[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Supporting unbound in stretch by upgrading to 1.9

Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds:
> I would be OK with promoting an unbound package based on 1.9.6-2 (the
> last 1.9.x package) to buster, if that's OK with the release team.

Hello Robert,

As you know we have had a request from users to "resurrect" unbound in Debian 9
"Stretch". We have discussed several options internally and we came to the
conclusion that we can just backport the current version of unbound in Buster
and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of
reverse-dependencies we have decided to introduce a new source package called
unbound1.9 which takes over the binary packages unbound, unbound-anchor,
unbound-host and libunbound8. This allows us to avoid rebuilding reverse-
dependencies of libunbound2 in Stretch which is not necessary because they are
not affected by the reported security vulnerabilities. You also don't have to
feel responsible for those changes because we track them in a different source

So far the users in Stretch can't reproduce the reported instability bugs in
Buster and everything looks fine. Therefore we intend to maintain the 1.9.0
version and apply patches on top of it, if necessary.

In order to fix those bugs in Debian 10 "Buster" we could upgrade to the latest
version in the 1.9.x series. The bug reporters claimed that version 1.9.2 or
1.9.3 would fix it for them. 

I have prepared a new release for Buster and uploaded it to


In my opinion we should let those bug reporters test the update. If this is
successful we should try to get this into the next buster point update.

What are your thoughts?




Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: