Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query that identifies the packages you are interested in, for example:
grep-dctrl -n -sPackage Sources.Debian
(with a selector such as -FPackage linux-ntfs, or just linux-ntfs for a substring match on every field)
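The query above relies on grep-dctrl, which is the right tool on a Debian or Ubuntu host. As an added example, not part of this page or of grep-dctrl, the following stand-in parses the deb822 stanza format that Sources.Debian uses and reproduces the `-FPackage <name> -sPackage` selection, including grep-dctrl's default substring matching versus the exact match you get with `-X`. The Sources text is constructed for the example; only the bind9 package name and its Debian version 1:9.16.2-3 are taken from this page, the other stanza is invented.

```python
"""Stand-in for `grep-dctrl -n -sPackage -FPackage <name> Sources.Debian`.

Added example, not part of the page or of grep-dctrl. Parses the Debian
control-file (deb822) stanza format used by Sources.Debian and returns the
fields grep-dctrl would print. The sample text below is constructed; only
the bind9 name and version 1:9.16.2-3 come from the page.
"""
from typing import Dict, Iterator, List

# Constructed sample in Sources.Debian layout: stanzas separated by a blank
# line, "Field: value" lines, continuation lines indented by a space or tab.
SAMPLE_SOURCES = """\
Package: bind9
Binary: bind9, bind9-dnsutils, bind9-utils
Version: 1:9.16.2-3
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
Build-Depends: bison, debhelper-compat (= 12), dh-apparmor,
 libssl-dev, libuv1-dev
Directory: pool/main/b/bind9

Package: bind9-libs
Version: 1:9.11.99-0
Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
"""


def parse_deb822(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per stanza. Continuation lines are folded into the
    previous field; '#' comment lines are ignored, as dpkg does."""
    stanza: Dict[str, str] = {}
    last_field = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if stanza:
                yield stanza
            stanza, last_field = {}, None
            continue
        if raw[0] in " \t":
            if last_field is None:
                raise ValueError("continuation line before any field: %r" % raw)
            stanza[last_field] += "\n" + raw.strip()
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        last_field = name.strip()
        stanza[last_field] = value.strip()
    if stanza:
        yield stanza


def grep_sources(text: str, field: str, pattern: str,
                 show: List[str], exact: bool = False) -> List[Dict[str, str]]:
    """Equivalent of `grep-dctrl -F<field> <pattern> -s<show...>`: keep the
    stanzas whose <field> contains <pattern> (grep-dctrl's default), or
    equals it when exact=True (grep-dctrl -X), and project them onto the
    requested fields."""
    out = []
    for st in parse_deb822(text):
        val = st.get(field, "")
        hit = (val == pattern) if exact else (pattern in val)
        if hit:
            out.append({f: st[f] for f in show if f in st})
    return out


if __name__ == "__main__":
    # Substring match picks up bind9-libs too; -X style exact match does not.
    print(grep_sources(SAMPLE_SOURCES, "Package", "bind9", ["Package", "Version"]))
    print(grep_sources(SAMPLE_SOURCES, "Package", "bind9", ["Package", "Version"], exact=True))
```

The substring default is the reason the page suggests `-FPackage linux-ntfs` rather than a bare pattern: a bare pattern is matched against every field of every stanza, and a short name will also hit Build-Depends and Binary lists of unrelated source packages.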

Modified packages are listed below:


Source: bind9

bind9 (1:9.16.2-3ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/t/simpletest: drop the internetsociety.org test as it requires network
      egress access that is not available in the Ubuntu autopkgtest farm.
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/t/control: change the dep8 test dependency to be on the real
      bind9-dnsutils package, and not the transitional one (LP #1864761)
    - d/control: make bind9-dnsutils multi-arch foreign as another step
      towards fixing LP #1864761
    - d/rules: change deprecated --with-libjson-c configure argument to
      --with-json-c
    - SECURITY UPDATE: BIND does not sufficiently limit the number of fetches
      performed when processing referrals
      + debian/patches/CVE-2020-8616.patch: further limit the number of
        queries that can be triggered from a request in lib/dns/adb.c,
        lib/dns/include/dns/adb.h, lib/dns/resolver.c.
      + CVE-2020-8616
    - SECURITY UPDATE: A logic error in code which checks TSIG validity can be
      used to trigger an assertion failure in tsig.c
      + debian/patches/CVE-2020-8617.patch: don't allow replaying a TSIG
        BADTIME response in lib/dns/tsig.c.
      + CVE-2020-8617
  * Dropped:
    - use iproute2 instead of net-tools (LP #1850699):
      + d/control: replace net-tools depends with iproute2
      + d/bind9.init: use ip instead of ifconfig
      [In 1:9.16.1-2]
    - d/control: Enable readline-like support in dnsutils (nslookup and
      nsupdate) via libedit-dev (libreadline has a license conflict with bind)
      [In 1:9.16.1-2]
    - d/control: drop hardcoded python3 dependency (LP #1856211,
      Closes #946643) [In 1:9.16.1-2]
    - d/extras/apparmor.d/usr.sbin.named:
      + Add flags=(attach_disconnected) to AppArmor profile
      + AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ
        (Closes: #928398)
      [In 1:9.16.1-2]
    - d/rules: fix typo in the apparmor profile installation [In 1:9.16.1-2]
    - d/control: create transitional packages for dnsutils, bind9utils
      [In 1:9.16.1-2]
    - d/p/fix-rebinding-protection.patch: fix rebinding protection bug when
      using forwarder setups (LP #1873046) [Fixed upstream]

 -- Andreas Hasenack <andreas@canonical.com>  Fri, 22 May 2020 09:52:13 -0300
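The changelog names one version, 1:9.16.2-3ubuntu1, as the upload that carries the CVE-2020-8616 and CVE-2020-8617 patches. Deciding from an inventory dump which hosts are still below that version is a Debian version comparison, not a string comparison: epochs, the `~` pre-release marker and numeric runs all have special ordering. As an added example that is not part of this page, of the bind9 packaging or of dpkg, the block below re-implements dpkg's ordering rules (Debian Policy section 5.6.12, the rules `dpkg --compare-versions` applies) and uses them to flag unpatched hosts. The fixed version and the two CVE ids come from the changelog; the table of fixed versions knows only this groovy upload, and the host inventory is constructed.

```python
"""Which hosts still lack the fixes named in the changelog above?

Added example, not part of the page, of bind9 or of dpkg: re-implements
dpkg's version ordering (Debian Policy 5.6.12) so the check can run from an
inventory dump without dpkg. The fixed version 1:9.16.2-3ubuntu1 and the CVE
ids come from the changelog; the inventory below is constructed.
"""
from typing import List, Tuple

# Per the changelog above, both CVEs are fixed in this groovy upload. Other
# Ubuntu series have their own fixed versions, which this table does not know.
FIXED_IN = {
    "CVE-2020-8616": "1:9.16.2-3ubuntu1",
    "CVE-2020-8617": "1:9.16.2-3ubuntu1",
}


def _order(c: str) -> int:
    """Collation of one non-digit character: '~' sorts before everything,
    including the end of the string; letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings by alternating
    non-digit runs (lexically, via _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end of string collates as 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":          # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():          # longer digit run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                         # no hyphen: native package, no revision
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, cve: str) -> bool:
    """True when the installed bind9 is at or above the changelog's fixed version."""
    return compare_versions(installed, FIXED_IN[cve]) >= 0


def unpatched_hosts(inventory: List[Tuple[str, str]], cve: str) -> List[str]:
    """Hosts, given as (name, installed version) pairs, still lacking the fix."""
    return [host for host, ver in inventory if not is_fixed(ver, cve)]


# Constructed inventory: hosts and most versions are made up for the example.
INVENTORY = [
    ("ns1", "1:9.16.2-3ubuntu1"),        # exactly the fixed upload
    ("ns2", "1:9.16.2-3"),               # Debian's base revision, below the Ubuntu one
    ("ns3", "1:9.16.1-0ubuntu2"),        # older upstream
    ("ns4", "1:9.16.2-3ubuntu1.1"),      # a later stable update, still fixed
    ("ns5", "1:9.16.2-3ubuntu1~ppa1"),   # '~' sorts a pre-build below the fixed upload
    ("ns6", "9.16.9-1"),                 # no epoch: sorts below every 1: version
]

if __name__ == "__main__":
    for cve in FIXED_IN:
        print(cve, "unpatched:", unpatched_hosts(INVENTORY, cve))
```

Two of the rows are the ones that trip naive string checks: ns6 looks newer than everything yet is unpatched because it has no epoch, and ns5 is unpatched because `~ppa1` sorts below the bare revision. On a real host, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' bind9)" ge 1:9.16.2-3ubuntu1` gives the same answer without the reimplementation, and note that a Debian host fixed in its own version would be misreported by this Ubuntu-only table.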

Modifications:
  1. Download patch debian/bind9.apport

    --- 1:9.16.2-3/debian/bind9.apport 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/bind9.apport 2020-05-22 12:52:13.000000000 +0000 @@ -0,0 +1,24 @@ +'''apport hook for bind9 + +(c) 2010 Andres Rodriguez. +Author: Andres Rodriguez <andreserl@ubuntu.com> + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import re + +def add_info(report, ui): + + # getting syslog stuff + report['SyslogBind9'] = recent_syslog(re.compile(r'named\[')) + + # Attaching related packages info + attach_related_packages(report, ['bind9utils', 'apparmor']) + + attach_mac_events(report, '/usr/sbin/named')
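Review bot: the `ui` argument of add_info() is never used, yet the hook attaches every recent syslog line matching `named\[` through recent_syslog(); on a resolver with query logging enabled those lines carry client addresses and looked-up names, so gate that attachment on a ui.yesno() prompt or say in the changelog that log content is attached unscrubbed (the changelog only covers the deliberately skipped attach_conffiles()). attach_related_packages() also names `bind9utils`, which the changelog above says became a transitional package in 1:9.16.1-2; mirror the dnsutils to bind9-dnsutils swap made in debian/tests/control and attach the real package instead. Finally, `from apport.hookutils import *` pulls the whole module namespace in; importing recent_syslog, attach_related_packages and attach_mac_events by name is clearer and is all the file uses.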
  2. Download patch debian/tests/control

    --- 1:9.16.2-3/debian/tests/control 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/tests/control 2020-05-22 12:52:13.000000000 +0000 @@ -1,4 +1,4 @@ Tests: simpletest Restrictions: needs-root, isolation-container Depends: bind9, - dnsutils + bind9-dnsutils
  3. Download patch debian/rules

    --- 1:9.16.2-3/debian/rules 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/rules 2020-05-22 12:52:13.000000000 +0000 @@ -29,7 +29,7 @@ SED_VERSION_EXTENSIONS := \ sed -e 's,^EXTENSIONS=,EXTENSIONS="$$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$$(dpkg-vendor --query Vendor)",' %: - dh $@ --with python3 + dh $@ --with python3,apport prepare_version_extensions: if [ ! -f version.bak ]; then \ @@ -60,7 +60,7 @@ override_dh_auto_configure: --with-openssl=/usr \ --with-gssapi=/usr \ --with-libidn2 \ - --with-libjson-c \ + --with-json-c \ --with-lmdb=/usr \ --with-gnu-ld \ --with-maxminddb \ @@ -69,7 +69,6 @@ override_dh_auto_configure: --enable-rrl \ --enable-filter-aaaa \ --disable-native-pkcs11 \ - --enable-dnstap \ $(EXTRA_FEATURES) override_dh_auto_build:
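Review bot: the changelog says d/rules stops installing dnstap.proto as well as not building dnstap, but the only rules change visible here is dropping `--enable-dnstap` from override_dh_auto_configure; if the 9.16.2-3 rules never installed dnstap.proto, drop that phrase from the changelog, otherwise the install hunk is missing. The same applies to the `d/libdns1104.symbols` entry: no symbols file appears among the ten modified files. For the `--with-libjson-c` to `--with-json-c` rename, confirm in the configure output that json-c is detected; an unrecognised configure option only produces a warning, so a misspelt flag would silently drop the feature rather than fail the build.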
  4. Download patch debian/NEWS

    --- 1:9.16.2-3/debian/NEWS 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/NEWS 2020-05-22 12:52:13.000000000 +0000 @@ -0,0 +1,24 @@ +bind9 (1:9.16.0-1ubuntu1) focal; urgency=medium + + Some packages like isc-dhcp do not build with bind 9.14 or higher, so a new + source package bind9-libs version 9.11 was created for that purpose, + providing only libraries and header files. The bind9 9.16.x packages do not + provide development libraries or headers. See commit + https://salsa.debian.org/dns-team/bind9-libs/commit/40cab7029d for more + details. udebs used in the debian-installer are also being provided by + bind9-libs. + + Another package which doesn't build with the newer bind9 package is + bind-dyndb-ldap. It will build using the libraries from bind9-libs, but + since this is a server plugin, it won't work with the newer server. + + Native pkcs#11 support via softhsm2 is no longer being built for this + package. This was first introduced in 1:9.10.3.dfsg.P4-8 (see + https://bugs.launchpad.net/bugs/1565392) for FreeIPA. Ubuntu Focal no longer + ships FreeIPA, and Debian also dropped the native pkcs#11 support. + + There are no development libraries or header files in this bind9 9.16.x + packaging at the moment. This may change later, see + https://gitlab.isc.org/isc-projects/bind9/merge_requests/3089#note_111229 + + -- Andreas Hasenack <andreas@canonical.com> Sat, 22 Feb 2020 17:40:38 -0300
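Review bot: the NEWS entry is headed `1:9.16.0-1ubuntu1 focal` while this upload is 1:9.16.2-3ubuntu1 for groovy. Keeping the original version on a carried-over entry is the usual convention, but apt-listchanges only shows NEWS entries newer than the installed version, so anyone upgrading from a 9.16.x focal package will never see it, and "Ubuntu Focal no longer ships FreeIPA" reads oddly in a groovy package. Either re-date the entry to this version or reword it so it is series-neutral.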
  5. Download patch debian/control

    --- 1:9.16.2-3/debian/control 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/control 2020-05-22 12:52:13.000000000 +0000 @@ -1,12 +1,14 @@ Source: bind9 Section: net Priority: optional -Maintainer: Debian DNS Team <team+dns@tracker.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org> Uploaders: Ondřej Surý <ondrej@debian.org>, Bernhard Schmidt <berni@debian.org> Build-Depends: bison, debhelper-compat (= 12), dh-apparmor, + dh-apport, dh-exec, dh-python, docbook-xml, @@ -15,20 +17,17 @@ Build-Depends: bison, libcmocka-dev, libdb-dev, libedit-dev, - libfstrm-dev, libidn2-dev, libjson-c-dev, libkrb5-dev, libldap2-dev, liblmdb-dev, libmaxminddb-dev (>= 1.3.0), - libprotobuf-c-dev, libssl-dev, libtool, libuv1-dev, libxml2-dev, pkg-config, - protobuf-c-compiler, python3, python3-ply, zlib1g-dev @@ -158,6 +157,7 @@ Description: Transitional package for bi Package: bind9-dnsutils Priority: standard Architecture: any +Multi-Arch: foreign Depends: bind9-host | host, bind9-libs (= ${binary:Version}), ${misc:Depends},
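Review bot: `Multi-Arch: foreign` on bind9-dnsutils is acceptable because the package is only consumed through its command-line tools (dig, nslookup, nsupdate, delv, mdig per the install file), not through libraries or headers; its own `bind9-libs (= ${binary:Version})` dependency is unaffected, since a foreign package still resolves its dependencies on its own architecture. The dh-apport build-dependency is Ubuntu-only and is what keeps this control file permanently divergent, hence the Maintainer/XSBC-Original-Maintainer swap; the three dropped dnstap build-dependencies, by contrast, match the `--enable-dnstap` removal in d/rules and could be restored if libfstrm and protobuf-c ever move to main.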
  6. Download patch debian/bind9-dnsutils.install

    --- 1:9.16.2-3/debian/bind9-dnsutils.install 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/bind9-dnsutils.install 2020-05-22 12:52:13.000000000 +0000 @@ -1,12 +1,10 @@ usr/bin/delv usr/bin/dig -usr/bin/dnstap-read usr/bin/mdig usr/bin/nslookup usr/bin/nsupdate usr/share/man/man1/delv.1 usr/share/man/man1/dig.1 -usr/share/man/man1/dnstap-read.1 usr/share/man/man1/mdig.1 usr/share/man/man1/nslookup.1 usr/share/man/man1/nsupdate.1
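Review bot: the changelog entry for this change says `d/dnsutils.install: don't install dnstap`, but the file modified is debian/bind9-dnsutils.install; fix the changelog so the next merger can find the hunk. Removing usr/bin/dnstap-read together with its man page is consistent with dropping `--enable-dnstap` in d/rules.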
  7. Download patch debian/tests/simpletest

    --- 1:9.16.2-3/debian/tests/simpletest 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/tests/simpletest 2020-05-22 12:52:13.000000000 +0000 @@ -10,10 +10,6 @@ setup() { run() { # Make a query against a local zone dig -x 127.0.0.1 @127.0.0.1 - - # Make a query against an external nameserver and check for DNSSEC validation - echo "Checking for DNSSEC validation status of internetsociety.org" - dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY' } teardown() {
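Review bot: deleting the internetsociety.org check removes the only assertion in run(); the remaining `dig -x 127.0.0.1 @127.0.0.1` exits 0 even when named answers SERVFAIL, so the test now only proves that the daemon is listening. Replace the external query with an assertion on the local answer, for example `dig +short -x 127.0.0.1 @127.0.0.1 | grep -q localhost` (assuming the default local reverse zone shipped with the package is loaded), or sign a throwaway local zone and check for the `ad` flag so DNSSEC validation is still exercised without network egress.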
  8. Download patch debian/patches/series

    --- 1:9.16.2-3/debian/patches/series 2020-04-23 09:45:43.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/patches/series 2020-05-22 12:52:13.000000000 +0000 @@ -1,2 +1,4 @@ 0001-Add_--install-layout=deb_to_setup.py_call.patch 0002-python-fix-for-dist-packages.patch +CVE-2020-8616.patch +CVE-2020-8617.patch
  9. Download patch debian/patches/CVE-2020-8616.patch

    --- 1:9.16.2-3/debian/patches/CVE-2020-8616.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/patches/CVE-2020-8616.patch 2020-05-22 12:52:13.000000000 +0000 
@@ -0,0 +1,137 @@ +Description: further limit the number of queries that can be triggered + from a request +Origin: provided by ISC + +diff --git a/lib/dns/adb.c b/lib/dns/adb.c +index a2800226d1..8df418d189 100644 +--- a/lib/dns/adb.c ++++ b/lib/dns/adb.c +@@ -440,6 +440,7 @@ log_quota(dns_adbentry_t *entry, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3); + #define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) + #define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) + #define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) ++#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) + + /* + * These are currently used on simple unsigned ints, so they are +@@ -3234,7 +3235,9 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + } else { + have_address = false; + } +- if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address)) { ++ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && ++ !FIND_NOFETCH(find)) ++ { + /* + * We're missing at least one address family. Either the + * caller hasn't instructed us to avoid fetches, or we don't +diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h +index 5895b5db3a..724f9b001a 100644 +--- a/lib/dns/include/dns/adb.h ++++ b/lib/dns/include/dns/adb.h +@@ -205,6 +205,10 @@ struct dns_adbfind { + * lame for this query. + */ + #define DNS_ADBFIND_OVERQUOTA 0x00000400 ++/*% ++ * Don't perform a fetch even if there are no address records available. ++ */ ++#define DNS_ADBFIND_NOFETCH 0x00000800 + + /*% + * The answers to queries come back as a list of these. 
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 645a3e12cb..7252b17dfa 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -183,6 +183,14 @@ + #define DEFAULT_MAX_QUERIES 75 + #endif /* ifndef DEFAULT_MAX_QUERIES */ + ++/* ++ * After NS_FAIL_LIMIT attempts to fetch a name server address, ++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, ++ * stop trying to fetch, in order to avoid wasting resources. ++ */ ++#define NS_FAIL_LIMIT 4 ++#define NS_RR_LIMIT 5 ++ + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS + #define RES_DOMAIN_BUCKETS 523 +@@ -3465,7 +3473,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { + static void + findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port, + unsigned int options, unsigned int flags, isc_stdtime_t now, +- bool *overquota, bool *need_alternate) { ++ bool *overquota, bool *need_alternate, unsigned int *no_addresses) { + dns_adbaddrinfo_t *ai; + dns_adbfind_t *find; + dns_resolver_t *res; +@@ -3562,6 +3570,9 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port, + { + *need_alternate = true; + } ++ if (no_addresses != NULL) { ++ (*no_addresses)++; ++ } + } else { + if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { + if (overquota != NULL) { +@@ -3616,6 +3627,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + dns_rdata_ns_t ns; + bool need_alternate = false; + bool all_spilled = true; ++ unsigned int no_addresses = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3792,8 +3804,13 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + continue; + } + ++ if (no_addresses > NS_FAIL_LIMIT && ++ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) ++ { ++ stdoptions |= DNS_ADBFIND_NOFETCH; ++ } + findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, +- &need_alternate); ++ &need_alternate, &no_addresses); + + if (!overquota) { + all_spilled = false; +@@ -3818,7 +3835,7 @@ 
fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (!a->isaddress) { + findname(fctx, &a->_u._n.name, a->_u._n.port, + stdoptions, FCTX_ADDRINFO_FORWARDER, +- now, NULL, NULL); ++ now, NULL, NULL, NULL); + continue; + } + if (isc_sockaddr_pf(&a->_u.addr) != family) { +@@ -4264,16 +4264,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { + return; + } + +- if (dns_name_countlabels(&fctx->domain) > 2) { +- result = isc_counter_increment(fctx->qc); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), +- "exceeded max queries resolving '%s'", +- fctx->info); +- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); +- return; +- } ++ result = isc_counter_increment(fctx->qc); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), ++ "exceeded max queries resolving '%s'", ++ fctx->info); ++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); ++ return; + } + + fctx_increference(fctx);
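Review bot: the DEP-3 header gives only `Origin: provided by ISC`, with no upstream commit, advisory URL or Bug-Ubuntu/Bug-Debian field; add the upstream reference so the patch can be matched against the 9.16 release that carries it and dropped cleanly on the next merge.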
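Review bot: in the resolver.c hunk in fctx_getaddresses, the new comment says fetching stops "after NS_FAIL_LIMIT attempts" when "the number of addresses in the NS RRset exceeds NS_RR_LIMIT", but the condition is `no_addresses > NS_FAIL_LIMIT` (strictly more than 4, so the fifth name server without addresses trips it) and `dns_rdataset_count(&fctx->nameservers)` counts NS records, not addresses. Reword the comment to match, e.g. "once more than NS_FAIL_LIMIT name servers have yielded no addresses and the NS RRset holds more than NS_RR_LIMIT records, stop fetching". Also note that DNS_ADBFIND_NOFETCH is OR'ed into stdoptions inside the loop and never cleared, so every remaining name server in that pass is looked up without fetching; that is presumably intended, but it deserves a one-line comment.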
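Review bot: the fctx_try hunk removes the `dns_name_countlabels(&fctx->domain) > 2` guard, so `isc_counter_increment(fctx->qc)` and its DEFAULT_MAX_QUERIES cap (75 in the context above) now apply to fetches whose authoritative domain is a TLD or the root as well. That is the cap this CVE needed, since the exemption is exactly what an attacker-controlled referral chain could lean on, but it is a behaviour change for operators who tuned max-recursion-queries on the assumption that short domains were never counted; worth a line in the changelog and d/NEWS.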
  10. Download patch debian/patches/CVE-2020-8617.patch

    --- 1:9.16.2-3/debian/patches/CVE-2020-8617.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.16.2-3ubuntu1/debian/patches/CVE-2020-8617.patch 2020-05-22 12:52:13.000000000 +0000 @@ -0,0 +1,27 @@ +Description: don't allow replaying a TSIG BADTIME response +Origin: provided by ISC + +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index 02a6775502..c940469520 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + goto cleanup_context; + } + msg->verified_sig = 1; +- } else if (tsig.error != dns_tsigerror_badsig && +- tsig.error != dns_tsigerror_badkey) ++ } else if (!response || (tsig.error != dns_tsigerror_badsig && ++ tsig.error != dns_tsigerror_badkey)) + { + tsig_log(msg->tsigkey, 2, "signature was empty"); + return (DNS_R_TSIGVERIFYFAILURE); +@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + } + } + +- if (tsig.error != dns_rcode_noerror) { ++ if (response && tsig.error != dns_rcode_noerror) { + msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) { + ret = DNS_R_CLOCKSKEW;
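Review bot: both hunks key on a `response` variable that this patch does not introduce, so it relies on dns_tsig_verify() already deriving it from the message's QR flag in the 9.16.2 source; make sure the patch is refreshed rather than fuzz-applied on the next merge. Logic-wise, the first hunk now fails verification for any request (`!response`) whose TSIG carries no MAC regardless of the error field, and the second only lets a response copy tsig.error into msg->tsigstatus, so a request carrying a BADTIME error code can no longer reach the DNS_R_CLOCKSKEW path; that is the replay the Description refers to, and saying "request versus response" there would make the intent clearer than "don't allow replaying a TSIG BADTIME response". As with the CVE-2020-8616 patch, the DEP-3 header needs the upstream commit or advisory reference.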