Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

There is a bug in the unbound package shipped in stretch (1.6.0-3) that will cause DNS resolution to fail on systems that install the unbound package between September 11 and October 11, 2017. The upstream developers have released 1.6.5 with a fix for this problem:

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html
https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html

After discussing this issue with the security team, it was suggested that a fix be released via a stable point release, as well as being fast-tracked via the *-updates mechanism, due to the time component of the bug.

Please see attached a debdiff for unbound 1.6.0-3+deb9u1 containing the backported fix from upstream version 1.6.5.

Additionally, since new installs of the unbound package initialize the autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from a copy shipped in the dns-root-data package (/usr/share/dns/root.key), the dns-root-data package in stretch needs to be updated to transition the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The stretch-pu request for the dns-root-data package is #873054.) Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned dependency on the dns-root-data package that would be shipped in #873054.

Thanks!

-- 
Robert Edmonds
edmo...@debian.org
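The two checks the message above turns on, written out as an added example (this is not unbound's code and not part of the Debian package): deciding whether a DNSKEY "matches a DS", which the backported fix now settles on the DS digest alone with no RRSIG check, and reading the RFC 5011 state recorded for each key in an autotrust anchor file such as /var/lib/unbound/root.key, so that a key still outside the VALID state shows up. All key material is constructed (4-byte fake public keys, not the real root KSK), the `;;state=N [ NAME ]` line layout and the numeric state mapping are assumptions modelled on unbound's autotrust file, and `make_ds()` stands in for the DS records a real anchor distribution would ship.

```python
"""Trust-anchor bootstrap checks (added example, not unbound's code).

Key material below is constructed; the autotrust line layout and the
numeric RFC 5011 state mapping are assumptions modelled on unbound's file.
"""
import base64
import hashlib
import re

# RFC 5011 key states as numbered in an autotrust file (assumed mapping).
STATE_NAMES = {0: "START", 1: "ADDPEND", 2: "VALID",
               3: "MISSING", 4: "REVOKED", 5: "REMOVED"}


def wire_name(name):
    """Canonical (lower-case, length-prefixed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """RFC 4509 digest type 2: SHA-256 over canonical owner name + RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner, flags, proto, alg, pubkey):
    """Stand-in for a shipped DS record: (keytag, alg, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return (key_tag(rdata), alg, 2, ds_digest_sha256(owner, rdata).hex())


def key_matches_a_ds(owner, flags, proto, alg, pubkey, ds_records):
    """Post-patch bootstrap rule: the key is accepted when tag, algorithm and
    SHA-256 digest equal one DS record.  No RRSIG over the DNSKEY RRset is
    checked, so ds_records must come from a trusted local file, never from
    an answer received over the network."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag, digest = key_tag(rdata), ds_digest_sha256(owner, rdata)
    for ds_tag, ds_alg, ds_type, ds_hex in ds_records:
        if (ds_tag, ds_alg, ds_type) == (tag, alg, 2) \
                and bytes.fromhex(ds_hex) == digest:
            return True
    return False


# One DNSKEY line of an autotrust file with its ";;state=N" trailer (assumed).
ANCHOR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)"
    r"\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+).*?;;state=(?P<state>\d+)")


def anchor_report(anchor_text, ds_records):
    """(keytag, state name, matches a shipped DS) per DNSKEY line."""
    report = []
    for line in anchor_text.splitlines():
        m = ANCHOR_LINE.match(line.strip())
        if not m:
            continue
        flags, proto, alg = (int(m[g]) for g in ("flags", "proto", "alg"))
        pubkey = base64.b64decode(m["key"])
        tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
        ok = key_matches_a_ds(m["owner"], flags, proto, alg, pubkey, ds_records)
        report.append((tag, STATE_NAMES.get(int(m["state"]), "?"), ok))
    return report


def not_yet_valid(report):
    """Key tags that match a shipped DS but are not in the VALID state."""
    return [tag for tag, state, ok in report if ok and state != "VALID"]


# Constructed sample: two root anchors present, the second not yet VALID.
KEY_A, KEY_B = b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"
SAMPLE_DS = [make_ds(".", 257, 3, 8, KEY_A), make_ds(".", 257, 3, 8, KEY_B)]
ANCHOR_FILE = """\
;;id=. 1
. 86400 IN DNSKEY 257 3 8 AQIDBA== ;;state=2 [  VALID  ] ;;count=0
. 86400 IN DNSKEY 257 3 8 BQYHCA== ;;state=1 [  ADDPEND  ] ;;count=0
"""

if __name__ == "__main__":
    rep = anchor_report(ANCHOR_FILE, SAMPLE_DS)
    for tag, state, ok in rep:
        print(f"key {tag}: state={state} matches_ds={ok}")
    print("not yet VALID:", not_yet_valid(rep))
```

`key_matches_a_ds()` is deliberately the weaker check: it proves the key is the one named by a DS, not that the key's private half signed anything. That is only safe because the DS list is read from the locally shipped anchor file, which is why the versioned dependency on dns-root-data matters as much as the C fix.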
diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog --- unbound-1.6.0/debian/changelog 2017-02-19 20:04:34.000000000 -0500 +++ unbound-1.6.0/debian/changelog 2017-08-27 00:43:42.000000000 -0400 @@ -1,3 +1,14 @@ +unbound (1.6.0-3+deb9u1) stretch; urgency=high + + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * debian/control: unbound: Add versioned dependency on dns-root-data (>= + 2017072601~) for KSK-2017 in RFC 5011 state VALID. + + -- Robert Edmonds <edmo...@debian.org> Sun, 27 Aug 2017 00:43:42 -0400 + unbound (1.6.0-3) unstable; urgency=medium * Cherry-pick upstream commit svn r4000, "Include root trust anchor id diff -Nru unbound-1.6.0/debian/control unbound-1.6.0/debian/control --- unbound-1.6.0/debian/control 2017-02-19 20:04:34.000000000 -0500 +++ unbound-1.6.0/debian/control 2017-08-27 00:43:42.000000000 -0400 @@ -96,7 +96,7 @@ Architecture: any Depends: adduser, - dns-root-data, + dns-root-data (>= 2017072601~), openssl, unbound-anchor, ${misc:Depends}, diff -Nru unbound-1.6.0/debian/patches/debian-changes unbound-1.6.0/debian/patches/debian-changes --- unbound-1.6.0/debian/patches/debian-changes 2017-02-19 20:04:34.000000000 -0500 +++ unbound-1.6.0/debian/patches/debian-changes 2017-08-27 00:43:42.000000000 -0400 
@@ -5,12 +5,15 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.6.0-3) unstable; urgency=medium + unbound (1.6.0-3+deb9u1) stretch; urgency=high . - * Cherry-pick upstream commit svn r4000, "Include root trust anchor id - 20326 in unbound-anchor". (Closes: #855484) + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * debian/control: unbound: Add versioned dependency on dns-root-data (>= + 2017072601~) for KSK-2017 in RFC 5011 state VALID. Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/855484 --- The information above should follow the Patch Tagging Guidelines, please @@ -23,7 +26,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> -Last-Update: 2017-02-20 +Last-Update: 2017-08-27 --- unbound-1.6.0.orig/acx_python.m4 +++ unbound-1.6.0/acx_python.m4 @@ -118,3 +121,25 @@ free($2); } ; +--- unbound-1.6.0.orig/validator/autotrust.c ++++ unbound-1.6.0/validator/autotrust.c +@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match attempt failed"); + continue; + } ++ /* match of hash is sufficient for bootstrap of trust point */ ++ (void)reason; ++ (void)ve; ++ return 1; ++ /* no need to check RRSIG, DS hash already matched with source + if(dnskey_verify_rrset(env, ve, dnskey_rrset, + dnskey_rrset, key_idx, &reason) == sec_status_secure) { + return 1; +@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match failed because the key " + "does not verify the keyset: %s", reason); + } ++ */ + } + return 0; + }
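Review bot: the `dns-root-data (>= 2017072601~)` constraint in the debian/control hunk is the right shape, the trailing `~` letting a stretch-specific revision of that version satisfy it, but it ties this upload to a package that only exists as proposal #873054 and the changelog entry above it does not say so. Add "(see #873054)" to the changelog line that introduces the dependency, and confirm before upload that the version finally accepted under #873054 sorts at or above 2017072601~, since otherwise unbound 1.6.0-3+deb9u1 is uninstallable in stretch.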
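Review bot: the DEP-3 header rewrite at the top of debian/patches/debian-changes drops the `Bug-Debian: https://bugs.debian.org/855484` line and replaces the r4000 description with the r4301 one, yet the patch body still carries everything it carried before (the acx_python.m4 hunk is shown unchanged as context and the new autotrust.c hunk is appended after it), so the header now under-describes the patch. Either keep both cherry-pick descriptions and the Bug-Debian reference in that header, or move the autotrust.c change into its own quilt patch with an Origin line pointing at svn r4301 so each backport stays traceable on its own.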
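Review bot: in the validator/autotrust.c hunk, the new `return 1;` makes the `dnskey_verify_rrset()` call after it unreachable, and that dead block is then fenced in a `/* ... */` comment instead of being deleted, with `(void)reason;` and `(void)ve;` added only to quiet unused-variable warnings. Since the commit message already records the decision ("Checks hash of DS but not signature of new key"), prefer removing the block and the casts outright, and make the surviving one-line comment carry the reasoning: "DS hash already matched with source" does not say what the source is, and the next reader of key_matches_a_ds() needs to know that the DS being matched comes from the locally configured trust point rather than from a response, because that is the only thing that makes skipping the RRSIG check acceptable. A one-sentence note that the signature of the DNSKEY RRset is still checked by ordinary validation once the anchor is installed would close the loop.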
signature.asc
Description: PGP signature