Bug#704218: unblock: bind9/1:9.8.4.dfsg.P1-6+nmu1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Release Team
Please unblock package bind9
Michael Gilbert uploaded bind9/1:9.8.4.dfsg.P1-6+nmu1 with fixes for
two CVEs:
bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
lookup for a record with an A record overwrite rule in a Response Policy
Zone (closes: #699145).
* Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
Could these changes be unblocked for wheezy? Attached is the debdiff
produced against the current version in testing.
unblock bind9/1:9.8.4.dfsg.P1-6+nmu1
Thanks in advance and regards,
Salvatore
Base version: bind9_1:9.8.4.dfsg.P1-6 from testing
Target version: bind9_1:9.8.4.dfsg.P1-6+nmu1 from unstable
No hints in place.
Excuses:
bind9 (1:9.8.4.dfsg.P1-6 to 1:9.8.4.dfsg.P1-6+nmu1)
Maintainer: LaMont Jones
Too young, only 0 of 2 days old
Not touching package due to block request by freeze (contact debian-release if update is needed)
Updating bind9 fixes old bugs: #704174
Not considered
bin/named/query.c | 28 ++++++++++++++++++++++++++++
config.h.in | 3 ---
configure | 2 +-
configure.in | 2 +-
debian/changelog | 10 ++++++++++
5 files changed, 40 insertions(+), 5 deletions(-)
diff -u bind9-9.8.4.dfsg.P1/configure.in bind9-9.8.4.dfsg.P1/configure.in
--- bind9-9.8.4.dfsg.P1/configure.in
+++ bind9-9.8.4.dfsg.P1/configure.in
@@ -298,7 +298,7 @@
AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
[$ac_includes_default
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
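Review bot: Dropping `regex.h` from this `AC_CHECK_HEADERS` list appears to be the entire mitigation for CVE-2013-2266 in this upload, yet nothing marks the omission as deliberate. A later resync with upstream or a hand-edited header list could put the header back and quietly re-enable the regex code. A comment directly above the macro call would make the intent visible, for example `dnl regex.h deliberately not checked: HAVE_REGEX_H must stay undefined (CVE-2013-2266)`. This assumes every use of the regex functions is guarded by `HAVE_REGEX_H`, which the config.h.in hunk suggests but the diff does not show.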
diff -u bind9-9.8.4.dfsg.P1/config.h.in bind9-9.8.4.dfsg.P1/config.h.in
--- bind9-9.8.4.dfsg.P1/config.h.in
+++ bind9-9.8.4.dfsg.P1/config.h.in
@@ -289,9 +289,6 @@
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
/* Define to 1 if you have the `setegid' function. */
#undef HAVE_SETEGID
diff -u bind9-9.8.4.dfsg.P1/configure bind9-9.8.4.dfsg.P1/configure
--- bind9-9.8.4.dfsg.P1/configure
+++ bind9-9.8.4.dfsg.P1/configure
@@ -12862,7 +12862,7 @@
fi
-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
+for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
diff -u bind9-9.8.4.dfsg.P1/bin/named/query.c bind9-9.8.4.dfsg.P1/bin/named/query.c
--- bind9-9.8.4.dfsg.P1/bin/named/query.c
+++ bind9-9.8.4.dfsg.P1/bin/named/query.c
@@ -6136,6 +6136,7 @@
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
query_putrdataset(client, &sigrdataset);
+ rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
rpz_st->m.type, zone, rpz_st->p_name);
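Review bot: The added `rpz_st->q.is_zone = is_zone;` is only correct because it sits before `is_zone = ISC_TRUE;` on the next line, and nothing in the code says so. A comment such as `/* Save is_zone before forcing it; the DNS64 A retry restores it. */` would protect that ordering against a later reshuffle. The saved value is read back under `DNS_RPZ_REWRITTEN` in the later hunks of this file. If that flag can be set on a path that does not pass through this assignment, the restore would pick up a stale value; that cannot be confirmed from the lines shown. The enclosing function starts and ends outside the hunk.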
@@ -6513,6 +6514,15 @@
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64 = ISC_TRUE;
goto db_find;
}
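Review bot: This nine-line block is added verbatim three times (here and in the hunks at -6771 and -7271), so a future DNS64 retry path or a later fix applied to only one copy can let the three sites drift apart. Folding it into a small static helper that takes `client` and a pointer to `is_zone` would keep them in step. The call sites would still need to assign the local `rpz_st` if code after `db_find` reads it, which is not visible here. Within the block, the read of `rpz_st->q.is_zone` has to stay ahead of `rpz_st_clear(client)`; a short comment like `/* read the saved value before rpz_st_clear() */` would document that, assuming the clear touches the saved state. The enclosing function extends beyond the hunk on both sides.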
@@ -6771,6 +6781,15 @@
sigrdataset = NULL;
fname = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64 = ISC_TRUE;
goto db_find;
}
@@ -7271,6 +7290,15 @@
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64_exclude = dns64 = ISC_TRUE;
goto db_find;
}
diff -u bind9-9.8.4.dfsg.P1/debian/changelog bind9-9.8.4.dfsg.P1/debian/changelog
--- bind9-9.8.4.dfsg.P1/debian/changelog
+++ bind9-9.8.4.dfsg.P1/debian/changelog
@@ -1,3 +1,13 @@
+bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
+ lookup for a record with an A record overwrite rule in a Response Policy
+ Zone (closes: #699145).
+ * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
+
+ -- Michael Gilbert <mgilbert@debian.org> Fri, 29 Mar 2013 00:47:25 +0000
+
bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low
[Ben Hutchings]