author | LaMont Jones <lamont@debian.org> | 2013-10-29 15:06:04 -0600 |
---|---|---|
committer | LaMont Jones <lamont@debian.org> | 2013-10-29 15:06:04 -0600 |
commit | 2267c87d6d963c7da70da7f78b53c11801d64630 (patch) | |
tree | 0c9cf46e23ce2781dbe9861a987764f0822ca1fd | |
parent | d59ac9b93fe0aa91958305ef4175393e54db5e0b (diff) | |
parent | fef68bcf997b38ed0370387f44efe6283063ec9c (diff) | |
download | bind9-2267c87d6d963c7da70da7f78b53c11801d64630.tar.gz |
Merge branch 'stable/v9.9.3' into stable/v9.9.4
-rw-r--r-- | bind9-resolvconf.service | 13 | ||||
-rw-r--r-- | bind9.service | 12 | ||||
-rw-r--r-- | bind9.tmpfile | 1 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | debian/apparmor-profile | 3 | ||||
-rw-r--r-- | debian/bind9-resolvconf.service | 13 | ||||
-rw-r--r-- | debian/bind9.init | 2 | ||||
-rw-r--r-- | debian/bind9.postinst | 2 | ||||
-rw-r--r-- | debian/bind9.service | 12 | ||||
-rw-r--r-- | debian/bind9.tmpfile | 1 | ||||
-rw-r--r-- | debian/bind9utils.install | 8 | ||||
-rw-r--r-- | debian/changelog | 123 | ||||
-rw-r--r-- | debian/control | 4 | ||||
-rw-r--r-- | debian/lwresd.service | 10 | ||||
-rw-r--r-- | debian/lwresd.tmpfile | 1 | ||||
-rw-r--r-- | debian/rules | 20 | ||||
-rw-r--r-- | lib/export/dns/include/dns/Makefile.in | 2 | ||||
-rw-r--r-- | lib/export/isc/include/isc/Makefile.in | 2 |
18 files changed, 220 insertions, 11 deletions
diff --git a/bind9-resolvconf.service b/bind9-resolvconf.service new file mode 100644 index 00000000..3426c1ff --- /dev/null +++ b/bind9-resolvconf.service @@ -0,0 +1,13 @@ +[Unit] +Description=local BIND via resolvconf +Documentation=man:named(8) man:resolvconf(8) +Requires=bind9.service +After=bind9.service +ConditionFileIsExecutable=/sbin/resolvconf + +[Service] +ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named' +ExecStop=/sbin/resolvconf -d lo.named + +[Install] +WantedBy=bind9.service diff --git a/bind9.service b/bind9.service new file mode 100644 index 00000000..5cbafa14 --- /dev/null +++ b/bind9.service @@ -0,0 +1,12 @@ +[Unit] +Description=BIND Domain Name Server +Documentation=man:named(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/named -f -u bind +ExecReload=/usr/sbin/rndc reload +ExecStop=/usr/sbin/rndc stop + +[Install] +WantedBy=multi-user.target diff --git a/bind9.tmpfile b/bind9.tmpfile new file mode 100644 index 00000000..36fc91d6 --- /dev/null +++ b/bind9.tmpfile @@ -0,0 +1 @@ +d /run/named 0775 root bind - - diff --git a/configure.in b/configure.in index da5a67b0..6ce5d71f 100644 --- a/configure.in +++ b/configure.in @@ -3456,7 +3456,7 @@ BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\"" AC_SUBST(BIND9_PRODUCT) BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\"" AC_SUBST(BIND9_DESCRIPTION) -BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}" +BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}-$(dpkg-vendor --query Vendor)-$(dpkg-parsechangelog | awk '/^Version/ {print $2}')" AC_SUBST(BIND9_VERSION) BIND9_SRCID="SRCID=unset" diff --git a/debian/apparmor-profile b/debian/apparmor-profile index 0eb118a7..35df558f 100644 --- a/debian/apparmor-profile +++ b/debian/apparmor-profile 
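Review bot: The `[Service]` section of bind9-resolvconf.service sets no `Type=`, so systemd treats the `/bin/sh -c ...` in `ExecStart` as a long-running main process. When that shell exits right after registering 127.0.0.1, the unit goes inactive and `ExecStop=/sbin/resolvconf -d lo.named` should run at once, removing the entry again. Adding `Type=oneshot` and `RemainAfterExit=yes` under `[Service]` keeps the unit active until bind9.service stops. The same file is added again as debian/bind9-resolvconf.service with the identical blob (3426c1ff), so the fix belongs there too. The root-level copies of the new unit and tmpfile files look like merge leftovers, since the debian/rules hunks only refer to the debian/ ones.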
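Review bot: `ExecStart=/usr/sbin/named -f -u bind` in bind9.service fixes the daemon's arguments inside the unit, whereas the init script touched by this same commit still passes `$OPTIONS` to named. Administrator-set options (a chroot via `-t`, `-4`, a different `-u`) would therefore silently stop applying on systemd hosts. Loading the same defaults keeps both start paths equivalent: `EnvironmentFile=-<defaults file that sets OPTIONS>` together with `ExecStart=/usr/sbin/named -f $OPTIONS`. `ExecReload` and `ExecStop` also depend on a working rndc key, which deserves a one-line comment in the unit. debian/bind9.service is the same blob (5cbafa14) and needs the same change.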
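Review bot: The new `BIND9_VERSION` in configure.in appends the vendor name and the full Debian package revision. If this string is what named reports as its version (that part is outside the hunk), every server that has not overridden the `version` option discloses its exact patch level to anyone who queries it. A comment next to the assignment would make that visible, e.g. `# NOTE: reported to clients unless 'version' is set in named.conf`; alternatively keep the package revision out of the externally reported string. The two `$(...)` substitutions also run unconditionally, so configuring without dpkg-dev or outside the packaging tree yields a version ending in `--`; guarding them on the presence of `dpkg-parsechangelog` would avoid that.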
@@ -29,6 +29,9 @@ # ssl /etc/ssl/openssl.cnf r, + # GeoIP data files for GeoIP ACLs + /usr/share/GeoIP/** r, + # dnscvsutil package /var/lib/dnscvsutil/compiled/** rw, diff --git a/debian/bind9-resolvconf.service b/debian/bind9-resolvconf.service new file mode 100644 index 00000000..3426c1ff --- /dev/null +++ b/debian/bind9-resolvconf.service @@ -0,0 +1,13 @@ +[Unit] +Description=local BIND via resolvconf +Documentation=man:named(8) man:resolvconf(8) +Requires=bind9.service +After=bind9.service +ConditionFileIsExecutable=/sbin/resolvconf + +[Service] +ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named' +ExecStop=/sbin/resolvconf -d lo.named + +[Install] +WantedBy=bind9.service diff --git a/debian/bind9.init b/debian/bind9.init index 4fb7a187..d38986f9 100644 --- a/debian/bind9.init +++ b/debian/bind9.init @@ -88,7 +88,7 @@ case "$1" in start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \ --pidfile ${PIDFILE} -- $OPTIONS fi - if [ -n $pid ]; then + if [ -n "$pid" ]; then sig=0 n=1 while kill -$sig $pid 2>/dev/null; do diff --git a/debian/bind9.postinst b/debian/bind9.postinst index 01ca6119..61ea486d 100644 --- a/debian/bind9.postinst +++ b/debian/bind9.postinst @@ -19,7 +19,7 @@ if [ "$1" = configure ]; then chmod 775 /var/lib/bind fi - if [ ! -s /etc/bind/rndc.key ]; then + if [ ! -s /etc/bind/rndc.key ] && [ ! -s /etc/bind/rndc.conf ]; then rndc-confgen -r /dev/urandom -a fi diff --git a/debian/bind9.service b/debian/bind9.service new file mode 100644 index 00000000..5cbafa14 --- /dev/null +++ b/debian/bind9.service @@ -0,0 +1,12 @@ +[Unit] +Description=BIND Domain Name Server +Documentation=man:named(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/named -f -u bind +ExecReload=/usr/sbin/rndc reload +ExecStop=/usr/sbin/rndc stop + +[Install] +WantedBy=multi-user.target diff --git a/debian/bind9.tmpfile b/debian/bind9.tmpfile new file mode 100644 index 00000000..36fc91d6 --- /dev/null +++ b/debian/bind9.tmpfile 
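Review bot: In debian/bind9.init the quoting fixes the test, but the next line still expands the value bare in `kill -$sig $pid`, and nothing in the hunk checks that `pid` is a single number. Its assignment is outside the hunk. If it is read from `${PIDFILE}`, that file sits in a directory the bind group can write (the tmpfile entry in this commit creates /run/named as `0775 root bind`), so this root-run script would be signalling whatever the file names. Rejecting non-numeric content before the loop, `case "$pid" in ''|*[!0-9]*) pid= ;; esac`, and quoting `"$pid"` in the `kill` call would narrow that. The loop body continues outside the hunk.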
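Review bot: The added `[ ! -s /etc/bind/rndc.conf ]` in debian/bind9.postinst treats any non-empty rndc.conf as proof that rndc is already configured, but nothing visible checks that the file holds a usable key. Since the systemd unit added in this commit relies on `rndc reload` and `rndc stop`, a leftover or partial rndc.conf now means no key is generated and those commands fail. A comment stating the intent would make the trade-off visible, e.g. `# an admin-supplied rndc.conf takes precedence; rndc-confgen -a would write a key it shadows`. The enclosing `if [ "$1" = configure ]` block starts and ends outside the hunk.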
@@ -0,0 +1 @@
+d /run/named 0775 root bind - -
diff --git a/debian/bind9utils.install b/debian/bind9utils.install
index 1cf5bd23..a3da519a 100644
--- a/debian/bind9utils.install
+++ b/debian/bind9utils.install
@@ -1,5 +1,9 @@
 usr/sbin/dnssec-checkds
+usr/sbin/dnssec-dsfromkey
+usr/sbin/dnssec-keyfromlabel
 usr/sbin/dnssec-keygen
+usr/sbin/dnssec-revoke
+usr/sbin/dnssec-settime
 usr/sbin/dnssec-signzone
 usr/sbin/dnssec-verify
 usr/sbin/named-checkconf
@@ -7,7 +11,11 @@ usr/sbin/named-checkzone
 usr/sbin/named-compilezone
 usr/sbin/rndc
 usr/sbin/rndc-confgen
+usr/share/man/man8/dnssec-dsfromkey.8
+usr/share/man/man8/dnssec-keyfromlabel.8
 usr/share/man/man8/dnssec-keygen.8
+usr/share/man/man8/dnssec-revoke.8
+usr/share/man/man8/dnssec-settime.8
 usr/share/man/man8/dnssec-signzone.8
 usr/share/man/man8/named-checkconf.8
 usr/share/man/man8/named-checkzone.8
diff --git a/debian/changelog b/debian/changelog
index de236ebe..a72a0054 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,73 @@ +bind9 (1:9.9.3.dfsg.P2-4) unstable; urgency=low + + [Peter Marschall] + + * If rndc.conf exists, skip creation of rndc.key. Closes: #620394 + + [Al Tarakanoff] + + * properly quote check of pid in bind9 init.d. LP: #1092243 + + [LaMont Jones] + + * include distro and package version in version string + * apparmor: allow GeoIP data file access. LP: #834901 + * enable filter-aaaa. Closes: #701704 LP: #1115168 + + -- LaMont Jones <lamont@debian.org> Thu, 29 Aug 2013 16:22:29 -0600 + +bind9 (1:9.9.3.dfsg.P2-3) unstable; urgency=low + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + [LaMont Jones] + + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build. Closes: #713025 + * deliver rrl.h and stat.h Closes: #692483, #720813 + + -- LaMont Jones <lamont@debian.org> Tue, 27 Aug 2013 10:06:37 -0600 + +bind9 (1:9.9.3.dfsg.P2-2build1) saucy; urgency=low + + [Marc Deslauriers] + + * 9.9.2.dfsg.P1-2ubuntu1: fixed in 9.9.3b1 + * 9.9.2.dfsg.P1-2ubuntu3: fixed in 9.9.3-P2 + + [Robie Basak] + + * 9.9.2.dfsg.P1-2ubuntu2: fixed in 9.9.3b1 + + [LaMont Jones] + + * Merge ubuntu changes, except: autoconf files are generated as part + of the source packagee creation, not on the build host. NAK + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + -- LaMont Jones <lamont@debian.org> Thu, 22 Aug 2013 10:57:17 -0600 + +bind9 (1:9.9.3.dfsg.P2-2) unstable; urgency=low + + * ack NMUs of 9.8.4 + - upstream 9.9.3-P2 fixes: CVE-2013-4854, CVE-2012-5689, + CVE-2013-2266 + - deliver rrl.h + + [LaMont Jones] + + * Use ISC's bin/tests + * Diff cleanup and rationalization to 9.9.3 upstream + + -- LaMont Jones <lamont@debian.org> Sat, 17 Aug 2013 07:09:54 -0600 + bind9 (1:9.9.3.dfsg.P2-1) unstable; urgency=low 
@@ -31,6 +101,33 @@ bind9 (1:9.9.2.dfsg.P1-3) experimental; urgency=low -- LaMont Jones <lamont@debian.org> Mon, 04 Mar 2013 09:30:50 -0700 +bind9 (1:9.9.2.dfsg.P1-2ubuntu3) saucy; urgency=low + + * SECURITY UPDATE: denial of service via incorrect bounds checking on + private type 'keydata' + - lib/dns/rdata/generic/keydata_65533.c: check for correct length. + - Patch backported from 9.9.3-P2 + - CVE-2013-4854 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 28 Jul 2013 10:13:06 -0400 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu2) raring; urgency=low + + * configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475). + * debian/control: add Build-Depends on dh-autoreconf. + * debian/rules: use dh_autoreconf and dh_autoreconf_clean. + + -- Robie Basak <robie.basak@canonical.com> Wed, 10 Apr 2013 16:50:28 +0000 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu1) raring; urgency=low + + * SECURITY UPDATE: denial of service via regex syntax checking + - configure,configure.in,config.h.in: remove check for regex.h to + disable regex syntax checking. + - CVE-2013-2266 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 28 Mar 2013 15:04:57 -0400 + bind9 (1:9.9.2.dfsg.P1-2) experimental; urgency=low [Michael Gilbert] 
@@ -53,6 +150,32 @@ bind9 (1:9.9.2.dfsg.P1-2) experimental; urgency=low -- LaMont Jones <lamont@debian.org> Wed, 09 Jan 2013 10:09:40 -0700 +bind9 (1:9.8.4.dfsg.P1-6+nmu3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2013-4854: A specially crafted query that includes malformed rdata can + cause named to terminate with an assertion failure while rejecting the + malformed query. (Closes: #717936). + + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 27 Jul 2013 10:24:07 +0200 + +bind9 (1:9.8.4.dfsg.P1-6+nmu2) unstable; urgency=medium + + * Non-maintainer upload. + * Install /usr/include/dns/rrl.h (closes: #699834). + + -- Michael Gilbert <mgilbert@debian.org> Tue, 16 Apr 2013 01:59:05 +0000 + +bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA + lookup for a record with an A record overwrite rule in a Response Policy + Zone (closes: #699145). + * Fix cve-2013-2266: issues in regular expression handling (closes: #704174). + + -- Michael Gilbert <mgilbert@debian.org> Fri, 29 Mar 2013 00:47:25 +0000 + bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low [Ben Hutchings] diff --git a/debian/control b/debian/control index 284b10ea..e76806b5 100644 --- a/debian/control +++ b/debian/control 
@@ -3,7 +3,7 @@ Section: net Priority: optional Maintainer: LaMont Jones <lamont@debian.org> Uploaders: Bdale Garbee <bdale@gag.com> -Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5), dpkg-dev (>= 1.15.5), python, python-argparse +Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5), dpkg-dev (>= 1.15.5), python, python-argparse, dh-systemd Build-Conflicts: libdb4.2-dev Standards-Version: 3.7.3.0 XS-Vcs-Browser: http://git.debian.org/?p=users/lamont/bind9.git @@ -13,7 +13,7 @@ Package: bind9 Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, debconf | debconf-2.0, netbase, adduser, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), libisccc90 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}), net-tools Conflicts: bind, apparmor-profiles (<< 2.1+1075-0ubuntu4) -Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4) +Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4), bind9utils (<< 1:9.9.3.dfsg.P2-3) Suggests: dnsutils, bind9-doc, resolvconf, ufw Description: Internet Domain Name Server ${Description} diff --git a/debian/lwresd.service b/debian/lwresd.service new file mode 100644 index 00000000..64a34a50 --- /dev/null +++ b/debian/lwresd.service @@ -0,0 +1,10 @@ +[Unit] +Description=Lightweight Resolver Daemon +Documentation=man:lwresd(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/lwresd -f + +[Install] +WantedBy=multi-user.target 
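Review bot: `ExecStart=/usr/sbin/lwresd -f` in debian/lwresd.service has no `-u` argument, so unless lwresd drops privileges through some path not shown here it keeps running as root, while bind9.service in the same commit starts named with `-u bind`. The lwresd.tmpfile entry added alongside creates /run/lwresd as `0775 root bind`, which suggests the daemon is meant to run as bind. Consider `ExecStart=/usr/sbin/lwresd -f -u bind`, or sourcing the same options the lwresd init script uses so that both start paths agree.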
diff --git a/debian/lwresd.tmpfile b/debian/lwresd.tmpfile new file mode 100644 index 00000000..ffdd79e8 --- /dev/null +++ b/debian/lwresd.tmpfile @@ -0,0 +1 @@ +d /run/lwresd 0775 root bind - - diff --git a/debian/rules b/debian/rules index 20618ddd..b7ac0908 100644 --- a/debian/rules +++ b/debian/rules @@ -23,6 +23,11 @@ else OPT = -O2 endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +export MAKEFLAGS += -j$(NUMJOBS) +endif + export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT) ifeq ($(DEB_HOST_ARCH_OS),kfreebsd) @@ -48,15 +53,16 @@ configure-stamp: --with-geoip=/usr \ --with-atf=no \ --enable-ipv6 \ + --enable-filter-aaaa \ $(EXTRA_FEATURES) - touch configure-stamp + touch $@ -build: configure-stamp build-stamp -build-stamp: +build: build-stamp +build-stamp: configure-stamp dh_testdir LD_LIBRARY_PATH=$$(pwd)/lib/isc/.libs:$$(pwd)/lib/isccc/.libs:$$(pwd)/isccfg/.libs:$${LD_LIBRARY_PATH} $(MAKE) - touch build-stamp + touch $@ autofiles: libtoolize --automake --copy --force @@ -65,6 +71,7 @@ autofiles: autoheader autoconf rm -rf autom4te.cache + cp config.guess config.sub contrib/idn/idnkit-1.0-src/ clean: dh_testdir @@ -146,7 +153,12 @@ binary-arch: build install dh_installdocs -a dh_installexamples -a dh_installmenu -a + dh_systemd_enable -pbind9 --no-enable bind9-resolvconf.service + dh_systemd_enable -pbind9 bind9.service + dh_systemd_enable -plwresd lwresd.service dh_installinit -a --no-start -- defaults 15 85 + # Ship the extra service file for resolvconf integration manually. + cp debian/bind9-resolvconf.service debian/bind9/lib/systemd/system dh_installcron -a dh_installdebconf -pbind9 dh_installinfo -a diff --git a/lib/export/dns/include/dns/Makefile.in b/lib/export/dns/include/dns/Makefile.in index b7f51b4a..7a8512e2 100644 --- a/lib/export/dns/include/dns/Makefile.in +++ b/lib/export/dns/include/dns/Makefile.in 
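Review bot: In the binary-arch hunk of debian/rules, `cp debian/bind9-resolvconf.service debian/bind9/lib/systemd/system` only does the right thing if that directory already exists. If only `lib/systemd` exists, cp writes a regular file named `system` and the package ships without the unit. `install -D -m 0644 debian/bind9-resolvconf.service debian/bind9/lib/systemd/system/bind9-resolvconf.service` creates the path and pins the mode. The copy also comes after `dh_systemd_enable -pbind9 --no-enable bind9-resolvconf.service`, which may expect the unit to be in place already; moving the install line above the dh_systemd_enable calls would remove that doubt. The binary-arch rule continues outside the hunk.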
@@ -31,7 +31,7 @@ HEADERS = acl.h adb.h byaddr.h \ peer.h portlist.h \ rbt.h rcode.h rdata.h rdataclass.h \ rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \ - request.h resolver.h result.h \ + request.h resolver.h result.h rrl.h \ secalg.h secproto.h soa.h stats.h \ tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \ validator.h version.h view.h diff --git a/lib/export/isc/include/isc/Makefile.in b/lib/export/isc/include/isc/Makefile.in index 8c7eff8e..2084b750 100644 --- a/lib/export/isc/include/isc/Makefile.in +++ b/lib/export/isc/include/isc/Makefile.in @@ -37,7 +37,7 @@ HEADERS = app.h assertions.h base64.h bitstring.h boolean.h \ print.h quota.h radix.h random.h ratelimiter.h \ refcount.h regex.h region.h resource.h \ result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \ - sockaddr.h socket.h stdio.h stdlib.h string.h \ + sockaddr.h socket.h stat.h stdio.h stdlib.h string.h \ symtab.h \ task.h taskpool.h timer.h types.h util.h version.h \ xml.h |