Your message dated Sat, 02 Dec 2023 19:47:11 +0000
with message-id <e1r9vxh-003os4...@fasolo.debian.org>
and subject line Bug#1053483: fixed in hash-slinger 3.1-1.1+deb12u1
has caused the Debian Bug report #1053483,
regarding tlsa can produce invalid records
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hash-slinger
X-Debbugs-Cc: lavam...@torproject.org
Version: 3.1-1.1~bpo11+1
Severity: grave
On Debian bullseye, running the following command here generates an
invalid DNS record:
pauli# ./tlsa --create --usage=3 --selector=1 --mtype=1 --certificate /srv/puppet.torproject.org/from-letsencrypt/cdn-fastly-backend.torproject.org.crt --port 443 cdn-fastly-backend.torproject.org --output=generic
Got a certificate for cdn-fastly-backend.torproject.org. with Subject: /CN=cdn-fastly-backend.torproject.org
_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c
Notice the float (35.0) there? That, of course, crashes bind with:
Notice: /Stage[main]/Dnsextras::Entries/Exec[rebuild torproject.org zone]/returns: dns_rdata_fromtext: /srv/dns.torproject.org/puppet-extra/include-torproject.org:945: near '35.0': not a valid number
I suspect this wasn't caught by other users because it happens when the
len() of the cert string is an odd number, which, oddly, I guess it is
here.
I believe this is a release critical bug that should be fixed in
bookworm because it keeps the server from functioning at all.
For a little background, we used hash-slinger as a replacement for
"swede" here (not packaged) that wasn't ported to Python 3. It *almost*
worked but crashed on some records with the above error, taking down our
main DNS server...
This was also reported in:
https://github.com/letoams/hash-slinger/issues/45
And is being tracked on our side at:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41350
-- System Information:
Debian Release: 11.7
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages hash-slinger depends on:
ii ca-certificates 20210119
ii dns-root-data 2021011101
ii openssh-client 1:8.4p1-5+deb11u1
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
ii python3-gnupg 0.4.6-1
ii python3-m2crypto 0.37.1-2
ii python3-unbound 1.13.1-1+deb11u1
hash-slinger recommends no packages.
hash-slinger suggests no packages.
-- no debconf information
-- debsums errors found:
debsums: changed file /usr/bin/tlsa (from hash-slinger package)
--
Antoine Beaupré
torproject.org system administration
--- End Message ---
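An added example, not part of the bug report and not hash-slinger's own code: a check that can run over generated RFC 3597 generic-syntax records before a zone rebuild and rejects the `35.0` record quoted above, next to a formatter that takes the length from the byte count. The names `tlsa_generic` and `check_generic` are hypothetical.

```python
import re

# Record quoted in the bug report above (length field printed as a float).
PAGE_RECORD = (r"_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 "
               "030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c")

# RFC 3597 generic rdata: "\# <decimal length> <hex data, optionally spaced>"
GENERIC_RE = re.compile(r"\\#\s+(\S+)((?:\s+[0-9A-Fa-f]+)*)\s*$")


def tlsa_generic(owner, usage, selector, mtype, digest_hex):
    """Format a TLSA record in generic (TYPE52) syntax."""
    rdata = bytes([usage, selector, mtype]) + bytes.fromhex(digest_hex)
    # Count bytes instead of dividing a hex-string length: always an int.
    return f"{owner} IN TYPE52 \\# {len(rdata)} {rdata.hex()}"


def check_generic(line):
    """Return a list of problems found in one generic-syntax record line."""
    m = GENERIC_RE.search(line)
    if m is None:
        return ["no \\# generic rdata found"]
    length, hexdata = m.group(1), "".join(m.group(2).split())
    if not re.fullmatch(r"[0-9]+", length):
        return [f"length field {length!r} is not a decimal integer"]
    if len(hexdata) % 2:
        return ["hex data has an odd number of digits"]
    if len(hexdata) // 2 != int(length):
        return [f"length field says {int(length)} bytes, "
                f"hex data holds {len(hexdata) // 2}"]
    return []


if __name__ == "__main__":
    print(check_generic(PAGE_RECORD))
    # Rebuild the same record from its fields; the digest is taken from the
    # quoted record after the three usage/selector/mtype bytes.
    digest = PAGE_RECORD.split()[-1][6:]
    fixed = tlsa_generic("_443._tcp.cdn-fastly-backend.torproject.org.",
                         3, 1, 1, digest)
    print(fixed, check_generic(fixed))
```
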
--- Begin Message ---
Source: hash-slinger
Source-Version: 3.1-1.1+deb12u1
Done: Antoine Beaupré <anar...@debian.org>
We believe that the bug you reported is fixed in the latest version of
hash-slinger, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antoine Beaupré <anar...@debian.org> (supplier of updated hash-slinger package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 05 Oct 2023 10:37:58 -0400
Source: hash-slinger
Architecture: source
Version: 3.1-1.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian DNS Team <team+...@tracker.debian.org>
Changed-By: Antoine Beaupré <anar...@debian.org>
Closes: 1053483
Changes:
hash-slinger (3.1-1.1+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Bug fix: "tlsa can produce invalid records" (Closes: #1053483)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---