Re: bind9 LTS
- To: Sean Whitton <spwhitton@spwhitton.name>
- Cc: Roberto C. Sánchez <roberto@freexian.com>, debian-lts@lists.debian.org
- Subject: Re: bind9 LTS
- From: Adrian Bunk <bunk@debian.org>
- Date: Sat, 13 Apr 2024 14:17:06 +0300
- Message-id: <Zhppsn2Qp/HvmqaY@localhost>
- In-reply-to: <87a5mewkvh.fsf@melete.silentflame.com>
- References: <87r0g14mrp.fsf@melete.silentflame.com> <Zf6qEx1z3n1-6TjU@novelo> <Zf6roFm1wyuoeM_3@connexer.com> <87edbqwlv2.fsf@melete.silentflame.com> <87a5mewkvh.fsf@melete.silentflame.com>
On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote:
>...
> - looks like backporting the old branches is what's done in bullseye and
> bookworm; do you know of some reason we're not doing this for buster too?
bind9 in buster provides shared libraries,
with soversion changes in every release.
> - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
> DNSSEC. The fix for CVE-2023-50387 is large, and I am not sure
> there is one for CVE-2023-50868 for bind-9.11.
It's the same fix for both.
> I think that these fixes are too intrusive to fix by backporting,
> unless we decide to start backporting whole upstream 9.11.y releases.
>...
Fixing KeyTrap might be possible.
The change that breaks ABI looks unnecessary to me even when including
the commit that introduces it, which might anyway not be desirable since
it might break existing setups.
Testing everything really carefully is surely the hardest part.
> Sean Whitton
cu
Adrian