Re: bind9 LTS
Hi Adrian
On Sat, 13 Apr 2024 at 13:33, Adrian Bunk <bunk@debian.org> wrote:
>
> On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote:
> >...
> > - looks like backporting the old branches is what's done in bullseye and
> > bookworm; do you know of some reason we're not doing this for buster too?
>
> bind9 in buster provides shared libraries,
> with soversion changes in every release.
That is a bummer. That will not work. I'll look at backporting patches.
> > - CVE-2023-50387 and CVE-2023-50868 are both DoS vulnerabilities for
> > DNSSEC. The fixes for CVE-2023-50387 are large, and I am not sure
> > there is one for CVE-2023-50868 for bind-9.11.
>
> It's the same fix for both.
Do you mean that these fixes mentioned in CVE-2023-50387 also solve
CVE-2023-50686?
https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/6a65a425283d70da86bf732449acd6d7c8dec718
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/3d206e918b3efbc20074629ad9d99095fbd2e5fd
(v9.16.48)
https://gitlab.isc.org/isc-projects/bind9/-/commit/a520fbc0470a0d6b72db6aa0b8deda8798551614
(v9.16.48)
> > I think that these fixes are too intrusive to fix by backporting,
> > unless we decide to start backporting whole upstream 9.11.y releases.
> >...
>
> Fixing KeyTrap might be possible.
>
> The change that breaks ABI looks unnecessary to me even when including
> the commit that introduces it, which might anyway not be desirable since
> it might break existing setups.
Which specific commit are you referring to now?
> Testing everything really carefully is surely the hardest part.
Yes.
From the 9.11 repo I have (so far) found the following commits to use:
https://gitlab.isc.org/isc-projects/bind9/-/commit/8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34
https://gitlab.isc.org/isc-projects/bind9/-/commit/75faeefcab47e4f1e12b358525190b4be90f97de
https://gitlab.isc.org/isc-projects/bind9/-/commit/db083a21726300916fa0b9fd8a433a796fedf636
https://gitlab.isc.org/isc-projects/bind9/-/commit/b38552cca7200a72658e482f8407f57516efc5db
I have not tried to apply them yet.
Cheers
// Ola
> > Sean Whitton
>
> cu
> Adrian
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------