Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds: [...] > I would be OK with promoting an unbound package based on 1.9.6-2 (the > last 1.9.x package) to buster, if that's OK with the release team. Hello Robert, As you know we have had a request from users to "resurrect" unbound in Debian 9 "Stretch". We have discussed several options internally and we came to the conclusion that we can just backport the current version of unbound in Buster and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of reverse-dependencies we have decided to introduce a new source package called unbound1.9 which takes over the binary packages unbound, unbound-anchor, unbound-host and libunbound8. This allows us to avoid rebuilding reverse- dependencies of libunbound2 in Stretch which is not necessary because they are not affected by the reported security vulnerabilities. You also don't have to feel responsible for those changes because we track them in a different source package. So far the users in Stretch can't reproduce the reported instability bugs in Buster and everything looks fine. Therefore we intend to maintain the 1.9.0 version and apply patches on top of it, if necessary. In order to fix those bugs in Debian 10 "Buster" we could upgrade to the latest version in the 1.9.x series. The bug reporters claimed that version 1.9.2 or 1.9.3 would fix it for them. I have prepared a new release for Buster and uploaded it to https://people.debian.org/~apo/buster/unbound/ In my opinion we should let those bug reporters test the update. If this is successful we should try to get this into the next buster point update. What are your thoughts? Regards, Markus
Attachment:
signature.asc
Description: This is a digitally signed message part