
Re: bind9 LTS



On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote:
>...
> - looks like backporting the old branches is what's done in bullseye and
>   bookworm; do you know of some reason we're not doing this for buster too?

bind9 in buster provides shared libraries,
with soversion changes in every release.

> - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
>   DNSSEC.  The fix for CVE-2023-50387 is large, and I am not sure
>   there is one for CVE-2023-50868 for bind-9.11.

It's the same fix for both.

>   I think that these fixes are too intrusive to fix by backporting,
>   unless we decide to start backporting whole upstream 9.11.y releases.
>...

Fixing KeyTrap might be possible.

The change that breaks ABI looks unnecessary to me even when including 
the commit that introduces it, which might anyway not be desirable since 
it might break existing setups.

Testing everything really carefully is surely the hardest part.

> Sean Whitton

cu
Adrian

