Re: bind9 LTS

To: Sean Whitton <spwhitton@spwhitton.name>
Cc: debian-lts@lists.debian.org
Subject: Re: bind9 LTS
From: Ola Lundqvist <ola@inguza.com>
Date: Fri, 19 Apr 2024 07:54:58 +0200
Message-id: <[🔎] CABY6=0mErBiG07Yedda7vcXjgvY_7i_zz76qp8HVc-9uLb0Uqg@mail.gmail.com>
In-reply-to: <[🔎] CABY6=0kxts4SCtDqQYkGijq6JmgnnBbaBcjfgZNcNqHbFzfVyQ@mail.gmail.com>
References: <87r0g14mrp.fsf@melete.silentflame.com> <Zf6qEx1z3n1-6TjU@novelo> <Zf6roFm1wyuoeM_3@connexer.com> <87edbqwlv2.fsf@melete.silentflame.com> <87a5mewkvh.fsf@melete.silentflame.com> <[🔎] CABY6=0mZ-0CmPPC5EsRcPizSFOtFMLWSd-A6c-YenzZBZ=zWmQ@mail.gmail.com> <[🔎] 87o7ac8zc2.fsf@melete.silentflame.com> <[🔎] 87a5lw4lqz.fsf@melete.silentflame.com> <[🔎] CABY6=0kxts4SCtDqQYkGijq6JmgnnBbaBcjfgZNcNqHbFzfVyQ@mail.gmail.com>

Hi

I have now made the package build.

Cheers

// Ola

On Wed, 17 Apr 2024 at 23:20, Ola Lundqvist <ola@inguza.com> wrote:
>
> Hi Sean, all
>
> I'm starting to lean toward your idea, to release a snapshot version,
> but I have a concern about that.
> To me it looks like 9.11 track have actually an ABI change. It is not
> so visible but a data structure is changed to increase the size and
> I'm not 100% sure this is ABI compatible. I could be wrong.
>
> In any case, the work effort needed to fix the current CVEs is large.
> Considering the size of the changes there is quite a significant risk
> in backporting. The patches are large and rather intrusive. I see a
> significant risk in breaking something regardless whether we take the
> snapshot version or backport individual things.
>
> In any case I have found out the following:
> - The correction for CVE-2023-4408 is intrusive. This is where I think
> we have a potential ABI change. There is an API backport and if the
> API changes the ABI is likely to change too. But maybe it is not. I'm
> not an expert on bind9. The total size of this patch is over 3000
> lines so it is large.
> - The correction for CVE-2023-50868 and CVE-2023-50387 takes a lot of
> time to make. I have now waded through a lot of patch apply failures
> and fixed them all. I have fixed build failures in validator.c and I'm
> now working on task.c build failures. There are some potential ABI
> changes too, but I have not checked those details too much yet. This
> patch file is 677 lines long so it is quite large.
>
> Before I continue this path, I think I should ask you one thing. You
> mentioned that "applying 88ff84ae2a first" means less rebasing. But I
> do not find such a commit. I find the other ones, but not that one. Do
> you happen to have a copy? Maybe it can help me to reduce the work of
> fixing all build errors. There are quite a few and in task.c they will
> require quite a lot more.
>
> Also did you try to compile after you applied? Just checking to see if
> I can re-use some of your work.
>
> Thank you in advance.
>
> Cheers
>
> // Ola
>
> On Sun, 14 Apr 2024 at 06:22, Sean Whitton <spwhitton@spwhitton.name> wrote:
> >
> > Hello,
> >
> > On Sun 14 Apr 2024 at 10:14am +08, Sean Whitton wrote:
> >
> > > Hello,
> > >
> > > On Sat 13 Apr 2024 at 10:04am +02, Ola Lundqvist wrote:
> > >
> > >> Do you happen to have reference to specific commits to look at?
> > >> You seem to have that since you refer to them as too big to backport.
> > >
> > > Yes, here you go, hopefully this format is helpful:
> > >
> > >     * 92b4f88bc8..: Michał Kępień 2024-02-22 Merge branch
> > > '4234-use-hashmap-when-parsing-9.11' into 'bind-9.11'
> > >     |\
> > >     | * 1f9bbe1fe3..: Ondřej Surý 2024-02-11 Add a system test for mixed-case
> > >     | data for the same owner
> > >     | * 418b379359..: Ondřej Surý 2024-02-11 Fix case insensitive matching in
> > >     | isc_ht hash table implementation
> > >     | * c6026cbbaa..: Mark Andrews 2024-01-31 Apply various tweaks specific to BIND 9.11
> > >     | * bbbcaf8b2e..: Evan Hunt 2024-01-29 fix another message parsing regression
> > >     | * 98ab8c81cc..: Evan Hunt 2024-01-16 fix a message parsing regression
> > >     | * 1296d37687..: Matthijs Mekking 2023-11-14 Fix windows build, remove external symbols
> > >     | * 40a0656e6a..: Ondřej Surý 2023-10-11 Add CHANGES for [GL #4234]
> > >     | * 2fc28056b3..: Ondřej Surý 2023-10-11 Backport isc_ht API changes from BIND 9.18
> > >     | * 0ceed03ebe..: Ondřej Surý 2023-09-11 Use hashtable when parsing a message
> > >     |/
> >
> > I also found that applying 88ff84ae2a first means less rebasing.
> >
> > --
> > Sean Whitton
>
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  ola@inguza.com                    opal@debian.org            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: bind9 LTS
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

References:
- Re: bind9 LTS
  - From: Ola Lundqvist <ola@inguza.com>
- Re: bind9 LTS
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: bind9 LTS
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: bind9 LTS
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Next by Date: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Previous by thread: Re: bind9 LTS
Next by thread: Re: bind9 LTS
Index(es):
- Date
- Thread