Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 05 Jun 2010 19:44:17 +0200
Message-id: <87aar9z6pw.fsf@mid.deneb.enyo.de>
Reply-to: debian-security@lists.debian.org
In-reply-to: <87sk524n7t.fsf@mid.deneb.enyo.de> (Florian Weimer's message of "Fri, 04 Jun 2010 21:22:30 +0200")
References: <87sk524n7t.fsf@mid.deneb.enyo.de>

* Florian Weimer:

> This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
> Because of the scope of changes, extra care is recommended when
> installing the update.  Due to ABI changes, new Debian packages are
> included, and the update has to be installed using "apt-get
> dist-upgrade" (or an equivalent aptitude command).

It turns out that there is an undeclared file conflict with packages
libisc50 and libdns53.  These packages were in unstable/testing at one
point, and made it into lenny-proposed-updates.  If you have not
updated to the most recent BIND packages in lenny-backports, the
package manager tries to install the version from security.debian.org,
leading to an installation error.

You can either update to bind9 1:9.7.0.dfsg.P1-1 via lenny-backports,
or remove the libisc50 and libdns53 packages, and install
1:9.6.ESV.R1+dfsg-0+lenny1 from security.debian.org.

Given that this scenario only affects a very limited number of users,
we do not plan to issue a corrective DSA.  We are sorry for the
inconvenience.

Thanks to Peter Palfrader for bringing this issue to my attention.
It is tracked in #584585.

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning
  - From: Florian Weimer <fw@deneb.enyo.de>

Next by Date: fixing CVE-2010-0395 for testing
Next by thread: Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning
Index(es):
- Date
- Thread