Cleanup README.Debian wrt non-root-by-default. + * Make sure that /var/run/bind/run exists in init.d script. Closes: #168912 + * New IP for j.root-servers.net. Closes: #167818 + * Check for 2.2.18 kernel in preinst. Closes: #164349 + * Move local options to /etc/default/bind9. Closes: #169132, #163073 + * Cleanup old bugs (fixed in -5, really). Closes: #165864 + * Add /etc/bind/named.conf.local, included from named.conf. Closes: #129576 + * Do options definitions in /etc/bind/named.conf.options, makes life + easier in the face of named.conf changes from upstream. + * Add missing Depends: adduser + + -- LaMont Jones <lamont@debian.org> Sat, 16 Nov 2002 17:05:45 -0700 + +bind9 (1:9.2.1-5) unstable; urgency=low + + * Run named a non-privileged user by default. Closes: #149059 + + -- LaMont Jones <lamont@debian.org> Thu, 12 Sep 2002 16:57:37 -0600 + +bind9 (1:9.2.1-4) unstable; urgency=low + + * swap maintainer/uploader status so LaMont is primary and Bdale is backup + * Deal with bind/bind9 collisions better. Closes: #149580 + * Fix some documentation. Closes: #151579 + + -- LaMont Jones <lamont@debian.org> Wed, 4 Sep 2002 23:25:33 -0600 + +bind9 (1:9.2.1-3) unstable; urgency=high + + * fold in lib/bind/resolv from 8.3.3 to resolve buffer overlow issue in + resolver library, closes: #151342, #151431 + + -- Bdale Garbee <bdale@gag.com> Mon, 1 Jul 2002 00:16:31 -0600 + +bind9 (1:9.2.1-1.woody.1) testing-security woody-proposed-updates; urgency=high + + * backport to woody (simple rebuild) since 9.2.1 resolves a security issue + + -- Bdale Garbee <bdale@gag.com> Tue, 4 Jun 2002 10:30:57 -0600 + +bind9 (1:9.2.1-2) unstable; urgency=low + + * don't include nslint man page, closes: #148695 + * fix typo in rndc.8, closes: #139602 + * add a section to README.Debian explaining the rndc key mode that has been + our default since 9.2.0-2, closes: #129849 + * fix paths for named.conf in named.8 to reflect our default, closes: #143443 + * upstream fixed the nsupdate man page at some point, closes: #121108 + + -- Bdale Garbee <bdale@gag.com> Mon, 3 Jun 2002 15:44:37 -0600 + +bind9 (1:9.2.1-1) unstable; urgency=medium + + * new upstream version + * have bind9-host provide host, closes: #140174 + * move bind9-host to priority standard since dnsutils depends on it or host, + and we prefer bind9-host over host. + * move libdns5 and libisc4 to priority standard since dnsutils depends on + them and is priority standard + + -- Bdale Garbee <bdale@gag.com> Thu, 30 May 2002 10:38:39 -0600 + +bind9 (1:9.2.0-6) unstable; urgency=low + + * move to US main! Yippee! Closes: #123969 + * add info to README.Debian about 2.5 kernels vs --disable-linux-caps + + -- Bdale Garbee <bdale@gag.com> Sat, 23 Mar 2002 00:18:05 -0700 + +bind9 (1:9.2.0-5) unstable; urgency=medium + + * clean up various issues in the rules file + * make bind9-host conflict/replace old dnsutils as host does, otherwise we + can have problems upgrading from potato to woody, closes: #136686 + * use /dev/urandom for rndc-confgen in postinst, it should be good enough for + this purpose, and will keep the postinst from blocking arbitrarily. + closes: #130372 + * add fresh pointers to chroot howto to README.Debian, closes: #135774 + + -- Bdale Garbee <bdale@gag.com> Sun, 3 Mar 2002 16:47:12 -0700 + +bind9 (1:9.2.0-4) unstable; urgency=low + + * bind9-host needs to conflict with host, closes: #127395 + + -- Bdale Garbee <bdale@gag.com> Tue, 1 Jan 2002 20:12:14 -0700 + +bind9 (1:9.2.0-3) unstable; urgency=low + + * force removal of old diverted files, closes: #126236 + * change priority of liblwres1 from optional to standard per ftp admins + * add a bind9-host package so that the 'host' provided with the BIND 9.X + source tree can be an alternative to the aging NIKHEF version packaged + separately. Update dnsutils dependencies to depend on one of the two, + with preference to this one since it has fewer bugs (but fewer features, + too). + + -- Bdale Garbee <bdale@gag.com> Sun, 23 Dec 2001 00:59:15 -0700 + +bind9 (1:9.2.0-2) unstable; urgency=medium + + * change rc.d links to ensure daemon starts before and stops after other + daemons that may fail if name service is not working (bug was filed + against 8.X bind packages, but is just as relevant here!) + * use rndc for daemon shutdown instead of start-stop-daemon, closes: #111935 + * add a postinst to dnsutils to remove any lingering diversions from old + dnsutils packages, closes: #122227 + * not much point in delivering zone2ldap.1 since we aren't delivering + zone2ldap right now (though we might someday?), closes: #124058 + * be more verbose with shared library descriptions, closes: #123426, #123428 + * 9.2.0 added a new rndc.key file that both named and rndc will read to + obtain a shared key, and rndc-confgen will easily create this file with + a unique-per-system key. Modify named.conf and remove rndc.conf + to take advantage of this mechanism and stop delivering a