Bug#820974: marked as done (does not start chrooted, ENGINE_by_id failed (crypto failure))

Tue, 07 Feb 2017 03:37:00 -0800 

Your message dated Tue, 07 Feb 2017 11:33:32 +0000
with message-id <[email protected]>
and subject line Bug#820974: fixed in bind9 1:9.10.3.dfsg.P4-11.1
has caused the Debian Bug report #820974,
regarding does not start chrooted, ENGINE_by_id failed (crypto failure)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
820974: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: bind9
Version: 1:9.10.3.dfsg.P4-8
Severity: important

Hi,

bind9 in unstable does not run at all:

Apr 14 10:05:32 fan named[8795]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f 
-u bind -t /var/local/chroot/bind
Apr 14 10:05:32 fan named[8795]: built with '--prefix=/usr' 
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-aaaa' '--enable-native-pkcs11' 
'--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security 
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time 
-D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE'
Apr 14 10:05:32 fan named[8795]: 
----------------------------------------------------
Apr 14 10:05:32 fan named[8795]: BIND 9 is maintained by Internet Systems 
Consortium,
Apr 14 10:05:32 fan named[8795]: Inc. (ISC), a non-profit 501(c)(3) 
public-benefit
Apr 14 10:05:32 fan named[8795]: corporation.  Support and training for BIND 9 
are
Apr 14 10:05:32 fan named[8795]: available at https://www.isc.org/support
Apr 14 10:05:32 fan named[8795]: 
----------------------------------------------------
Apr 14 10:05:32 fan named[8795]: adjusted limit on open files from 4096 to 
1048576
Apr 14 10:05:32 fan named[8795]: found 6 CPUs, using 6 worker threads
Apr 14 10:05:32 fan named[8795]: using 3 UDP listeners per interface
Apr 14 10:05:32 fan named[8795]: using up to 4096 sockets
Apr 14 10:05:32 fan named[8795]: ENGINE_by_id failed (crypto failure)
Apr 14 10:05:32 fan named[8795]: error:25070067:DSO support 
routines:DSO_load:could not load the shared library:dso_lib.c:233:
Apr 14 10:05:32 fan named[8795]: error:260B6084:engine 
routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
Apr 14 10:05:32 fan named[8795]: error:2606A074:engine routines:ENGINE_by_id:no 
such engine:eng_list.c:390:id=gost
Apr 14 10:05:32 fan named[8795]: initializing DST: crypto failure
Apr 14 10:05:32 fan named[8795]: exiting (due to fatal error)

This is a rather simple setup - recursor for a handful of VMs, a few
local zones, no DNSSEC, next to no load.

Going back to bind9 from jessie fixes the issue for me.

Greetings
Marc


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-rc5+ (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.114
ii  bind9utils             1:9.10.3.dfsg.P4-8
ii  debconf [debconf-2.0]  1.5.59
ii  init-system-helpers    1.29
ii  libbind9-140           1:9.10.3.dfsg.P4-8
ii  libc6                  2.22-6
ii  libcap2                1:2.24-12
ii  libcomerr2             1.43~WIP.2016.03.15-2
ii  libdns162              1:9.10.3.dfsg.P4-8
ii  libgeoip1              1.6.9-1
ii  libgssapi-krb5-2       1.13.2+dfsg-5
ii  libirs141              1:9.10.3.dfsg.P4-7
ii  libisc160              1:9.10.3.dfsg.P4-8
ii  libisccc140            1:9.10.3.dfsg.P4-8
ii  libisccfg140           1:9.10.3.dfsg.P4-8
ii  libk5crypto3           1.13.2+dfsg-5
ii  libkrb5-3              1.13.2+dfsg-5
ii  liblwres141            1:9.10.3.dfsg.P4-8
ii  libssl1.0.2            1.0.2g-1
ii  libxml2                2.9.3+dfsg1-1
ii  lsb-base               9.20160110
ii  net-tools              1.60+git20150829.73cef8a-2
ii  netbase                5.3

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-doc   1:9.10.3.dfsg.P4-7
ii  dnsutils    1:9.10.3.dfsg.P4-8
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/fan.keys";
controls {
  inet ::1
  allow { ::1; }
  keys { fan-rndc; };
};
acl ka51-nets {
        127.0.0.1;
        192.168.18.0/24;
        192.168.29.0/24;
        192.168.251.0/24;
        192.168.181.0/24;
        192.168.182.0/24;
        192.168.221.0/24;
        ::1;
        2a01:238:4071:3200::/56;
};
acl transfer-ips {
        127.0.0.1;
        ::1;
};
include "/etc/bind/named.conf.logging";
include "/etc/bind/conf/zones.conf";

