Hello,

On Sun 31 Mar 2024 at 09:51pm +08, Sean Whitton wrote:

> I've started looking at the first vulnerability, CVE-2023-4408, and have
> some confusions/questions.
>
> The ISC website says that 9.11 is EOL as of March 2022. But there is a lot
> of activity on the 9.11 branch, including a fix for this CVE. Are we
> generally able to assume that changes are intended not to break anything
> for users?
>
> For example, commit 2fc28056b3 is a backport of API changes, and I can
> do the work to *confirm* that they don't appear to break anything for
> users, but I wouldn't like to rely on my own *discovery* as to whether
> they might break anything.
>
> At any point did you consider just backporting snapshots of upstream's
> 9.11 branch into LTS? Do you know if any other vendors do that? I'm
> wondering if, on balance, that might be safest -- if, that is, upstream
> are indeed not intending to break anything.
>
> Finally, do you have any notes on testing?

Some follow-up.

- Looks like backporting the old branches is what's done in bullseye and
  bookworm; do you know of some reason we're not doing this for buster too?

- CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
  DNSSEC. The fix for CVE-2023-50387 is large, and I am not sure there is
  one for CVE-2023-50868 for bind-9.11. I think that these fixes are too
  intrusive to fix by backporting, unless we decide to start backporting
  whole upstream 9.11.y releases. Would you agree?

-- 
Sean Whitton