Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I'd like to update jessie's unbound with a fix for the same RFC 5011 issue described in #873371 for stretch, fast-tracked via the *-updates mechanism due to the time component of the bug. Please see attached a debdiff for unbound 1.4.22-3+deb8u3.

The fix for jessie requires an additional patch adding the root zone trust anchor KSK-2017 to the unbound-anchor utility. This change is nearly identical to a freeze exemption approved for stretch, #855635.

Thanks!

-- 
Robert Edmonds
edmo...@debian.org
diff -Nru unbound-1.4.22/debian/changelog unbound-1.4.22/debian/changelog --- unbound-1.4.22/debian/changelog 2016-07-04 15:58:35.000000000 -0400 +++ unbound-1.4.22/debian/changelog 2017-08-28 00:17:29.000000000 -0400 @@ -1,3 +1,14 @@ +unbound (1.4.22-3+deb8u3) jessie; urgency=high + + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id + 20326 in unbound-anchor". + + -- Robert Edmonds <edmo...@debian.org> Mon, 28 Aug 2017 00:17:29 -0400 + unbound (1.4.22-3+deb8u2) jessie; urgency=medium * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) diff -Nru unbound-1.4.22/debian/patches/debian-changes unbound-1.4.22/debian/patches/debian-changes --- unbound-1.4.22/debian/patches/debian-changes 2016-07-04 16:06:41.000000000 -0400 +++ unbound-1.4.22/debian/patches/debian-changes 2017-08-28 00:18:52.000000000 -0400 @@ -5,13 +5,15 @@ information below has been extracted from the changelog. Adjust it or drop it. . - unbound (1.4.22-3+deb8u2) jessie; urgency=medium + unbound (1.4.22-3+deb8u3) jessie; urgency=high . - * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132) - * debian/unbound.init: Call start-stop-daemon with --retry for 'stop' - action (patch from Julien Cristau) + * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor + when two anchors are present, makes both valid. Checks hash of DS but + not signature of new key. This fixes installs between sep11 and oct11 + 2017." + * Cherry-pick upstream commit svn r4000, "Include root trust anchor id + 20326 in unbound-anchor". Author: Robert Edmonds <edmo...@debian.org> -Bug-Debian: https://bugs.debian.org/807132 --- The information above should follow the Patch Tagging Guidelines, please 
@@ -24,7 +26,7 @@ Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> -Last-Update: 2016-07-04 +Last-Update: 2017-08-28 --- unbound-1.4.22.orig/acx_python.m4 +++ unbound-1.4.22/acx_python.m4 @@ -229,6 +231,20 @@ /** * The query must store NS records from referrals as parentside RRs +--- unbound-1.4.22.orig/smallapp/unbound-anchor.c ++++ unbound-1.4.22/smallapp/unbound-anchor.c +@@ -239,7 +239,10 @@ static const char* + get_builtin_ds(void) + { + return +-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"; ++/* anchor 19036 is from 2010 */ ++/* anchor 20326 is from 2017 */ ++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" ++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; + } + + /** print hex data */ --- unbound-1.4.22.orig/smallapp/unbound-control-setup.sh +++ unbound-1.4.22/smallapp/unbound-control-setup.sh @@ -157,6 +157,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $ @@ -259,3 +275,25 @@ cfg->control_ifs = NULL; cfg->control_port = UNBOUND_CONTROL_PORT; cfg->minimal_responses = 0; +--- unbound-1.4.22.orig/validator/autotrust.c ++++ unbound-1.4.22/validator/autotrust.c +@@ -1557,6 +1557,11 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match attempt failed"); + continue; + } ++ /* match of hash is sufficient for bootstrap of trust point */ ++ (void)reason; ++ (void)ve; ++ return 1; ++ /* no need to check RRSIG, DS hash already matched with source + if(dnskey_verify_rrset(env, ve, dnskey_rrset, + dnskey_rrset, key_idx, &reason) == sec_status_secure) { + return 1; +@@ -1564,6 +1569,7 @@ key_matches_a_ds(struct module_env* env, + verbose(VERB_ALGO, "DS match failed because the key " + "does not verify the keyset: %s", reason); + } ++ */ + } + return 0; + }
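Review bot: the DEP-3 header of debian/patches/debian-changes now drops the `-Bug-Debian: https://bugs.debian.org/807132` line and describes only the deb8u3 entries under `Author: Robert Edmonds <edmo...@debian.org>`, although both entries are upstream commits (svn r4301 and svn r4000) and the patch still carries the earlier Debian changes to acx_python.m4 and unbound-control-setup.sh. Since this is the dpkg-source single-debian-patch, churn in the generated description is expected, but the pu review would be easier, and the provenance clearer, if the two cherry-picks were shipped as separate files under debian/patches/ with `Origin: upstream` and a `Bug-Debian:` pointing at the jessie counterpart of #873371, instead of being folded into the cumulative debian-changes patch whose header template still asks to "Adjust it or drop it."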
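Review bot: in get_builtin_ds() the comments `/* anchor 19036 is from 2010 */` and `/* anchor 20326 is from 2017 */` sit between `return` and the first string literal rather than beside the records they describe; the compiler does not mind (the two adjacent literals are concatenated into one string), but placing each comment at the end of its own DS line would read better. Before this is accepted, the new `. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D` record should be compared byte for byte with the KSK-2017 entry in IANA's signed root-anchors.xml: this builtin string is the fallback anchor unbound-anchor uses when no root.key exists, and with the accompanying autotrust change a key is accepted on a DS hash match alone, so a single wrong hex digit here would silently break validation on every fresh install rather than being caught by any signature check.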
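Review bot: the early `return 1;` inserted after the DS hash match in key_matches_a_ds() makes the SHA-256 digest of the DNSKEY the sole criterion for accepting it as a valid trust point, deliberately skipping the `dnskey_verify_rrset()` call that follows, exactly as the changelog text says ("Checks hash of DS but not signature of new key"). That is the intended fix for KSK-2017, which appears in the root DNSKEY RRset before it signs anything, and it is only sound because the DS list being matched comes from the operator's anchor file or the builtin DS string; the cover letter should state that reasoning explicitly so the weakened check is not mistaken for a regression. Two cleanliness points for the same hunk: the `(void)reason;` and `(void)ve;` casts exist only to silence unused-variable warnings, and the old `if (dnskey_verify_rrset(...))` block is kept as dead code inside a `/* ... */` comment that is opened on one line and closed several lines later by the added `+ */`. Keeping the hunk identical to upstream svn r4301 is defensible for a cherry-pick, but please confirm the result builds warning-free with the package's usual flags, and note for anyone editing this later that any `*/` introduced inside the commented-out block would terminate the comment early.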