Comment 1 Quality Assurance 2022-03-21 21:01:16 CET

--- mirror/ftp/pool/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u6A~5.0.0.202111011209.dsc
+++ apt/ucs_5.0-0-errata5.0-1/source/bind9_9.11.5.P4+dfsg-5.1+deb10u7A~5.0.1.202203212040.dsc
@@ -1,4 +1,4 @@
-1:9.11.5.P4+dfsg-5.1+deb10u6A~5.0.0.202111011209 [Mon, 01 Nov 2021 12:09:57 +0100] Univention builddaemon <buildd@univention.de>:
+1:9.11.5.P4+dfsg-5.1+deb10u7A~5.0.1.202203212040 [Mon, 21 Mar 2022 20:41:18 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-22478-build-bind-with-libdb4.8
@@ -18,6 +18,12 @@
     0016-Bug-46526-Fix-memory-leak
     0017-Bug-51786-fix-apparmor-profile
 
+1:9.11.5.P4+dfsg-5.1+deb10u7 [Mon, 14 Mar 2022 15:21:48 +0100] Ondřej Surý <ondrej@debian.org>:
+
+  * CVE-2021-25220: The rules for acceptance of records into the cache
+    have been tightened to prevent the possibility of poisoning if
+    forwarders send records outside the configured bailiwick.
+
 1:9.11.5.P4+dfsg-5.1+deb10u6 [Mon, 25 Oct 2021 13:42:31 +0200] Ondřej Surý <ondrej@debian.org>:
 
   * CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This

<http://piuparts.knut.univention.de/5.0-1/#5219390717509639471>

Comment 2 Philipp Hahn 2022-03-23 06:22:24 CET

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

ucr set dns/backend=ldap
systemctl restart bind9.service
journalctl -u univention-bind-ldap.service -u bind9.serivce
dig @localhost -p 7777 $(dnsdomainname) axfr
dig @localhost -p 53 $(dnsdomainname) axfr

ucr set dns/backend=samba4
systemctl restart bind9.service
journalctl -u bind9.serivce
dig @localhost -p 53 $(dnsdomainname) axfr

[5.0-1] b16b3c6992 Bug #54573: bind9 1:9.11.5.P4+dfsg-5.1+deb10u7A~5.0.1.202203212040
 doc/errata/staging/bind9.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comment 3 Julia Bremer 2022-03-23 14:14:50 CET

<https://errata.software-univention.de/#/?erratum=5.0x252>