Bug#928407: unblock: bind9/1:9.11.5.P4+dfsg-5

2019-05-05 Thread Cyril Brulebois
Niels Thykier  (2019-05-05):
> I have flagged it as ok from the RT PoV and am CC'ing KiBi for a d-i
> review before it is finally unblocked.

No objections.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#928407: unblock: bind9/1:9.11.5.P4+dfsg-5

2019-05-05 Thread Niels Thykier
Control: tags -1 d-i confirmed

Bernhard Schmidt:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package bind9
> 
> -4 and -5 have the following changes over -3 currently in testing.
> 
> - CVE-2018-5743 (Bug#927923)
>   The patch for this has been pulled directly from upstream. There is an
>   additional patch needed for platforms without atomic support.
> - Some additions to the AppArmor policy
>   The seldom-used case of bind9 directly serving ActiveDirectory zones from
>   Samba through a DLZ (Dynamically Loadable Zone) module was quite broken before
>   because Samba in Buster changed some important paths and the AppArmor policy
>   only really got enforced in Buster. Thanks to Steven Monai for filing bugs
>   (928398, 920530) this should be fixed. I consider it low-risk because it only
>   adds paths.
> - During Buster EDDSA crypto was temporarily disabled because it added a dependency
>   on OpenSSL 1.1.1, which was at that point preventing testing migration. In
>   our eyes it makes no sense to keep it disabled. Ed448 is currently broken
>   upstream (https://gitlab.isc.org/isc-projects/bind9/issues/225) so there is an
>   additional patch to keep that disabled.
> 
> -4 has been in sid for more than a week without reported regressions, -5 only
> adds a single line to the AppArmor policy.
> 
> unblock bind9/1:9.11.5.P4+dfsg-5
> 

Hi,

I have flagged it as ok from the RT PoV and am CC'ing KiBi for a d-i
review before it is finally unblocked.

Thanks,
~Niels



Processed: Re: Bug#928407: unblock: bind9/1:9.11.5.P4+dfsg-5

2019-05-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 d-i confirmed
Bug #928407 [release.debian.org] unblock: bind9/1:9.11.5.P4+dfsg-5
Added tag(s) d-i and confirmed.

-- 
928407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928407
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928407: unblock: bind9/1:9.11.5.P4+dfsg-5

2019-05-03 Thread Bernhard Schmidt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package bind9

-4 and -5 have the following changes over -3 currently in testing.

- CVE-2018-5743 (Bug#927923)
  The patch for this has been pulled directly from upstream. There is an
  additional patch needed for platforms without atomic support.
- Some additions to the AppArmor policy
  The seldom-used case of bind9 directly serving ActiveDirectory zones from
  Samba through a DLZ (Dynamically Loadable Zone) module was quite broken before
  because Samba in Buster changed some important paths and the AppArmor policy
  only really got enforced in Buster. Thanks to Steven Monai for filing bugs
  (928398, 920530) this should be fixed. I consider it low-risk because it only
  adds paths.
- During Buster EDDSA crypto was temporarily disabled because it added a dependency
  on OpenSSL 1.1.1, which was at that point preventing testing migration. In
  our eyes it makes no sense to keep it disabled. Ed448 is currently broken
  upstream (https://gitlab.isc.org/isc-projects/bind9/issues/225) so there is an
  additional patch to keep that disabled.

-4 has been in sid for more than a week without reported regressions, -5 only
adds a single line to the AppArmor policy.

unblock bind9/1:9.11.5.P4+dfsg-5
diffstat for bind9-9.11.5.P4+dfsg bind9-9.11.5.P4+dfsg

 changelog   |   20 
 extras/apparmor.d/usr.sbin.named|2 
 libisc1100.symbols  |2 
 patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch |  912 ++
 patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch |  128 +
 patches/0014-Disable-broken-Ed448-support.patch |  508 +
 patches/series  |3 
 rules   |2 
 8 files changed, 1575 insertions(+), 2 deletions(-)

diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog 
bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog   2019-04-22 22:31:06.0 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/changelog   2019-05-03 19:44:57.0 
+0200
@@ -1,3 +1,23 @@
+bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
+
+  * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
+Thanks to Steven Monai (Closes: 928398)
+
+ -- Bernhard Schmidt   Fri, 03 May 2019 19:44:57 +0200
+
+bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
+
+  [ Bernhard Schmidt ]
+  * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
+
+  [ Ondřej Surý ]
+  * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
+(Closes: #927932)
+  * Update symbols file for new symbol in libisc
+  * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)
+
+ -- Ondřej Surý   Fri, 26 Apr 2019 08:33:13 +
+
 bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
 
   * More fixes to the AppArmor policy for Samba AD DLZ
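Review bot: the CVE-2018-5743 entry in the -4 changelog closes #927932, but the unblock request body cites Bug#927923 for the same fix; one of the two numbers is a transposition, and since the changelog is what the BTS acts on at upload time, the entry should be checked against the bug that actually tracks the CVE. Minor style point in the -5 entry: `Closes: 928398` lacks the `#` prefix that the -4 entries use (`Closes: #927827`, `Closes: #927932`); the Closes parser accepts both forms, but the file should stay consistent.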
diff -Nru bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named 
bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named
--- bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named
2019-04-22 22:31:06.0 +0200
+++ bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named
2019-05-03 19:44:57.0 +0200
@@ -81,11 +81,13 @@
   /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
   /var/lib/samba/bind-dns/dns.keytab rk,
   /var/lib/samba/bind-dns/named.conf r,
+  /var/lib/samba/bind-dns/dns/** rwk,
   /var/lib/samba/private/dns.keytab rk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /etc/samba/smb.conf r,
   /dev/urandom rwmk,
+  owner /var/tmp/krb5_* rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   #include 
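Review bot: the two added rules are reasonably scoped but undocumented in the profile. `/var/lib/samba/bind-dns/dns/** rwk` grants read/write/lock on the entire subtree, which mirrors the pre-existing `/var/lib/samba/private/dns/** rwk` rule for the other Samba layout, so it is consistent with what -3 already allowed; `owner /var/tmp/krb5_* rwk` is restricted to files owned by named's own uid, and because `*` does not match `/` it cannot reach into subdirectories of /var/tmp. Neither line says what it is for, though; the changelog only has "for Samba AD DLZ". A one-line comment above each rule naming the Samba component that needs it would spare the next person auditing this profile a trip through the bug tracker (928398, 927827).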
diff -Nru bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols 
bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols
--- bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols  2019-04-22 
22:31:06.0 +0200
+++ bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols  2019-05-03 
19:44:57.0 +0200
@@ -580,6 +580,7 @@
  isc_quota_attach@Base 1:9.11.3+dfsg
  isc_quota_destroy@Base 1:9.11.3+dfsg
  isc_quota_detach@Base 1:9.11.3+dfsg
+ isc_quota_force@Base 1:9.11.5.P4+dfsg
  isc_quota_init@Base 1:9.11.3+dfsg
  isc_quota_max@Base 1:9.11.3+dfsg
  isc_quota_release@Base 1:9.11.3+dfsg
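Review bot: the minimal version on the new line, `isc_quota_force@Base 1:9.11.5.P4+dfsg`, is the upstream version, but this symbol is introduced by one of the patches in this upload (the changelog pairs "Update symbols file for new symbol in libisc" with the CVE-2018-5743 fix), so the first package that actually exports it is -4. With the upstream-only version, anything built against -4 that calls isc_quota_force would get a `libisc1100 (>= 1:9.11.5.P4+dfsg)` dependency that the -1 to -3 binaries in the archive satisfy without having the symbol. Suggest `isc_quota_force@Base 1:9.11.5.P4+dfsg-4~` (the usual form for symbols added by a Debian revision).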
@@ -1482,6 +1483,7 @@
  isc_quota_attach@Base 1:9.11.3+dfsg
  isc_quota_destroy@Base 1:9.11.3+dfsg
  isc_quota_detach@Base 1:9.11.3+dfsg
+ isc_quota_force@Base 1:9.11.5.P4+dfsg
  isc_quota_init@Base 1:9.11.3+dfsg
  isc_quota_max@Base 1:9.11.3+dfsg
  isc_quota_release@Base 1:9.11.3+dfsg
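Review bot: this second hunk adds the same `isc_quota_force@Base 1:9.11.5.P4+dfsg` line to the second copy of the symbol list in the file (the file evidently carries the list twice, once around line 580 and once around line 1483); whatever minimal version is settled on for the first hunk needs to be applied here too, or the two blocks will disagree.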
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
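The request above argues the AppArmor change is low-risk because it "only adds paths". One way to check that claim concretely is to model AppArmor's file-rule globbing and ask which accesses the two new lines permit that the -3 profile did not. The following is an added example written for this review, not code from the bind9 package or from AppArmor; it re-implements the glob semantics documented in apparmor.d(5) (`*` matches anything except `/`, `**` matches anything including `/`, `owner` rules apply only to files owned by the confined process's uid) for the rule lines visible in the hunk. The `@{multiarch}` value and the probe paths are constructed for the example.

```python
"""Model of AppArmor file-rule globbing, used to check what the two rules added
to usr.sbin.named in bind9 -4 and -5 actually permit. Added example, not part of
the bind9 package or of AppArmor; semantics follow apparmor.d(5)."""
import re

# Constructed value for the @{multiarch} tunable (AppArmor's tunables/multiarch
# defines it as the pattern '*-linux-gnu*'; assumed here, not from the thread).
VARIABLES = {"multiarch": "*-linux-gnu*"}


def expand_variables(pattern):
    for name, value in VARIABLES.items():
        pattern = pattern.replace("@{" + name + "}", value)
    return pattern


def _glob_body(pattern):
    """Translate an AppArmor path glob into an unanchored regex string."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # '**' crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")       # '*' stops at '/'
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")        # single character, not '/'
            i += 1
        elif pattern[i] == "{":       # {a,b,...} alternation; '' is allowed
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_body(a) for a in alts) + ")")
            i = j + 1
        elif pattern[i] == "[":       # [abc] character class, copied through
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def glob_to_regex(pattern):
    return re.compile("^" + _glob_body(expand_variables(pattern)) + "$")


# (glob, permission letters, owner-only), transcribed from the hunk in the
# unblock request. RULES_BEFORE is the -3 profile fragment; RULES_AFTER adds
# the line from -4 and the owner-only line from -5.
RULES_BEFORE = [
    ("/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so", "rm", False),
    ("/var/lib/samba/bind-dns/dns.keytab", "rk", False),
    ("/var/lib/samba/bind-dns/named.conf", "r", False),
    ("/var/lib/samba/private/dns.keytab", "rk", False),
    ("/var/lib/samba/private/named.conf", "r", False),
    ("/var/lib/samba/private/dns/**", "rwk", False),
    ("/etc/samba/smb.conf", "r", False),
    ("/dev/urandom", "rwmk", False),
]
RULES_AFTER = RULES_BEFORE + [
    ("/var/lib/samba/bind-dns/dns/**", "rwk", False),   # added in -4
    ("/var/tmp/krb5_*", "rwk", True),                    # added in -5, owner-only
]


def allowed(rules, path, perm, is_owner=False):
    """True if some rule grants permission letter `perm` on `path`.
    `is_owner` models whether the file is owned by named's uid; 'owner'
    rules are skipped otherwise."""
    for glob, perms, owner_only in rules:
        if owner_only and not is_owner:
            continue
        if perm in perms and glob_to_regex(glob).match(path):
            return True
    return False


# Constructed probe accesses: (path, permission, file owned by named?).
PROBES = [
    ("/var/tmp/krb5_cc_named", "w", True),
    ("/var/tmp/krb5_cc_named", "w", False),
    ("/var/tmp/krb5_dir/cred", "w", True),
    ("/var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb", "w", False),
    ("/var/lib/samba/bind-dns/named.conf", "w", False),
    ("/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba.so", "m", False),
    ("/etc/shadow", "r", False),
]


def newly_granted(before, after, probes):
    """Probe accesses permitted by `after` but not by `before`."""
    return [(p, perm, own) for p, perm, own in probes
            if allowed(after, p, perm, own) and not allowed(before, p, perm, own)]


def removed_grants(before, after, probes):
    """Probe accesses permitted by `before` but not by `after`; empty if the
    change really only adds paths."""
    return [(p, perm, own) for p, perm, own in probes
            if allowed(before, p, perm, own) and not allowed(after, p, perm, own)]


if __name__ == "__main__":
    for entry in newly_granted(RULES_BEFORE, RULES_AFTER, PROBES):
        print("newly allowed:", entry)
    print("removed:", removed_grants(RULES_BEFORE, RULES_AFTER, PROBES))
```

Run stand-alone, the script reports exactly two newly allowed probes: a write to an `/var/tmp/krb5_*` file that named owns, and a write anywhere below `/var/lib/samba/bind-dns/dns/`. The same krb5 path is refused when the file is not owned by named, a path one directory deeper under `/var/tmp/krb5_dir/` is refused because `*` does not cross `/`, and nothing the -3 profile allowed is lost, which is the "only adds paths" property the request claims. The model covers only the path-rule subset of the profile language, so it is a review aid, not a substitute for `apparmor_parser` and the audit log on a Samba AD DLZ host.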