Re: Supporting unbound in stretch by upgrading to 1.9
Markus Koschany wrote:
> Am Mittwoch, den 20.01.2021, 04:32 -0500 schrieb Robert Edmonds:
> > I would be OK with promoting an unbound package based on 1.9.6-2 (the
> > last 1.9.x package) to buster, if that's OK with the release team.
> Hello Robert,
> As you know we have had a request from users to "resurrect" unbound in Debian 9
> "Stretch". We have discussed several options internally and we came to the
> conclusion that we can just backport the current version of unbound in Buster
> and apply the patch to fix CVE-2020-28935. In order to avoid rebuilds of
> reverse-dependencies we have decided to introduce a new source package called
> unbound1.9 which takes over the binary packages unbound, unbound-anchor,
> unbound-host and libunbound8. This allows us to avoid rebuilding reverse-
> dependencies of libunbound2 in Stretch which is not necessary because they are
> not affected by the reported security vulnerabilities. You also don't have to
> feel responsible for those changes because we track them in a different source
> So far the users in Stretch can't reproduce the reported instability bugs in
> Buster and everything looks fine. Therefore we intend to maintain the 1.9.0
> version and apply patches on top of it, if necessary.
> In order to fix those bugs in Debian 10 "Buster" we could upgrade to the latest
> version in the 1.9.x series. The bug reporters claimed that version 1.9.2 or
> 1.9.3 would fix it for them.
> I have prepared a new release for Buster and uploaded it to
> In my opinion we should let those bug reporters test the update. If this is
> successful we should try to get this into the next buster point update.
> What are your thoughts?
I'm OK with both of these plans.
For the proposed 1.9.6 buster update, can you send me git commits based