Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

New upstream version update, the upstream CHANGES are:

        --- 9.16.28 released ---

5856.   [bug]           The "starting maxtime timer" message related to outgoing
                        zone transfers was incorrectly logged at the ERROR level
                        instead of DEBUG(1). [GL #3208]

5852.   [func]          Add new "reuseport" option to enable/disable load
                        balancing of sockets. [GL #3249]

5843.   [bug]           When an UPDATE targets a zone that is not configured,
                        the requested zone name is now logged in the "not
                        authoritative" error message, so that it is easier to
                        track down problematic update clients. [GL #3209]

5836.   [bug]           Quote the dns64 prefix in error messages that complain
                        about problems with it, to avoid confusion with the
                        following dns64 ACLs. [GL #3210]

5834.   [cleanup]       C99 variable-length arrays are difficult to use safely,
                        so avoid them except in test code. [GL #3201]

5828.   [bug]           Replace single TCP write timer with per-TCP write
                        timers. [GL #3200]

5824.   [bug]           Invalid dnssec-policy definitions were being accepted
                        where the defined keys did not cover both KSK and ZSK
                        roles for a given algorithm.  This is now checked for
                        and the dnssec-policy is rejected if both roles are
                        not present for all algorithms in use. [GL #3142]

And the user-friendly release notes:

Notes for BIND 9.16.28
----------------------

New Features
~~~~~~~~~~~

- Add a new configuration option ``reuseport`` to disable load balancing
  on sockets in situations where processing of Response Policy Zones
  (RPZ), Catalog Zones, or large zone transfers can cause service
  disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`

Bug Fixes
~~~~~~~~

- Invalid ``dnssec-policy`` definitions, where the defined keys did not
  cover both KSK and ZSK roles for a given algorithm, were being
  accepted. These are now checked, and the ``dnssec-policy`` is rejected
  if both roles are not present for all algorithms in use. :gl:`#3142`

- Handling of TCP write timeouts has been improved to track the timeout
  for each TCP write separately, leading to a faster connection teardown
  in case the other party is not reading the data. :gl:`#3200`

[ Impact ]

The package will be updated when there's a new BIND 9 release containing
security vulnerabilities.

[ Tests ]

Upstream runs an automated test suite covering many different platforms and also
runs manually triggered, more extensive checks in their CI platform.

[ Risks ]

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

There are two extra related changes:

* Drop the libldap2-dev Build-Depends (it's not used at all)

* Add more strict dependency on libuv1

  There are new flags (as enum members) that are being used because BIND 9
  is compiled with libuv1 >= 1.40.0, but this is something not caught by the
  dpkg-gensymbols mechanism because that can look only at the exported symbols.

  When the flags that were available at compile time are used with an older
  libuv1 at runtime, it causes an assertion failure with "invalid argument":

  udp.c:229: fatal error: uv_udp_init_ex failed: invalid argument

[ Other info ]

FTR I am the BIND 9 packager and upstream at the same time.  There were no reports
of regressions from the users using BIND 9.16.28 from ISC provided packages or
compiled from source.


Attachment: bind9_9.16.28-1~deb11u1.debdiff.xz
Description: application/xz

Attachment: bind9_9.16.28-1~deb11u1_source.debdiff.xz
Description: application/xz

Attachment: bind9_9.16.28-1~deb11u1_amd64.debdiff.xz
Description: application/xz
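
The dnssec-policy fix in the release notes above (GL #3142) means a policy that loaded before the update can be rejected after it. The following is an added example, not part of the original message or of BIND's code: a pre-upgrade lint that flags policies whose keys leave the KSK or ZSK role uncovered for some algorithm. The function names, the simplified regex parsing and the sample configuration are assumptions made for illustration.

```python
import re

# IANA DNSSEC algorithm mnemonics -> numbers, so "13" and "ecdsap256sha256" match.
ALG_NUM = {"rsasha1": 5, "nsec3rsasha1": 7, "rsasha256": 8, "rsasha512": 10,
           "ecdsap256sha256": 13, "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16}
ROLES = {"ksk": {"KSK"}, "zsk": {"ZSK"}, "csk": {"KSK", "ZSK"}}  # a CSK fills both
POLICY_RE = re.compile(r'dnssec-policy\s+"?([\w.-]+)"?\s*\{')
KEYS_RE = re.compile(r'\bkeys\s*\{([^{}]*)\}')
KEY_RE = re.compile(r'\b(ksk|zsk|csk)\b[^;]*?\balgorithm\s+([\w-]+)', re.I)

# Constructed named.conf fragment (not from the original message).
SAMPLE = '''
dnssec-policy "split" {   // KSK and ZSK use different algorithms
    keys { ksk lifetime unlimited algorithm ecdsap256sha256;
           zsk lifetime P30D algorithm rsasha256 2048; };
};
dnssec-policy "ok" { keys { csk lifetime unlimited algorithm 13; }; };
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def policy_body(text, start):
    """Text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def uncovered_roles(conf):
    """Return {policy: {algorithm: [missing roles]}} for incomplete policies."""
    conf, problems = strip_comments(conf), {}
    for m in POLICY_RE.finditer(conf):
        seen = {}
        for keys in KEYS_RE.finditer(policy_body(conf, m.end() - 1)):
            for role, alg in KEY_RE.findall(keys.group(1)):
                alg = alg.lower()
                num = int(alg) if alg.isdigit() else ALG_NUM.get(alg, alg)
                seen.setdefault(num, set()).update(ROLES[role.lower()])
        missing = {a: sorted({"KSK", "ZSK"} - r)
                   for a, r in seen.items() if r != {"KSK", "ZSK"}}
        if missing:
            problems[m.group(1)] = missing
    return problems

if __name__ == "__main__":
    print(uncovered_roles(SAMPLE))
```

This lint only flags candidates for review; running named-checkconf from the updated package against the real configuration remains the authoritative check.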
