Your message dated Sun, 23 Jul 2017 06:18:51 +0000 with message-id <e1dzae7-000b8y...@fasolo.debian.org> and subject line Bug#868952: fixed in bind9 1:9.10.3.dfsg.P4-12.5 has caused the Debian Bug report #868952, regarding bind9: regression introduced in DSA-3904-1 can cause problems with zone transfers from some non-BIND servers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 868952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868952 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: bind9 Version: 1:9.10.3.dfsg.P4-12.4 Severity: serious Tags: upstream fixed-upstream Justification: regression relative to DSA-3904-1 Control: affects -1 security.debian.org,release.debian.org Control: found -1 1:9.9.5.dfsg-9+deb8u12 Control: found -1 1:9.10.3.dfsg.P4-12.3+deb9u1 Hi DSA-3904-1 (and the respective DLA) introduced a regression as described in: https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html "Problems may occur when transferring from another server if TSIG is used *and* the AXFR or IXFR is more than two messages in length *and* the master server does not sign every message. NSD is an example of a popular DNS product that behaves in this manner [note: NSD's behavior is in compliance with the requirements of the RFC; it is BIND that has introduced a problem here.]" Commit in master: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=58f0fb325bbd9258d06431281eb8fdea2b126305 Commit cherry-picked to v9_9_10_P3 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6fcdcabc11f18eb128167f7f7eca4a244bf75c52 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: bind9 Source-Version: 1:9.10.3.dfsg.P4-12.5 We believe that the bug you reported is fixed in the latest version of bind9, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 868...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated bind9 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 21 Jul 2017 22:28:32 +0200 Source: bind9 Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb Architecture: source Version: 1:9.10.3.dfsg.P4-12.5 Distribution: unstable Urgency: medium Maintainer: LaMont Jones <lam...@debian.org> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 868952 Description: bind9 - Internet Domain Name Server bind9-doc - Documentation for BIND bind9-host - Version of 'host' bundled with BIND 9.X bind9utils - Utilities for BIND dnsutils - Clients provided with BIND host - Transitional package libbind-dev - Static Libraries and Headers used by BIND libbind-export-dev - Development files for the exported BIND libraries libbind9-140 - BIND9 Shared Library used by BIND libdns-export162 - Exported DNS Shared Library libdns-export162-udeb - Exported DNS library for debian-installer (udeb) libdns162 - DNS Shared Library used by BIND libirs-export141 - Exported IRS Shared Library libirs-export141-udeb - Exported IRS library for debian-installer (udeb) libirs141 - DNS Shared Library used by BIND libisc-export160 - Exported ISC Shared Library libisc-export160-udeb - Exported ISC library for debian-installer (udeb) libisc160 - ISC Shared Library used by BIND libisccc-export140 - Command Channel Library used by BIND libisccc-export140-udeb - Command Channel Library used by BIND (udeb) libisccc140 - Command Channel Library used by BIND libisccfg-export140 - Exported ISC CFG Shared Library libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb) libisccfg140 - Config File Handling Library used by BIND liblwres141 - Lightweight Resolver Library used by BIND lwresd - Lightweight Resolver Daemon Changes: bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium . * Non-maintainer upload. * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. (Closes: #868952) Checksums-Sha1: 1be61f123b6c2dc1998d2d7f5b7622f493c3ece1 3913 bind9_9.10.3.dfsg.P4-12.5.dsc 4a74af43f97da5631099913ea6418e6f1e8e372d 86696 bind9_9.10.3.dfsg.P4-12.5.debian.tar.xz Checksums-Sha256: 18bc8ce12ed95a34efb8e73a30637fd07328ce49a91677184110a145890ba2f2 3913 bind9_9.10.3.dfsg.P4-12.5.dsc 56de82a903a1de9fe556362b26d4214817137757c1ede3a3d40190e81493f90b 86696 bind9_9.10.3.dfsg.P4-12.5.debian.tar.xz Files: dfc6d8fedd2cedd85fb8447baa7c28d5 3913 net optional bind9_9.10.3.dfsg.P4-12.5.dsc a6bb60876610c30e088c5527fd853afe 86696 net optional bind9_9.10.3.dfsg.P4-12.5.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllzBPVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EXNoQAJA3DjpP7MhQeC5qSwKwLfKIJlroXVI0 gvhRX3SxblOVOFAAwooaMQjXtSs8ol/FdQisb5gtWzsJ0ujfyn4kz2qZLsxhjHrK Da8PgIPMWHgvjiv4Q4bDkar1BvOVF72Dsdv1KyM7sGCZxJ3D0V6YFK4B7qLKcH3t iRvzPqD3/Cp6mMEIbM+Mtge3WKVWw7xKf8Xw9ygMP1/fejMWSWHn+dg2PLOICLs4 ObphxJpWo0xm6O4JiaMbPUFDuPKseFElm253S+X/uDu6gxx2+wRgU2AwtthsNBsw 7dyMIiNJhnokpXDW9syIBr+oeUbbstxNRpIurWIN+Ir+q5P/NWJwv96vHnTk6wVV s+HWoOXZbwG7oJtJgC/z64q32U2Z0DQUbmWw1GjwLGFcnImdLmUgwQhLbKoBCxXk cpGw0wWx6rkZCwizcOJnmlVz0UMpFIK3dSeaVTjlHDWCniMlDZ3Cl3KaiYNzK/k+ BoJbUGCwIRm5od+ed24hKlsOC+rZbM3E7q51qF8Mm57hymnDaRLgogyvRdKFBdu9 57FFvCqlaO/79ec4Wv5L3ngrKbtW6lqSZ55V5DUadQr80EHD/wruGq5Qr2xjv2iA 5woULaGdi64EodMz2Kl1t3vHHWrNyNoT3TAr0fOMKGcskA1W9JMn9f+1/SPZlfpz sxLdjWk47YjI =kW+I -----END PGP SIGNATURE-----
--- End Message ---
