Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
Hi,

On Fri, Feb 27, 2015 at 01:11:50AM +0100, Cyril Brulebois wrote:
> Steven Chamberlain (2015-02-26):
> > Cyril Brulebois wrote:
> > > No objection on my side, but let's give BSD folks a heads-up since
> > > isc-dhcp-client-udeb depends on bind9's udebs.
> >
> > Thanks, the changes seem to only relate to authoritative DNS zones
> > though. No foreseeable impact on ISC DHCP or d-i.
>
> ACK, let's do that then.

Added unblock-udeb.

Cheers,
Ivo

--
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150227175210.ga6...@ugent.be

Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
Control: tag -1 confirmed

Steven Chamberlain (2015-02-26):
> Cyril Brulebois wrote:
> > No objection on my side, but let's give BSD folks a heads-up since
> > isc-dhcp-client-udeb depends on bind9's udebs.
>
> Thanks, the changes seem to only relate to authoritative DNS zones
> though. No foreseeable impact on ISC DHCP or d-i.

ACK, let's do that then.

Mraw,
KiBi.

Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
Steven Chamberlain wrote:
> Cyril Brulebois wrote:
> > No objection on my side, but let's give BSD folks a heads-up since
> > isc-dhcp-client-udeb depends on bind9's udebs.
>
> Thanks, the changes seem to only relate to authoritative DNS zones
> though. No foreseeable impact on ISC DHCP or d-i.

Actually, the libs in the udebs have identical object code to before,
only their BuildID differs.

(I think this kind of analysis could be quite useful in the future, and
is becoming easier thanks to the ongoing work on reproducible builds.)

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/20150227001150.gb5...@squeeze.pyro.eu.org

Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
Cyril Brulebois wrote:
> No objection on my side, but let's give BSD folks a heads-up since
> isc-dhcp-client-udeb depends on bind9's udebs.

Thanks, the changes seem to only relate to authoritative DNS zones
though. No foreseeable impact on ISC DHCP or d-i.

Regards
--
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/20150226235625.ga5...@squeeze.pyro.eu.org

Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9
Michael Gilbert (2015-02-18):
> package: release.debian.org
> user: release.debian@packages.debian.org
> usertags: unblock
> severity: normal
> x-debbugs-cc: debian-boot@lists.debian.org
>
> Please consider unblocking bind9. It fixes a new security issue.
>
> unblock bind9/9.9.5.dfsg-9
> unblock-udeb bind9/9.9.5.dfsg-9
> diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog > --- bind9-9.9.5.dfsg/debian/changelog > +++ bind9-9.9.5.dfsg/debian/changelog > @@ -1,3 +1,10 @@ > +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high > + > + * Fix CVE-2015-1349: named crash due to managed key rollover, primarily > only > +affecting setups using DNSSEC (closes: #778733). > + > + -- Michael Gilbert Thu, 19 Feb 2015 03:42:21 + > + > bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium > >* Launch rndc command in the background in networking scripts to avoid a > only in patch2: > unchanged: > --- bind9-9.9.5.dfsg.orig/lib/dns/zone.c > +++ bind9-9.9.5.dfsg/lib/dns/zone.c > @@ -8496,6 +8496,12 @@ >namebuf, tag); > trustkey = ISC_TRUE; > } > + } else { > + /* > + * No previously known key, and the key is not > + * secure, so skip it. > + */ > + continue; > } > > /* Delete old version */ > @@ -8544,7 +8550,7 @@ > trust_key(zone, keyname, &dnskey, mctx); > } > > - if (!deletekey) > + if (secure && !deletekey) > set_refreshkeytimer(zone, &keydata, now); > }

No objection on my side, but let's give BSD folks a heads-up since
isc-dhcp-client-udeb depends on bind9's udebs.

Mraw,
KiBi.

Bug#778734: unblock: bind9/9.9.5.dfsg-9
package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock
severity: normal
x-debbugs-cc: debian-boot@lists.debian.org

Please consider unblocking bind9. It fixes a new security issue.

unblock bind9/9.9.5.dfsg-9
unblock-udeb bind9/9.9.5.dfsg-9

diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog --- bind9-9.9.5.dfsg/debian/changelog +++ bind9-9.9.5.dfsg/debian/changelog @@ -1,3 +1,10 @@ +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high + + * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only +affecting setups using DNSSEC (closes: #778733). + + -- Michael Gilbert Thu, 19 Feb 2015 03:42:21 + + bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium * Launch rndc command in the background in networking scripts to avoid a only in patch2: unchanged: --- bind9-9.9.5.dfsg.orig/lib/dns/zone.c +++ bind9-9.9.5.dfsg/lib/dns/zone.c @@ -8496,6 +8496,12 @@ namebuf, tag); trustkey = ISC_TRUE; } + } else { + /* + * No previously known key, and the key is not + * secure, so skip it. + */ + continue; } /* Delete old version */ @@ -8544,7 +8550,7 @@ trust_key(zone, keyname, &dnskey, mctx); } - if (!deletekey) + if (secure && !deletekey) set_refreshkeytimer(zone, &keydata, now); }
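
Review bot: In the debian/changelog hunk, the new entry's "primarily only affecting setups using DNSSEC" contradicts itself: "primarily" implies other setups can be hit, "only" says they cannot. Pick one of the two words so that an administrator reading the changelog can tell whether a server without DNSSEC managed keys needs this urgency=high upload.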
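
Review bot: In the lib/dns/zone.c hunk at -8496, the added `continue` leaves the current iteration before the "Delete old version" step that follows, and the visible context does not show whether anything acquired earlier in the iteration has to be released on that path; this is worth confirming against the full loop body. The condition that the new `else` pairs with is also outside the hunk, so naming it in the comment ("No previously known key, and the key is not secure, so skip it.") would make the pairing checkable, and a log message for the skipped key would help operators diagnose a key that is never accepted.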
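
Review bot: In the lib/dns/zone.c hunk at -8544, the new test `if (secure && !deletekey)` carries no comment explaining why a key that is not secure must not reach set_refreshkeytimer(), while the first zone.c hunk documents its skip. Please add a short comment there, and confirm that a refresh timer is still set for the zone when `secure` is false for every key, since otherwise the managed keys would not be rechecked.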