/etc/bind/named.conf.options changed:
options {
        directory "/var/cache/bind";
        session-keyfile "/run/named/session.key";
        pid-file "/run/named/named.pid";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        forwarders {
                192.168.181.53;
                192.168.251.53;
                2a01:238:4071:328e::35:100;
                2a01:238:4071:3281::35:100;
        };
        forward only;
        
        
//========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        
//========================================================================
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-query {
                ka51-nets;
        };
       
        allow-recursion {
                ka51-nets;
        };
        
        allow-transfer {
                transfer-ips;
        };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: true

--- End Message ---
--- Begin Message --- 
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-11.1

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <[email protected]> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Feb 2017 10:42:00 +0100
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 
libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils 
lwresd libbind-export-dev libdns-export162 libdns-export162-udeb 
libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 
libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 
libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-11.1
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <[email protected]>
Changed-By: Arturo Borrero Gonzalez <[email protected]>
Description:
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 820974
Changes:
 bind9 (1:9.10.3.dfsg.P4-11.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Disable GOST to prevent ENGINE_by_id failed (crypto failure) in chroot.
     Patch by Marc Haber <[email protected]> (Closes: #820974).
Checksums-Sha1:
 d9f4bb269aba5ad082ad0fac7aeec4ab6ae09dc1 3783 bind9_9.10.3.dfsg.P4-11.1.dsc
 3687cad8dbfc0ed3ff31aeea92c7e7eaa43a123b 72900 
bind9_9.10.3.dfsg.P4-11.1.debian.tar.xz
Checksums-Sha256:
 78021cf2e0e8fcb99f9b56487aec75473206b8da05fc1cac73be1488d4baedb2 3783 
bind9_9.10.3.dfsg.P4-11.1.dsc
 b64222b3b5190cc77f382a3c03bc8d9ad65bdf5cd6151383e2bc1bc12d6bd689 72900 
bind9_9.10.3.dfsg.P4-11.1.debian.tar.xz
Files:
 cc49ae8ceeb0922f9d0ebde88cc4119d 3783 net optional 
bind9_9.10.3.dfsg.P4-11.1.dsc
 55ae67a41aafd4ea46063e72abb5f1bd 72900 net optional 
bind9_9.10.3.dfsg.P4-11.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEE3ZhhqyPcMzOJLgepaOcTmB0VFfgFAliZq8ISHGFydHVyb0Bk
ZWJpYW4ub3JnAAoJEGjnE5gdFRX4ZQ0P/0pdeOP7rHJARCJtOGwDI03RK86EPPOV
sOWgnjsnyF3qhnlkOQxfqUx1Jy1tzgKD5/Vy1Z9NhFsSBOsQYP/dG3kTZLcSrATy
prtFYpcxEvP8cJPyzYWCYMIjLggr/k92Se8TwO09ieOx/WmdedLXrxuEfrAcn/kx
sFVO549JJpUNS9L0wsoKQCpD3IetLPAwP8ob6QVM6/ggM604wCZtA86xc7ENIsfx
sX/guSGvnUPi9LgrFg0dwXc7shP1V59gdv5YarcxCBa6mfo4BQvuTf3m+/0VWbzD
IazXbh+hDVHEC30wuMp3xi8y11Dlm2/JPXMXMPGSPcmg9GRluszG+gHajhlCwpUk
swpzF1AYriO5GRyiGw7jCa3RZVknmbdCnYlOr/w1a++6mdnJHkhBsXGjo2H5ybmH
Wint+yAmN+KTRfgLMNRRG0IP8iXmiNef6vWcFFHoMHYfLDlJe69HVM3HgUqEePU3
Mk2GvjceRkjKbDc+ij/zZeKxBTOMguhh86lYjJNjCRLIhCTfyt/fPabR6JCiCpC6
pv1AK5Azo0JBMx/t/4TJ6sVn3dTfOlyv+o2CNYeHoc3BcubpNuKKPU1ZXpAf3yGf
i9PHwI8J0ExpQKFwcux3UvLn9KTU/oLppZd5AYCzUUP6nkZMI8ppRvE3BaT+tHV6
IdwOqJ1GHgdl
=SpIL
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to