Control: block -1 by 873054

On Sun, 2017-08-27 at 01:25 -0400, Robert Edmonds wrote:
> There is a bug in the unbound package shipped in stretch (1.6.0-3) that
> will cause DNS resolution to fail on systems that install the unbound
> package between September 11 and October 11, 2017. The upstream
> developers have released 1.6.5 with a fix for this problem:
>
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004883.html
>
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004884.html
>
> After discussing this issue with the security team, it was suggested
> that a fix be released via a stable point release, as well as being
> fast-tracked via the *-updates mechanism, due to the time component of
> the bug.

We're not going to be able to get a point release out before the 11th,
so that makes sense.

> Please see attached a debdiff for unbound 1.6.0-3+deb9u1
> containing the backported fix from upstream version 1.6.5.
>
> Additionally, since new installs of the unbound package initialize the
> autotrust anchor file for the DNS root (/var/lib/unbound/root.key) from
> a copy shipped in the dns-root-data package (/usr/share/dns/root.key),
> the dns-root-data package in stretch needs to be updated to transition
> the root zone trust anchor KSK-2017 to the RFC 5011 "VALID" state. (The
> stretch-pu request for the dns-root-data package is #873054.)
> Accordingly, the proposed unbound 1.6.0-3+deb9u1 implements a versioned
> dependency on the dns-root-data package that would be shipped in
> #873054.

That means that we'd also need to release dns-root-data via -updates,
otherwise most users won't be able to install the fixed unbound. It also
imposes an ordering on the p-u requests, so adding a blocking
relationship to indicate that.

I'm assuming that this also affects the unbound package shipping in
jessie currently? Are you planning on fixing the issue there as well?

Regards,

Adam