Michael Gilbert <mgilbert@debian.org> (2015-02-18):
> package: release.debian.org
> user: release.debian.org@packages.debian.org
> usertags: unblock
> severity: normal
> x-debbugs-cc: debian-boot@lists.debian.org
>
> Please consider unblocking bind9. It fixes a new security issue.
>
> unblock bind9/9.9.5.dfsg-9
> unblock-udeb bind9/9.9.5.dfsg-9
> diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
> --- bind9-9.9.5.dfsg/debian/changelog
> +++ bind9-9.9.5.dfsg/debian/changelog
> @@ -1,3 +1,10 @@
> +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
> +
> + * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
> + affecting setups using DNSSEC (closes: #778733).
> +
> + -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Feb 2015 03:42:21 +0000
> +
> bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
>
> * Launch rndc command in the background in networking scripts to avoid a
> only in patch2:
> unchanged:
> --- bind9-9.9.5.dfsg.orig/lib/dns/zone.c
> +++ bind9-9.9.5.dfsg/lib/dns/zone.c
> @@ -8496,6 +8496,12 @@
> namebuf, tag);
> trustkey = ISC_TRUE;
> }
> + } else {
> + /*
> + * No previously known key, and the key is not
> + * secure, so skip it.
> + */
> + continue;
> }
>
> /* Delete old version */
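Review bot: the new `else` branch drops the key with a bare `continue` and logs nothing, so an operator has no way to see why a key was ignored during a rollover. Consider emitting a log message there that names the key (the branch just above ends a call that takes `namebuf, tag`, which would fit). Since the `continue` also bypasses the "Delete old version" step and everything after it, please confirm that nothing set up earlier in the iteration needs to be released before skipping.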
> @@ -8544,7 +8550,7 @@
> trust_key(zone, keyname, &dnskey, mctx);
> }
>
> - if (!deletekey)
> + if (secure && !deletekey)
> set_refreshkeytimer(zone, &keydata, now);
> }
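Review bot: the added `secure` test in `if (secure && !deletekey)` has no comment, unlike the first hunk, so the code does not record why a non-secure key must not reach `set_refreshkeytimer()`. A one-line comment above the condition would cover it. It would also help to state which cases still arrive here with `secure` false now that the earlier branch skips keys with no previously known key.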
No objection on my side, but let's give BSD folks a heads-up since
isc-dhcp-client-udeb depends on bind9's udebs.
Mraw,
KiBi.