Version in base suite: 9.3.4-2etch4 Version in overlay suite: (not present) Base version: bind9_9.3.4-2etch4 Target version: bind9_9.3.4-2etch5 Base file: /org/ftp.debian.org/ftp/pool/main/b/bind9/bind9_9.3.4-2etch4.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/bind9_9.3.4-2etch5.dsc bin/named/update.c | 8 ++++++-- bind9-9.3.4/CHANGES | 3 +++ bind9-9.3.4/debian/changelog | 9 +++++++++ bind9-9.3.4/version | 4 ++-- 4 files changed, 20 insertions(+), 4 deletions(-) diff -u bind9-9.3.4/debian/changelog bind9-9.3.4/debian/changelog --- bind9-9.3.4/debian/changelog +++ bind9-9.3.4/debian/changelog @@ -1,3 +1,12 @@ +bind9 (1:9.3.4-2etch5) oldstable-security; urgency=low + + [Internet Software Consortium, Inc] + + * A specially crafted update packet will cause named to exit. + CVE-2009-0696, CERT VU#725188. Closes: #538975 + + -- LaMont Jones Tue, 28 Jul 2009 23:35:53 -0600 + bind9 (1:9.3.4-2etch4) stable-security; urgency=high * Fix check of DSA_do_verify return value. diff -u bind9-9.3.4/version bind9-9.3.4/version --- bind9-9.3.4/version +++ bind9-9.3.4/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.26.2.17.2.31.4.1 2008/05/22 21:11:13 each Exp $ +# $Id: version,v 1.29.134.23.2.3 2009/07/28 13:57:27 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -10 +10 @@ -RELEASEVER=1.1 +RELEASEVER=1.2 diff -u bind9-9.3.4/CHANGES bind9-9.3.4/CHANGES --- bind9-9.3.4/CHANGES +++ bind9-9.3.4/CHANGES @@ -1,4 +1,7 @@ +2640. [security] A specially crafted update packet will cause named + to exit. [RT #20000] + 2375. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949] only in patch2: unchanged: --- bind9-9.3.4.orig/bin/named/update.c +++ bind9-9.3.4/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */ +/* $Id: update.c,v 1.109.18.27.4.1 2009/07/28 13:57:27 marka Exp $ */ #include 
@@ -859,7 +859,11 @@ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) covers = dns_rdata_covers(&t->rdata); - else + else if (type == dns_rdatatype_any) { + dns_db_detachnode(db, &node); + dns_diff_clear(&trash); + return (DNS_R_NXRRSET); + } else covers = 0; /*
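Review bot: In debian/changelog, the new 1:9.3.4-2etch5 entry is marked urgency=low although its only item is "A specially crafted update packet will cause named to exit" with a CVE and a CERT VU number attached. The 2etch4 entry directly below it uses urgency=high for its security fix. Suggest urgency=high here too, or a line in the entry explaining why low is intended.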
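Review bot: In bin/named/update.c at @@ -15,7 +15,7 @@, the $Id keyword is rewritten from revision 1.88.2.5.2.29 (2006/01/06) to 1.109.18.27.4.1 (2009/07/28), yet the only functional change this patch makes to the file is the single branch added at @@ -859. The header now claims a revision whose content this file does not carry, which misleads anyone later comparing the packaged source against upstream history. Suggest dropping this hunk from the backport and leaving the original $Id in place; the CHANGES entry 2640 and the changelog already record the fix.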
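Review bot: In bin/named/update.c at @@ -859,7 +859,11 @@, the new "else if (type == dns_rdatatype_any)" branch carries no comment saying why type ANY must be rejected at this point or why DNS_R_NXRRSET is the right result, even though this is the whole of the fix for CVE-2009-0696. Suggest a short comment above the branch naming change 2640 and stating the condition being refused, so the check is not removed later as dead code. Two smaller points on the same lines: the branch hand-writes its cleanup (dns_db_detachnode on node, dns_diff_clear on trash) before returning, and the context shown does not let a reader confirm that these are the only resources held here, so please check it against the other early returns in this function. The chain also now mixes an unbraced if, a braced else if and an unbraced "else covers = 0;", and bracing all three arms would make the control flow harder to misread. A regression test that sends an update with a type ANY record reaching this path and asserts that named stays up would be worth adding alongside.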