CVE-2021-25220: The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick.

Salvatore Bonaccorso authored Feb 15, 2021 and Ondrej Sury committed Apr 29, 2021

bind9 (1:9.11.5.P4+dfsg-5.1+deb10u3) buster-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * Buffer overflow in GSSAPI security policy negotiation (CVE-2020-8625)

Security fixes from 2020-08-20 (CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624)

See merge request !14

Gbp-Dch: Ignore

Closes: #966497

[CVE-2020-8619]: It was possible to trigger a INSIST when a zone with interior (non-leaf) wildcard label

Fix CVE-2019-6471

See merge request !5

Gbp-Dch: Ignore

Closes: #930746

Thanks: Steven Monai
Closes: #928398

This reverts commit 94c7cd6f.

Closes: #927827

Apparently used in the BIND9 DLZ Samba case

Add "k" (locking) to Samba/DLZ dns.keytab file
Fix path to smb.conf

Andreas Beckmann authored Mar 24, 2019 and Bernhard Schmidt committed Apr 02, 2019

In squeeze and earlier /etc/bind/named.conf.options was a conffile.
On upgrades from such a version dpkg will remember it as an obsolete
conffile with an outdated md5sum. Therefore we must not move it aside in
this case (which dpkg would take as a deletion by the local admin),
instead we edit it in place to match the to-be-installed version in
order to avoid prompting and make dpkg update the md5sum.

Closes: #905177