Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-27 Thread Ivo De Decker
Hi,

On Fri, Feb 27, 2015 at 01:11:50AM +0100, Cyril Brulebois wrote:
> Steven Chamberlain  (2015-02-26):
> > Cyril Brulebois wrote:
> > > No objection on my side, but let's give BSD folks a heads-up since
> > > isc-dhcp-client-udeb depends on bind9's udebs.
> > 
> > Thanks, the changes seem to only relate to authoritative DNS zones
> > though.  No foreseeable impact on ISC DHCP or d-i.
> 
> ACK, let's do that then.

Added unblock-udeb.

Cheers,

Ivo


-- 
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150227175210.ga6...@ugent.be



Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-26 Thread Cyril Brulebois
Control: tag -1 confirmed

Steven Chamberlain  (2015-02-26):
> Cyril Brulebois wrote:
> > No objection on my side, but let's give BSD folks a heads-up since
> > isc-dhcp-client-udeb depends on bind9's udebs.
> 
> Thanks, the changes seem to only relate to authoritative DNS zones
> though.  No foreseeable impact on ISC DHCP or d-i.

ACK, let's do that then.

Mraw,
KiBi.




Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-26 Thread Steven Chamberlain
Steven Chamberlain wrote:
> Cyril Brulebois wrote:
> > No objection on my side, but let's give BSD folks a heads-up since
> > isc-dhcp-client-udeb depends on bind9's udebs.
> 
> Thanks, the changes seem to only relate to authoritative DNS zones
> though.  No foreseeable impact on ISC DHCP or d-i.

Actually, the libs in the udebs have identical object code to before,
only their BuildID differs.

(I think this kind of analysis could be quite useful in the future, and
is becoming easier thanks to the ongoing work on reproducible builds.)

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
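
The comparison described in the message above (identical object code, only the BuildID differing) can be checked section by section. This is an added example, not code from the thread or from Debian's tooling: it handles 64-bit little-endian ELF only, compares section contents rather than whole files, and `make_elf`, `sections` and `differing_sections` are hypothetical names, with `make_elf` producing constructed sample inputs.

```python
import hashlib
import struct

def sections(elf: bytes) -> dict:
    """Map section name -> SHA-256 of its file contents (ELF64 LE only)."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = []
    for i in range(shnum):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        name, typ, _f, _a, off, size = struct.unpack_from(
            "<IIQQQQ", elf, shoff + i * shentsize)
        hdrs.append((name, typ, off, size))
    _, _, stroff, strsize = hdrs[shstrndx]
    strtab = elf[stroff:stroff + strsize]
    out = {}
    for name, typ, off, size in hdrs:
        if typ in (0, 8):      # SHT_NULL / SHT_NOBITS occupy no file bytes
            continue
        label = strtab[name:strtab.index(b"\0", name)].decode()
        out[label] = hashlib.sha256(elf[off:off + size]).hexdigest()
    return out

def differing_sections(old: bytes, new: bytes) -> list:
    """Names of sections whose contents differ or exist in only one file."""
    a, b = sections(old), sections(new)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_elf(build_id: bytes, code: bytes) -> bytes:
    """Constructed minimal ELF64 image: .text, .note.gnu.build-id, .shstrtab."""
    names = b"\0.text\0.note.gnu.build-id\0.shstrtab\0"
    note = struct.pack("<III", 4, len(build_id), 3) + b"GNU\0" + build_id
    blob, shdrs = b"", b""
    rows = [(b"", 0, 0), (code, 1, 1), (note, 7, 7), (names, 26, 3)]
    for body, name_off, typ in rows:     # typ: NULL, PROGBITS, NOTE, STRTAB
        shdrs += struct.pack("<IIQQQQIIQQ", name_off, typ, 0, 0,
                             64 + len(blob), len(body), 0, 0, 1, 0)
        blob += body
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64 + len(blob), 0, 64, 0, 0, 64, 4, 3)
    return ehdr + blob + shdrs

if __name__ == "__main__":
    old = make_elf(bytes(20), b"\x90\xc3")       # constructed "before" library
    new = make_elf(b"\x01" * 20, b"\x90\xc3")    # same code, new BuildID
    print(differing_sections(old, new))
```

A result containing only `.note.gnu.build-id` corresponds to the situation reported for the udeb libraries; any other section name in the list means the rebuilt binary differs in content.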





Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-26 Thread Steven Chamberlain
Cyril Brulebois wrote:
> No objection on my side, but let's give BSD folks a heads-up since
> isc-dhcp-client-udeb depends on bind9's udebs.

Thanks, the changes seem to only relate to authoritative DNS zones
though.  No foreseeable impact on ISC DHCP or d-i.

Regards
-- 
Steven Chamberlain
ste...@pyro.eu.org





Re: Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-25 Thread Cyril Brulebois
Michael Gilbert  (2015-02-18):
> package: release.debian.org
> user: release.debian@packages.debian.org
> usertags: unblock
> severity: normal
> x-debbugs-cc: debian-boot@lists.debian.org
> 
> Please consider unblocking bind9.  It fixes a new security issue.
> 
> unblock bind9/9.9.5.dfsg-9
> unblock-udeb bind9/9.9.5.dfsg-9

> diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
> --- bind9-9.9.5.dfsg/debian/changelog
> +++ bind9-9.9.5.dfsg/debian/changelog
> @@ -1,3 +1,10 @@
> +bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
> +
> +  * Fix CVE-2015-1349: named crash due to managed key rollover, primarily 
> only
> +affecting setups using DNSSEC (closes: #778733).
> +
> + -- Michael Gilbert   Thu, 19 Feb 2015 03:42:21 +
> +
>  bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
>  
>* Launch rndc command in the background in networking scripts to avoid a
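Review bot: the `+  * Fix CVE-2015-1349` bullet is split by the mail quoting, leaving `only` on a line of its own with no `+` marker, so this quoted copy of the changelog hunk is no longer a valid hunk and will not apply. Take the changelog hunk from the original report rather than from this reply.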
> only in patch2:
> unchanged:
> --- bind9-9.9.5.dfsg.orig/lib/dns/zone.c
> +++ bind9-9.9.5.dfsg/lib/dns/zone.c
> @@ -8496,6 +8496,12 @@
>namebuf, tag);
>   trustkey = ISC_TRUE;
>   }
> + } else {
> + /*
> +  * No previously known key, and the key is not
> +  * secure, so skip it.
> +  */
> + continue;
>   }
>  
>   /* Delete old version */
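Review bot: the comment in the new `else` branch says "No previously known key, and the key is not secure", but the `if` that this `else` belongs to lies outside the hunk, so a reader cannot tell from here which condition is being negated. Suggest naming the tested variables in the comment so the skip can be checked against the condition directly.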
> @@ -8544,7 +8550,7 @@
>   trust_key(zone, keyname, &dnskey, mctx);
>   }
>  
> - if (!deletekey)
> + if (secure && !deletekey)
>   set_refreshkeytimer(zone, &keydata, now);
>   }
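Review bot: the new `secure &&` guard in `if (secure && !deletekey)` carries no comment, unlike the `else` branch added in the previous hunk. A one-line comment saying why `set_refreshkeytimer()` must not run for a key that is not secure would help, since the changelog entry only describes the symptom (named crash).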

No objection on my side, but let's give BSD folks a heads-up since
isc-dhcp-client-udeb depends on bind9's udebs.

Mraw,
KiBi.




Bug#778734: unblock: bind9/9.9.5.dfsg-9

2015-02-18 Thread Michael Gilbert
package: release.debian.org
user: release.debian@packages.debian.org
usertags: unblock
severity: normal
x-debbugs-cc: debian-boot@lists.debian.org

Please consider unblocking bind9.  It fixes a new security issue.

unblock bind9/9.9.5.dfsg-9
unblock-udeb bind9/9.9.5.dfsg-9
diff -u bind9-9.9.5.dfsg/debian/changelog bind9-9.9.5.dfsg/debian/changelog
--- bind9-9.9.5.dfsg/debian/changelog
+++ bind9-9.9.5.dfsg/debian/changelog
@@ -1,3 +1,10 @@
+bind9 (1:9.9.5.dfsg-9) unstable; urgency=high
+
+  * Fix CVE-2015-1349: named crash due to managed key rollover, primarily only
+affecting setups using DNSSEC (closes: #778733).
+
+ -- Michael Gilbert   Thu, 19 Feb 2015 03:42:21 +
+
 bind9 (1:9.9.5.dfsg-8) unstable; urgency=medium
 
   * Launch rndc command in the background in networking scripts to avoid a
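Review bot: "primarily only" in the `Fix CVE-2015-1349` bullet is redundant, and the entry names the symptom but not what was changed. Suggest dropping one of the two words and mentioning that the fix is in lib/dns/zone.c, the only source file in this diff.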
only in patch2:
unchanged:
--- bind9-9.9.5.dfsg.orig/lib/dns/zone.c
+++ bind9-9.9.5.dfsg/lib/dns/zone.c
@@ -8496,6 +8496,12 @@
 	 namebuf, tag);
 trustkey = ISC_TRUE;
 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
 		}
 
 		/* Delete old version */
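Review bot: the `continue` in the new `else` branch skips the rest of the loop body, including the `/* Delete old version */` step in the trailing context. The hunk does not show what was set up earlier in the iteration, so please confirm that nothing acquired before this point needs releasing on the early exit, and that leaving the old version in place for such a key is intended.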
@@ -8544,7 +8550,7 @@
 			trust_key(zone, keyname, &dnskey, mctx);
 		}
 
-		if (!deletekey)
+		if (secure && !deletekey)
 			set_refreshkeytimer(zone, &keydata, now);
 	}
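Review bot: with `if (secure && !deletekey)`, a key that is neither secure nor marked for deletion no longer reaches `set_refreshkeytimer()`. Please confirm the refresh is still scheduled by some other path in that case, and consider adding a regression test for the managed key rollover case named in the changelog, since none is included in this diff.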