[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#873371: marked as done (stretch-pu: package unbound/1.6.0-3+deb9u1)

Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #873371,
regarding stretch-pu: package unbound/1.6.0-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873371
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

There is a bug in the unbound package shipped in stretch (1.6.0-3) that
will cause DNS resolution to fail on systems that install the unbound
package between September 11 and October 11, 2017. The upstream
developers have released 1.6.5 with a fix for this problem:

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html

After discussing this issue with the security team, it was suggested
that a fix be released via a stable point release, as well as being
fast-tracked via the *-updates mechanism, due to the time component of
the bug. Please see attached a debdiff for unbound 1.6.0-3+deb9u1
containing the backported fix from upstream version 1.6.5.

Additionally, since new installs of the unbound package initialize the
autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from
a copy shipped in the dns-root-data package (/usr/share/dns/root.key),
the dns-root-data package in stretch needs to be updated to transition
the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The
stretch-pu request for the dns-root-data package is #873054.)
Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned
dependency on the dns-root-data package that would be shipped in
#873054.

Thanks!

-- 
Robert Edmonds
edmonds@debian.org

diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog
--- unbound-1.6.0/debian/changelog	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/changelog	2017-08-27 00:43:42.000000000 -0400
@@ -1,3 +1,14 @@
+unbound (1.6.0-3+deb9u1) stretch; urgency=high
+
+  * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+    when two anchors are present, makes both valid.  Checks hash of DS but
+    not signature of new key.  This fixes installs between sep11 and oct11
+    2017."
+  * debian/control: unbound: Add versioned dependency on dns-root-data (>=
+    2017072601~) for KSK-2017 in RFC 5011 state VALID.
+
+ -- Robert Edmonds <edmonds@debian.org>  Sun, 27 Aug 2017 00:43:42 -0400
+
 unbound (1.6.0-3) unstable; urgency=medium
 
   * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
diff -Nru unbound-1.6.0/debian/control unbound-1.6.0/debian/control
--- unbound-1.6.0/debian/control	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/control	2017-08-27 00:43:42.000000000 -0400
@@ -96,7 +96,7 @@
 Architecture: any
 Depends:
  adduser,
- dns-root-data,
+ dns-root-data (>= 2017072601~),
  openssl,
  unbound-anchor,
  ${misc:Depends},
diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes
--- unbound-1.6.0/debian/patches/debian-changes	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/patches/debian-changes	2017-08-27 00:43:42.000000000 -0400
@@ -5,12 +5,15 @@
  information below has been extracted from the changelog. Adjust it or drop
  it.
  .
- unbound (1.6.0-3) unstable; urgency=medium
+ unbound (1.6.0-3+deb9u1) stretch; urgency=high
  .
-   * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
-     20326 in unbound-anchor". (Closes: #855484)
+   * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+     when two anchors are present, makes both valid.  Checks hash of DS but
+     not signature of new key.  This fixes installs between sep11 and oct11
+     2017."
+   * debian/control: unbound: Add versioned dependency on dns-root-data (>=
+     2017072601~) for KSK-2017 in RFC 5011 state VALID.
 Author: Robert Edmonds <edmonds@debian.org>
-Bug-Debian: https://bugs.debian.org/855484
 
 ---
 The information above should follow the Patch Tagging Guidelines, please
@@ -23,7 +26,7 @@
 Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
 Forwarded: <no|not-needed|url proving that it has been forwarded>
 Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: 2017-02-20
+Last-Update: 2017-08-27
 
 --- unbound-1.6.0.orig/acx_python.m4
 +++ unbound-1.6.0/acx_python.m4
@@ -118,3 +121,25 @@
  		free($2);
  	}
  	;
+--- unbound-1.6.0.orig/validator/autotrust.c
++++ unbound-1.6.0/validator/autotrust.c
+@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match attempt failed");
+ 			continue;
+ 		}
++		/* match of hash is sufficient for bootstrap of trust point */
++		(void)reason;
++		(void)ve;
++		return 1;
++		/* no need to check RRSIG, DS hash already matched with source
+ 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
+ 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
+ 			return 1;
+@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match failed because the key "
+ 				"does not verify the keyset: %s", reason);
+ 		}
++		*/
+ 	}
+ 	return 0;
+ }

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 9.2

Hi.

The updates referenced by each of these bugs was included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
Reply to: