Michael Gilbert <mgilbert@debian.org> (2015-02-18): > package: release.debian.org > user: release.debian.org@packages.debian.org > usertags: unblock > severity: normal > x-debbugs-cc: debian-boot@lists.debian.org > > Please consider unblocking bind9. It fixes a new security issue. > > unblock bind9/9.9.5.dfsg-9 > unblock-udeb bind9/9.9.5.dfsg-9 > diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog > --- bind9-9.9.5.dfsg/debian/changelog > +++ bind9-9.9.5.dfsg/debian/changelog > @@ -1,3 +1,10 @@ > +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high > + > + * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only > + affecting setups using DNSSEC (closes: #778733). > + > + -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Feb 2015 03:42:21 +0000 > + > bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium > > * Launch rndc command in the background in networking scripts to avoid a > only in patch2: > unchanged: > --- bind9-9.9.5.dfsg.orig/lib/dns/zone.c > +++ bind9-9.9.5.dfsg/lib/dns/zone.c > @@ -8496,6 +8496,12 @@ > namebuf, tag); > trustkey = ISC_TRUE; > } > + } else { > + /* > + * No previously known key, and the key is not > + * secure, so skip it. > + */ > + continue; > } > > /* Delete old version */ > @@ -8544,7 +8550,7 @@ > trust_key(zone, keyname, &dnskey, mctx); > } > > - if (!deletekey) > + if (secure && !deletekey) > set_refreshkeytimer(zone, &keydata, now); > } No objection on my side, but let's give BSD folks a heads-up since isc-dhcp-client-udeb depends on bind9's udebs. Mraw, KiBi.
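Review bot: the new else branch in the lib/dns/zone.c hunk at @@ -8496,6 +8496,12 @@ drops the key with a bare `continue` and emits no message, whereas the branch just above it ends what looks like a log call with `namebuf, tag);`. A debug-level message naming the key and tag on this path would let an operator see why a key was ignored during a managed key rollover. Because the `continue` sits ahead of `/* Delete old version */`, please also confirm that nothing set up earlier in the loop iteration relies on the skipped remainder of the body for cleanup.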
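Review bot: the changed test `if (secure && !deletekey)` in the lib/dns/zone.c hunk at @@ -8544,7 +8550,7 @@ carries no comment explaining why set_refreshkeytimer() is now skipped when `secure` is false. A one-line comment above the condition would document the intent, and it is worth stating how the refresh timer gets scheduled on the non-secure path, since the visible lines only show the call being removed for that case.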