[Pkg-dns-devel] Bug#873466: jessie-pu: package unbound/1.4.22-3+deb8u3

Robert Edmonds edmonds at debian.org
Mon Aug 28 04:38:12 UTC 2017


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

I'd like to update jessie's unbound with a fix for the same RFC 5011
issue described in #873371 for stretch, fast-tracked via the *-updates
mechanism due to the time component of the bug. Please see attached a
debdiff for unbound 1.4.22-3+deb8u3.

The fix for jessie requires an additional patch adding the root zone
trust anchor KSK-2017 to the unbound-anchor utility. This change is
nearly identical to a freeze exemption approved for stretch, #855635.

Thanks!

-- 
Robert Edmonds
edmonds at debian.org
-------------- next part --------------
diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog
--- unbound-1.4.22/debian/changelog	2016-07-04 15:58:35.000000000 -0400
+++ unbound-1.4.22/debian/changelog	2017-08-28 00:17:29.000000000 -0400
@@ -1,3 +1,14 @@
+unbound (1.4.22-3+deb8u3) jessie; urgency=high
+
+  * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+    when two anchors are present, makes both valid.  Checks hash of DS but
+    not signature of new key.  This fixes installs between sep11 and oct11
+    2017."
+  * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
+    20326 in unbound-anchor".
+
+ -- Robert Edmonds <edmonds at debian.org>  Mon, 28 Aug 2017 00:17:29 -0400
+
 unbound (1.4.22-3+deb8u2) jessie; urgency=medium
 
   * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132)
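Review bot: the changelog entry does not say why jessie needs r4000 as well as r4301; the cover letter explains it (1.4.22's unbound-anchor lacks the KSK-2017 anchor), and the quoted upstream text for r4301 ("Checks hash of DS but not signature of new key") only helps if the builtin anchor list already contains key tag 20326. Suggest one clause in the r4000 bullet stating that dependency, e.g. "needed so that the r4301 bootstrap fix can match the 2017 KSK", so a reader of the changelog alone sees why both cherry-picks ship together at urgency=high.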
diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes
--- unbound-1.4.22/debian/patches/debian-changes	2016-07-04 16:06:41.000000000 -0400
+++ unbound-1.4.22/debian/patches/debian-changes	2017-08-28 00:18:52.000000000 -0400
@@ -5,13 +5,15 @@
  information below has been extracted from the changelog. Adjust it or drop
  it.
  .
- unbound (1.4.22-3+deb8u2) jessie; urgency=medium
+ unbound (1.4.22-3+deb8u3) jessie; urgency=high
  .
-   * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132)
-   * debian/unbound.init: Call start-stop-daemon with --retry for 'stop'
-     action (patch from Julien Cristau)
+   * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
+     when two anchors are present, makes both valid.  Checks hash of DS but
+     not signature of new key.  This fixes installs between sep11 and oct11
+     2017."
+   * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
+     20326 in unbound-anchor".
 Author: Robert Edmonds <edmonds at debian.org>
-Bug-Debian: https://bugs.debian.org/807132
 
 ---
 The information above should follow the Patch Tagging Guidelines, please
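Review bot: this hunk removes the `Bug-Debian: https://bugs.debian.org/807132` line and adds no replacement, so the debian-changes patch header no longer links to any bug even though the new content is driven by this request; suggest adding `Bug-Debian: https://bugs.debian.org/873466` (and/or the stretch counterpart #873371 mentioned in the cover letter) under the `Author:` line. The "Adjust it or drop it." boilerplate at the top of the header is also still unedited, which the Patch Tagging Guidelines text a few lines below asks to be cleaned up.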
@@ -24,7 +26,7 @@
 Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
 Forwarded: <no|not-needed|url proving that it has been forwarded>
 Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: 2016-07-04
+Last-Update: 2017-08-28
 
 --- unbound-1.4.22.orig/acx_python.m4
 +++ unbound-1.4.22/acx_python.m4
@@ -229,6 +231,20 @@
  
  	/**
  	 * The query must store NS records from referrals as parentside RRs
+--- unbound-1.4.22.orig/smallapp/unbound-anchor.c
++++ unbound-1.4.22/smallapp/unbound-anchor.c
+@@ -239,7 +239,10 @@ static const char*
+ get_builtin_ds(void)
+ {
+ 	return
+-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
++/* anchor 19036 is from 2010 */
++/* anchor 20326 is from 2017 */
++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
+ }
+ 
+ /** print hex data */
 --- unbound-1.4.22.orig/smallapp/unbound-control-setup.sh
 +++ unbound-1.4.22/smallapp/unbound-control-setup.sh
 @@ -157,6 +157,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $
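Review bot: the new `. IN DS 20326 8 2 E06D44B8...` line is a hard-coded trust anchor, so the key tag, algorithm, digest type and digest should be cross-checked byte-for-byte against the IANA root-anchors publication before upload rather than trusted from the cherry-pick alone; a single wrong hex digit here silently breaks bootstrap for every jessie install that relies on the builtin list. The code itself is fine: the two adjacent string literals concatenate into one multi-line anchor list, and the two `/* anchor ... is from ... */` comments sitting between `return` and the literals are harmless, though placing them above `get_builtin_ds()` would read better.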
@@ -259,3 +275,25 @@
  	cfg->control_ifs = NULL;
  	cfg->control_port = UNBOUND_CONTROL_PORT;
  	cfg->minimal_responses = 0;
+--- unbound-1.4.22.orig/validator/autotrust.c
++++ unbound-1.4.22/validator/autotrust.c
+@@ -1557,6 +1557,11 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match attempt failed");
+ 			continue;
+ 		}
++		/* match of hash is sufficient for bootstrap of trust point */
++		(void)reason;
++		(void)ve;
++		return 1;
++		/* no need to check RRSIG, DS hash already matched with source
+ 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
+ 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
+ 			return 1;
+@@ -1564,6 +1569,7 @@ key_matches_a_ds(struct module_env* env,
+ 			verbose(VERB_ALGO, "DS match failed because the key "
+ 				"does not verify the keyset: %s", reason);
+ 		}
++		*/
+ 	}
+ 	return 0;
+ }
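Review bot: the `return 1;` inserted after the DS-digest check is unconditional, and the `/*` opened on the following line is only closed by the `*/` added in the second hunk, so the patch compiles only when both hunks apply together; prefer `#if 0`/`#endif` or outright deletion of the `dnskey_verify_rrset` call over block-commenting, so the dropped check is visible in the source and a later `*/` inside the region cannot break the build. Security-wise this makes a DS hash match alone sufficient to accept a key during trust-point bootstrap; the `(void)reason; (void)ve;` casts exist only to silence unused-variable warnings now that the signature path is gone, which confirms that. Before upload, suggest a build on jessie with warnings enabled and a check that the normal validator path still verifies the DNSKEY RRset signature once the anchor is installed, so the relaxed check is confined to bootstrap as the changelog text implies.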