
Bug#778734: marked as done (unblock: bind9/9.9.5.dfsg-9)



Your message dated Fri, 27 Feb 2015 18:52:11 +0100
with message-id <20150227175210.GA6127@ugent.be>
and subject line Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
has caused the Debian Bug report #778734,
regarding unblock: bind9/9.9.5.dfsg-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778734: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778734
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: release.debian.org
user: release.debian.org@packages.debian.org
usertags: unblock
severity: normal
x-debbugs-cc: debian-boot@lists.debian.org

Please consider unblocking bind9.  It fixes a new security issue.

unblock bind9/9.9.5.dfsg-9
unblock-udeb bind9/9.9.5.dfsg-9
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,10 @@
+bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
+
+  * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
+    affecting setups using DNSSEC (closes: #778733).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Thu, 19 Feb 2015 03:42:21 +0000
+
 bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
 
   * Launch rndc command in the background in networking scripts to avoid a
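Review bot: The new 1:9.9.5.dfsg-9 entry hedges twice with "primarily only affecting" and does not say where the fix lands. Since this diff changes lib/dns/zone.c, naming that file in the changelog line and trimming the wording to "primarily affecting" would make the security upload easier to audit.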
only in patch2:
unchanged:
--- bind9-9.9.5.dfsg.orig/lib/dns/zone.c
+++ bind9-9.9.5.dfsg/lib/dns/zone.c
@@ -8496,6 +8496,12 @@
 					     namebuf, tag);
 				trustkey = ISC_TRUE;
 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
 		}
 
 		/* Delete old version */
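Review bot: The new else branch at the top of this hunk skips the key with a bare `continue` and records nothing, while the branch just above it passes namebuf and tag to a call, so an operator gets no trace that a key was ignored. Consider emitting a debug-level message before the `continue`. The `continue` also bypasses the "Delete old version" step that follows and the later trust and timer handling. The governing `if` is outside the visible context, so the comment should state the exact condition that leads here, letting a reader confirm that skipping the delete is intended.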
@@ -8544,7 +8550,7 @@
 			trust_key(zone, keyname, &dnskey, mctx);
 		}
 
-		if (!deletekey)
+		if (secure && !deletekey)
 			set_refreshkeytimer(zone, &keydata, now);
 	}
 
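Review bot: The changed test `if (secure && !deletekey)` carries no comment explaining why set_refreshkeytimer() is now skipped when `secure` is false, and these lines do not show what schedules the next refresh for a key left in that state. A one-line comment above the test stating the intent would help, as would a regression test for the managed key rollover case named in the changelog; the diff as posted adds none.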

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Feb 27, 2015 at 01:11:50AM +0100, Cyril Brulebois wrote:
> Steven Chamberlain <steven@pyro.eu.org> (2015-02-26):
> > Cyril Brulebois wrote:
> > > No objection on my side, but let's give BSD folks a heads-up since
> > > isc-dhcp-client-udeb depends on bind9's udebs.
> > 
> > Thanks, the changes seem to only relate to authoritative DNS zones
> > though.  No foreseeable impact on ISC DHCP or d-i.
> 
> ACK, let's do that then.

Added unblock-udeb.

Cheers,

Ivo

--- End Message ---
