
Bug#873371: stretch-pu: package unbound/1.6.0-3+deb9u1



Control: block -1 by 873054

On Sun, 2017-08-27 at 01:25 -0400, Robert Edmonds wrote:
> There is a bug in the unbound package shipped in stretch (1.6.0-3) that
> will cause DNS resolution to fail on systems that install the unbound
> package between September 11 and October 11, 2017. The upstream
> developers have released 1.6.5 with a fix for this problem:
> 
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html
> 
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html
> 
> After discussing this issue with the security team, it was suggested
> that a fix be released via a stable point release, as well as being
> fast-tracked via the *-updates mechanism, due to the time component of
> the bug.

We're not going to be able to get a point release out before the 11th,
so that makes sense.

> Please see attached a debdiff for unbound 1.6.0-3+deb9u1
> containing the backported fix from upstream version 1.6.5.
> 
> Additionally, since new installs of the unbound package initialize the
> autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from
> a copy shipped in the dns-root-data package (/usr/share/dns/root.key),
> the dns-root-data package in stretch needs to be updated to transition
> the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The
> stretch-pu request for the dns-root-data package is #873054.)
> Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned
> dependency on the dns-root-data package that would be shipped in
> #873054.

That means that we'd also need to release dns-root-data via -updates,
otherwise most users won't be able to install the fixed unbound. It also
imposes an ordering on the p-u requests, so adding a blocking
relationship to indicate that.

I'm assuming that this also affects the unbound package shipping in
jessie currently? Are you planning on fixing the issue there as well?

Regards,

Adam

