[Pkg-dns-devel] Bug#873371: stretch-pu: package unbound/1.6.0-3+deb9u1

Robert Edmonds edmonds at debian.org
Sun Aug 27 05:25:10 UTC 2017


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

There is a bug in the unbound package shipped in stretch (1.6.0-3) that
will cause DNS resolution to fail on systems that install the unbound
package between September 11 and October 11, 2017. The upstream
developers have released 1.6.5 with a fix for this problem:

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html

After discussing this issue with the security team, it was suggested
that a fix be released via a stable point release, as well as being
fast-tracked via the *-updates mechanism, due to the time component of
the bug. Please see attached a debdiff for unbound 1.6.0-3+deb9u1
containing the backported fix from upstream version 1.6.5.

Additionally, since new installs of the unbound package initialize the
autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from
a copy shipped in the dns-root-data package (/usr/share/dns/root.key),
the dns-root-data package in stretch needs to be updated to transition
the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The
stretch-pu request for the dns-root-data package is #873054.)
Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned
dependency on the dns-root-data package that would be shipped in
#873054.

Thanks!

-- 
Robert Edmonds
edmonds at debian.org
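The trust-point bootstrap check that the report and the backported autotrust.c change describe, as an added model for this page (not unbound's code): before upstream r4301 a key whose DS digest matched also had to verify the DNSKEY RRset, after it the digest match alone suffices, so with two anchors present both keys are accepted. Assumed here: constructed DNSKEY RDATA stands in for KSK-2010 and KSK-2017, and RRSIG verification is modelled by a set of signing key tags.

```python
# Added model (not unbound's code) of key_matches_a_ds() before/after r4301.
# DNSKEY/DS wire formats per RFC 4034. Constructed keys stand in for KSK-2010
# (real tag 19036) and KSK-2017 (real tag 20326); RRSIG verification of the
# DNSKEY RRset is modelled by the set of key tags that currently sign it.
import hashlib

DS_SHA256 = 2   # DS digest type (RFC 4509)
ROOT = b"\x00"  # owner name "." in wire format

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    # RFC 4034 2.1: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: 16-bit accumulator over the DNSKEY RDATA
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def ds_digest(owner_wire: bytes, rdata: bytes) -> bytes:
    # RFC 4034 5.1.4: digest(owner name wire format | DNSKEY RDATA)
    return hashlib.sha256(owner_wire + rdata).digest()

def key_matches_a_ds(rdata, ds_set, owner_wire, signers, hash_only):
    # ds_set: (key_tag, algorithm, digest_type, digest) tuples from the anchor
    # file; signers: key tags whose RRSIG over the DNSKEY RRset verifies.
    for tag, alg, dtype, digest in ds_set:
        if (tag, alg, dtype) != (key_tag(rdata), rdata[3], DS_SHA256):
            continue
        if digest != ds_digest(owner_wire, rdata):
            continue                    # "DS match attempt failed"
        if hash_only:                   # r4301: DS hash match is sufficient
            return True
        if key_tag(rdata) in signers:   # old path: key must also sign the RRset
            return True
    return False                        # "does not verify the keyset"

KSK_2010 = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")  # constructed, tag 2063
KSK_2017 = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")  # constructed, tag 4119
DS_SET = [(key_tag(k), 8, DS_SHA256, ds_digest(ROOT, k)) for k in (KSK_2010, KSK_2017)]

def valid_anchors(hash_only, signers=frozenset({2063})):
    # Tags accepted at bootstrap. The default `signers` models 11 Sep - 11 Oct
    # 2017: both DS anchors present, but only KSK-2010 signing the DNSKEY RRset.
    return tuple(key_tag(k) for k in (KSK_2010, KSK_2017)
                 if key_matches_a_ds(k, DS_SET, ROOT, signers, hash_only))
```

`valid_anchors(False)` returns only the KSK-2010 tag for the September-October 2017 window, `valid_anchors(True)` returns both.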
-------------- next part --------------
diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog
--- unbound-1.6.0/debian/changelog	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/changelog	2017-08-27 00:43:42.000000000 -0400
@@ -1,3 +1,14 @@
+unbound (1.6.0-3+deb9u1) stretch; urgency=high
+
+  * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+    when two anchors are present, makes both valid.  Checks hash of DS but
+    not signature of new key.  This fixes installs between sep11 and oct11
+    2017."
+  * debian/control: unbound: Add versioned dependency on dns-root-data (>=
+    2017072601~) for KSK-2017 in RFC 5011 state VALID.
+
+ -- Robert Edmonds <edmonds at debian.org>  Sun, 27 Aug 2017 00:43:42 -0400
+
 unbound (1.6.0-3) unstable; urgency=medium
 
   * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
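Review bot: the new changelog entry gives only the upstream revision and its commit title, but not the user-visible effect that justifies urgency=high: per the cover mail, fresh installs of 1.6.0-3 between 11 September and 11 October 2017 end up with failing DNS resolution. Add one sentence saying so and a pointer to the upstream announcement on unbound-users (the August 2017 posts linked in the report), so a stretch user reading the changelog does not have to find this bug; the quoted commit message itself should stay verbatim.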
diff -Nru unbound-1.6.0/debian/control unbound-1.6.0/debian/control
--- unbound-1.6.0/debian/control	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/control	2017-08-27 00:43:42.000000000 -0400
@@ -96,7 +96,7 @@
 Architecture: any
 Depends:
  adduser,
- dns-root-data,
+ dns-root-data (>= 2017072601~),
  openssl,
  unbound-anchor,
  ${misc:Depends},
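Review bot: `dns-root-data (>= 2017072601~)` makes unbound uninstallable on stretch until the dns-root-data update from #873054 is accepted, so both stretch-pu requests must land in the same point release and the same *-updates push; say so in the changelog entry so the bump is not mistaken for an oversight. The `~` suffix is correct, since it lets a `2017072601~deb9u1`-style version satisfy the relation. Note that the dependency only helps fresh installs: systems whose /var/lib/unbound/root.key is already initialised are not changed by it.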
diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes
--- unbound-1.6.0/debian/patches/debian-changes	2017-02-19 20:04:34.000000000 -0500
+++ unbound-1.6.0/debian/patches/debian-changes	2017-08-27 00:43:42.000000000 -0400
@@ -5,12 +5,15 @@
  information below has been extracted from the changelog. Adjust it or drop
  it.
  .
- unbound (1.6.0-3) unstable; urgency=medium
+ unbound (1.6.0-3+deb9u1) stretch; urgency=high
  .
-   * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
-     20326 in unbound-anchor". (Closes: #855484)
+   * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+     when two anchors are present, makes both valid.  Checks hash of DS but
+     not signature of new key.  This fixes installs between sep11 and oct11
+     2017."
+   * debian/control: unbound: Add versioned dependency on dns-root-data (>=
+     2017072601~) for KSK-2017 in RFC 5011 state VALID.
 Author: Robert Edmonds <edmonds at debian.org>
-Bug-Debian: https://bugs.debian.org/855484
 
 ---
 The information above should follow the Patch Tagging Guidelines, please
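Review bot: the patch description is replaced rather than extended, and the `Bug-Debian: https://bugs.debian.org/855484` field is dropped, although the r4000 change it documented appears to remain in this patch (the later hunk only appends the autotrust.c material after the existing acx_python.m4 content). List both cherry-picks in the description, keep the Bug-Debian field, and consider adding `Origin: upstream, svn r4301` in line with the Patch Tagging Guidelines the header itself refers to.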
@@ -23,7 +26,7 @@
 Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
 Forwarded: <no|not-needed|url proving that it has been forwarded>
 Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: 2017-02-20
+Last-Update: 2017-08-27
 
 --- unbound-1.6.0.orig/acx_python.m4
 +++ unbound-1.6.0/acx_python.m4
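Review bot: only Last-Update is refreshed here, while the template placeholders `Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>`, `Forwarded: <no|not-needed|url ...>` and `Reviewed-By: <...>` remain unfilled. As this is a cherry-pick of an upstream commit, `Forwarded: not-needed` is accurate; the other placeholder lines should be dropped rather than shipped as template text.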
@@ -118,3 +121,25 @@
  		free($2);
  	}
  	;
+--- unbound-1.6.0.orig/validator/autotrust.c
++++ unbound-1.6.0/validator/autotrust.c
+@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match attempt failed");
+ 			continue;
+ 		}
++		/* match of hash is sufficient for bootstrap of trust point */
++		(void)reason;
++		(void)ve;
++		return 1;
++		/* no need to check RRSIG, DS hash already matched with source
+ 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
+ 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
+ 			return 1;
+@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match failed because the key "
+ 				"does not verify the keyset: %s", reason);
+ 		}
++		*/
+ 	}
+ 	return 0;
+ }
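Review bot: the early `return 1` after the DS digest match means a key is now admitted to the trust point without dnskey_verify_rrset() ever running on it; that is the intended upstream behaviour and the commit title says so, but it is a security-relevant relaxation of the bootstrap check and deserves an explicit sentence in the Debian changelog, not just the quoted title. Two mechanical points: the `/* no need to check RRSIG ...` comment opens in the first sub-hunk and is only closed by the `+		*/` in the second, so confirm that the skipped region of autotrust.c between them contains no `*/`; and the `(void)reason; (void)ve;` casts exist only to silence unused-variable warnings for the now-dead code. Keeping both identical to upstream r4301 is the right call for a stable update, as it keeps the debdiff directly comparable with upstream.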