Re: Supporting unbound in stretch by upgrading to 1.9

To: Markus Koschany <apo@debian.org>
Cc: debian-lts <debian-lts@lists.debian.org>, team <team@security.debian.org>
Subject: Re: Supporting unbound in stretch by upgrading to 1.9
From: Robert Edmonds <edmonds@debian.org>
Date: Thu, 11 Feb 2021 21:20:01 -0500
Message-id: <[🔎] YCXl0aO6deQfP8Di@mycre.ws>
In-reply-to: <[🔎] d1fee235823e53860fb170b3d8ab920fde2ad631.camel@debian.org>
References: <240f6cd3-77b0-2a24-ac14-99e7af98179b@beuc.net> <YAex8kxx0iJVyyxs@mycre.ws> <YAftVdSpPGsBL7/o@t14-buxy.home.ouaza.com> <YAf4rcX+8/UA5Hui@mycre.ws> <[🔎] 80e11f170c176d09c2b08b0826d597cc737c1cea.camel@debian.org> <[🔎] YB84XqgWM9HHcqJf@mycre.ws> <[🔎] d1fee235823e53860fb170b3d8ab920fde2ad631.camel@debian.org>

Markus Koschany wrote:
> Hi Robert,
> 
> Am Samstag, den 06.02.2021, 19:46 -0500 schrieb Robert Edmonds:
> [...]
> > Hi, Markus:
> > 
> > I'm OK with both of these plans.
> > 
> > For the proposed 1.9.6 buster update, can you send me git commits based
> > against
> > https://salsa.debian.org/dns-team/unbound/-/tree/branches/1.9.0-2_deb10
> > ?
> > 
> > Thanks!
> 
> I have opened a merge request on salsa for the 1.9.6 update.
> 
> Cheers,
> 
> Markus

OK, I created a new unbound branch based on that:

https://salsa.debian.org/dns-team/unbound/-/commits/branches/1.9.6-0_deb10

    $ git shortlog branches/1.9.0-2_deb10..branches/1.9.6-0_deb10
    Markus Koschany (1):
          Apply NLnet Labs patch for CVE-2020-28935 (Closes: #977165)

    Robert Edmonds (11):
          New upstream version 1.9.3~rc1
          New upstream version 1.9.3
          New upstream version 1.9.4
          New upstream version 1.9.6
          debian/source/options: Remove "single-debian-patch" option
          Revert "debian/source/patch-header: Add patch header for "single-debian-patch" mode"
          Revert "Apply NLnet Labs patch for CVE-2019-16866 (Closes: #941692)"
          Revert "Apply NLnet Labs patch for CVE-2020-12662, CVE-2020-12663"
          Merge tag 'upstream/1.9.6'
          Re-apply NLnet Labs patch for CVE-2020-12662, CVE-2020-12663
          debian/changelog: 1.9.6-0+deb10u0

I built it and uploaded it here:

https://people.debian.org/~edmonds/unbound/1.9.6-0+deb10u0/

The /usr/sbin/unbound binary is identical (same hash) to the binary in
the package you built at https://people.debian.org/~apo/buster/unbound/.

I removed the "single-debian-patch" source option because it makes it
hard to understand what is in the combined Debian patch looking just at
the source package, especially now that we're dealing with multiple
security patches. (I also removed it from the main branch a while back,
sometime after the buster release.)

I asked the reporter of #962459 to see if they can test the candidate
package here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962459#42

The candidate unbound package is now running on two of my buster
machines serving DNS at two small sites (30-40+ devices) for testing
purposes.

-- 
Robert Edmonds
edmonds@debian.org

Reply to:

Follow-Ups:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Robert Edmonds <edmonds@debian.org>
- Re: Supporting unbound in stretch by upgrading to 1.9
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: Support for insecure applications
Next by Date: Re: Supporting unbound in stretch by upgrading to 1.9
Previous by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Next by thread: Re: Supporting unbound in stretch by upgrading to 1.9
Index(es):
- Date
- Thread