pre-determined + static key to all Debian systems (which has been a mild security risk). + Create the key in postinst if the key file doesn't already exist, and + remove the file in postrm if purging. + Closes: #86718, #87208 + + -- Bdale Garbee <bdale@gag.com> Fri, 21 Dec 2001 04:04:30 -0700 + +bind9 (1:9.2.0-1) unstable; urgency=low + + * new upstream version, closes: #108243, #112266, #114250, #119506, #120657 + * /etc/bind/rndc.conf is now a conffile + * minor hacks to the README.Debian since the chroot instructions it points + to are 8.X specific, part of addressing bug 111868. + * libomapi is gone, replaced by libisccc and libisccfg + * a few lintian-motivated cosmetic cleanups + * lose task-dns-server meta package, since tasksel doesn't need it now + * dig problem not reproducible in this version, closes: #89526 + * named-checkconf now uses $sysconfdir, closes: #107835 + * no longer deliver man pages for contributed binaries we're not including + in dnsutils, closes: #108220 + * fix section in nslookup man page, though that's the least of the man + page's problems... glitch reported is unreproducible + closes: #103630, #120946 + * update libbind-dev README.Debian, closes: #121050 + + -- Bdale Garbee <bdale@gag.com> Tue, 27 Nov 2001 01:41:00 -0700 + +bind9 (1:9.1.3-1) unstable; urgency=low + + * new upstream version, closes: #96483, #99824, #100647, #101568, #103429 + * update config.sub/guess for hppa/ia64 support + * small init.d patch from Marco d'Itri to ease adding options on invocation + * stop having bind9-doc conflict/replace bind-doc since they don't really + conflict and there's no reason to prevent having both installed at the + same time, closes: #90994 + * the CHANGES file documents fixes since 9.1.1 that probably cured the + reported assertion failure. If it turns out that I'm wrong, the bug can + be re-opened or a new one filed. I can't see any way to reproduce the bug + in a test case here. Closes: #99352 + * have libbind-dev depend on the runtime library packages it delivers + compile-time symlinks for, closes: #100898, #103855 + * fix lwres man pages to source man3/* instead of * so all the page content + can actually be found, closes: #85450, #103865 + + -- Bdale Garbee <bdale@gag.com> Mon, 9 Jul 2001 11:30:39 -0600 + +bind9 (1:9.1.1-1) unstable; urgency=low + + * new upstream release + * update build-depends for libssl-dev + * add build-depends on bison, closes: #90150, #90752, #90159 + * split up libbind0 since libdns is changing so numbers + * downgrade rblcheck from a depends to a suggests, closes: #90783 + * bind9 mkdep creates files in the current working directory, closes: #58353 + + -- Bdale Garbee <bdale@gag.com> Wed, 25 Apr 2001 22:53:21 -0600 + +bind9 (1:9.1.0-3) unstable; urgency=low + + * merge patch from Zack Weinberg that solves compilation problem, and + reduces the memory footprint of applications by making configure.in + smarter. Closes: #86776, #86910 + * the bind-doc package includes all relevant documentation from the bind9 + source tree, including HTML content in /usr/share/doc/bind9-doc/arm, + closes: #85718 + * default named.conf and rndc.conf to not world-readable. This is an + interim step towards addressing the concerns about security raised by + bugs 86718 and closes: #86836 A better long-term solution would be for + rndc.conf to allow includes, so that both named.conf and rndc.conf could + include a key file built on the fly during installation while themselves + retaining conffile status. The required functionality has been requested + of the bind9 upstream, this will limit vulnerability in the meantime. + * add replaces logic to the dnsutils package to avoid complaints about the + delivery of nsupdate.8.gz, closes: #86759 + * move a couple of man pages back from dnsutils to bind9 that really belong + there. sigh. + + -- Bdale Garbee <bdale@gag.com> Thu, 22 Feb 2001 16:39:02 -0700 + +bind9 (1:9.1.0-2) unstable; urgency=low + + * merge patch from Luca Filipozzi <lfilipoz@debian.org> - thanks! + + bind9: ships with a working rndc.conf file, closes: #84572 + + bind9: init.d calls rndc rather than ndc on reload, closes: #85481 + + bind9: named.conf ships with 'key' and 'control' sections + + bind9: correctly creates /var/cache/bind, closes: #85457 + + lwresd: lwresd is split off into its own package, closes: #85627 + * nsupdate is delivered by the dnsutils package, but the (wrong) man page + was accidentally also included in the bind9 package, closes: #85717 + * freshen config.sub and config.guess for ia64 and hppa support + + -- Bdale Garbee <bdale@gag.com> Mon, 12 Feb 2001 23:43:55 -0700 + +bind9 (1:9.1.0-1) unstable; urgency=low + + * Initial packaging of BIND 9.1.0. Must use epoch so that meta packages + retain their sequencing from the bind 8 package version stream. + * snarf a couple of man pages from the 8.X tree for now + + -- Bdale Garbee <bdale@gag.com> Thu, 1 Feb 2001 16:30:35 -0700 + |