
Re: bind9 LTS



Hi Adrian

On Sat, 13 Apr 2024 at 13:33, Adrian Bunk <bunk@debian.org> wrote:
>
> On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote:
> >...
> > - looks like backporting the old branches is what's done in bullseye and
> >   bookworm; do you know of some reason we're not doing this for buster too?
>
> bind9 in buster provides shared libraries,
> with soversion changes in every release.

That is a bummer. That will not work. I'll look at backporting patches.

> > - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
> >   DNSSEC.  The fixes for CVE-2023-50387 are large, and I am not sure
> >   there is one for CVE-2023-50868 for bind-9.11.
>
> It's the same fix for both.

Do you mean that these fixes mentioned in CVE-2023-50387 also solve
CVE-2023-50686?

https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
(v9.16.48)

> >   I think that these fixes are too intrusive to fix by backporting,
> >   unless we decide to start backporting whole upstream 9.11.y releases.
> >...
>
> Fixing KeyTrap might be possible.
>
> The change that breaks ABI looks unnecessary to me even when including
> the commit that introduces it, which might anyway not be desirable since
> it might break existing setups.

Which specific commit are you referring to now?

> Testing everything really carefully is surely the hardest part.

Yes.

From the 9.11 repo I have (so far) found the following commits to use:
https://gitlab.isc.org/isc-projects/bind9/-/commit/8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34
https://gitlab.isc.org/isc-projects/bind9/-/commit/75faeefcab47e4f1e12b358525190b4be90f97de
https://gitlab.isc.org/isc-projects/bind9/-/commit/db083a21726300916fa0b9fd8a433a796fedf636
https://gitlab.isc.org/isc-projects/bind9/-/commit/b38552cca7200a72658e482f8407f57516efc5db

I have not tried to apply them yet.

Cheers

// Ola

> > Sean Whitton
>
> cu
> Adrian
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

