Your message dated Mon, 27 Jan 2020 04:34:29 +0000
with message-id <[email protected]>
and subject line Bug#919511: fixed in unbound 1.9.6-1
has caused the Debian Bug report #919511,
regarding unbound: apparmor enabled after systemd service started, thus not applied
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
919511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919511
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.8.1-1
Severity: important
Tags: security


The unbound package runs dh_apparmor too late, causing the generated postinst
to have dh_enable_systemd parts run first, which enable and start the service.

Because the process is already running, the parts added by dh_apparmor to load
the apparmor files have no effect until a manual service restart.

This means that, directly after install, unbound is not protected by apparmor;
a restart of the machine or service is required first. As this has security
implications, I chose the important severity.

The system info below is from Ubuntu, but I verified it on a Debian system.

-- System Information:
Debian Release: buster/sid
  APT prefers disco
  APT policy: (500, 'disco'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-13-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser         3.117ubuntu1
ii  dns-root-data   2018091102
ii  libc6           2.28-0ubuntu1
ii  libevent-2.1-6  2.1.8-stable-4build1
ii  libfstrm0       0.4.0-1
ii  libprotobuf-c1  1.3.1-1build1
ii  libpython3.7    3.7.2~rc1-1
ii  libssl1.1       1.1.1a-1ubuntu2
ii  libsystemd0     239-7ubuntu15
ii  lsb-base        9.20170808ubuntu1
ii  openssl         1.1.1a-1ubuntu2
ii  unbound-anchor  1.8.1-1

unbound recommends no packages.

Versions of packages unbound suggests:
ii  apparmor  2.12-4ubuntu10

-- no debconf information

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
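
The ordering problem described in the report above can be checked mechanically in a generated postinst. The script below is an added example, not part of the bug report or of the unbound packaging; the sample postinst bodies are constructed and simplified, PROFILE is a placeholder, and the list of helpers treated as starting the service is an assumption.

```shell
#!/bin/sh
# Added example: order check for debhelper sections in a postinst.
# Assumption: sections that start the service are those added by
# dh_systemd_start, dh_installinit or dh_installsystemd.

# Reads a postinst on stdin and prints one word:
#   ok   - dh_apparmor section comes before any service-start section
#   late - a service-start section comes first (the bug reported here)
#   none - the script has no dh_apparmor section
apparmor_order() {
    awk '
        /^# Automatically added by dh_apparmor/ { if (!aa) aa = NR }
        /^# Automatically added by dh_(systemd_start|installinit|installsystemd)/ {
            if (!svc) svc = NR
        }
        END {
            if (!aa) print "none"
            else if (svc && svc < aa) print "late"
            else print "ok"
        }'
}

# Constructed, simplified section bodies; PROFILE is a placeholder path.
section() {  # $1 = helper name, $2 = command the section runs
    printf '# Automatically added by %s\n%s || true\n' "$1" "$2"
    printf '# End automatically added section\n'
}
load_profile() { section dh_apparmor 'apparmor_parser -r -T -W PROFILE'; }
start_service() {
    section dh_systemd_enable 'deb-systemd-helper enable unbound.service'
    section dh_systemd_start 'deb-systemd-invoke start unbound.service'
}

sample_broken() { printf '#!/bin/sh\nset -e\n'; start_service; load_profile; }
sample_fixed()  { printf '#!/bin/sh\nset -e\n'; load_profile; start_service; }

for s in sample_broken sample_fixed; do
    printf '%s: %s\n' "$s" "$($s | apparmor_order)"
done
```

On an installed system the maintainer script to feed it is /var/lib/dpkg/info/unbound.postinst.
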
--- Begin Message ---
Source: unbound
Source-Version: 1.9.6-1

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Jan 2020 22:45:45 -0500
Source: unbound
Architecture: source
Version: 1.9.6-1
Distribution: unstable
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Robert Edmonds <[email protected]>
Closes: 910675 915056 919511 923314 930699 941573 946421 948036
Changes:
 unbound (1.9.6-1) unstable; urgency=medium
 .
   [ Robert Edmonds ]
   * New upstream version 1.9.6 (Closes: #948036)
     - Fixes 'unbound crashes with "Assertion nread >= 0 failed in
       evmap_io_del_"' (Closes: #930699)
     - Fixes "unbound: Fails to answer TCP queries due to broken idle-timeout"
       (Closes: #946421)
   * debian/source/options: Remove 'single-debian-patch' option
   * debian/unbound.service: Change ExecReload to send SIGHUP rather than
     using unbound-control (Closes: #923314)
   * Enable remote-control by default (Closes: #923314)
   * Allow use of libbsd functions with configure option --with-libbsd
   * Remove "qname-minimisation: yes" config file setting, since this is
     now the default (Closes: #915056)
   * debian/package-helper: No longer invoke unbound-anchor for root trust
     anchor update (Closes: #910675)
   * debian/control: Bump Standards-Version to 4.5.0 (no changes)
   * debian/control: Remove build dependencies on autotools-dev,
     dh-autoreconf
   * debian/libunbound8.symbols: Add "* Build-Depends-Package:
     libunbound-dev"
   * Rename debian/NEWS.Debian -> debian/NEWS
 .
   [ Matthew Palmer ]
   * Fix insecure use of start-stop-daemon --pidfile (Closes: #941573)
 .
   [ Simon Deziel ]
   * Install Apparmor profile prior to service startup (Closes: #919511)
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Drop use of autotools-dev debhelper.
   * Bump debhelper from old 9 to 10.
   * Set field Upstream-Name in debian/copyright.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
