
Re: bind9 LTS



Hi Sean


On Sun, 31 Mar 2024 at 16:13, Sean Whitton <spwhitton@spwhitton.name> wrote:
>
> Hello,
>
> On Sun 31 Mar 2024 at 09:51pm +08, Sean Whitton wrote:
>
> > I've started looking at the first vulnerability, CVE-2023-4408, and have
> > some confusions/questions.
> >
> > The ISC website says that 9.11 is EOL as of March 2022.  But there is a lot
> > of activity on the 9.11 branch, including a fix for this CVE.  Are we
> > generally able to assume that changes are intended not to break anything
> > for users?

I guess you are referring to the git branch here and not the released packages.
Interesting.

> > For example, commit 2fc28056b3 is a backport of API changes, and I can
> > do the work to *confirm* that they don't appear to break anything for
> > users, but I wouldn't like to rely on my own *discovery* as to whether
> > they might break anything.
> >
> > At any point did you consider just backporting snapshots of upstream's
> > 9.11 branch into LTS?  Do you know if any other vendors do that?  I'm
> > wondering if, on balance, that might be safest -- if, that is, upstream
> > are indeed not intending to break anything.

Using a snapshot version sounds a little risky. It may be a way
forward, but we need to be careful.

> > Finally, do you have any notes on testing?
>
> Some follow-up.
>
> - looks like backporting the old branches is what's done in bullseye and
>   bookworm; do you know of some reason we're not doing this for buster too?

See the other mail thread. We risk breaking things since we go from
9.11 to 9.16. I think this is still worth investigating since bind9 is
a well written piece of software, but here we need to weigh the risk of
breaking things and compare that to the severity of the problems.

> - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
>   DNSSEC.  The fix for CVE-2023-50387 is large, and I am not sure
>   there is one for CVE-2023-50868 for bind-9.11.

DoS for bind9 is problematic.

>   I think that these fixes are too intrusive to fix by backporting,
>   unless we decide to start backporting whole upstream 9.11.y releases.
>   Would you agree?

Do you happen to have reference to specific commits to look at?
You seem to have that since you refer to them as too big to backport.

Thanks in advance

// Ola

>
> --
> Sean Whitton



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

