SRU for bind9 to 9.4.2.dfsg.P2 on hardy

Bug #279316 reported by Jamie Strandboge
Affects: bind9 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: bind9

This update is an upstream microversion update that fixes bug #252675. ISC has described this update as:
This is the SECOND security patch for BIND 9.4.2, addressing performance and stability issues in BIND 9.4.2-P1. Key features are as follows:

- performance improvement over the P1 releases, namely
   + significantly remedying the port allocation issues
   + allowing TCP queries and zone transfers while issuing as many
      outstanding UDP queries as possible
   + additional security of port randomization at the same level as P1

In addition to the above, this update includes fixes for bug #257682 (compile dig with -DDIG_SIGCHASE) and an apparmor addition to allow access to /var/log/named

The apparmor policy and dig changes have minimal regression potential. The upstream upgrade to P2 is required for high volume sites, as performance regressions were introduced in the security update for CVE-2008-1447 in these circumstances.

Intrepid has these updates in the 9.5.0 P2 series.

There is no practical test case for the performance regression, other than using it in a very high volume capacity. Test case for dig:
% dig +sigchase +dnssec DS fugue.se.
Invalid option: +sigchase

Lamont, can you comment on the regression potential for this update?

Revision history for this message
Jamie Strandboge (jdstrand) wrote:

$ diffstat ./bind9_9.4.2.dfsg.P2-2.debdiff
 CHANGES | 46
 COPYRIGHT | 4
 bin/dig/dighost.c | 14
 bin/named/client.c | 4
 bin/named/config.c | 7
 bin/named/controlconf.c | 10
 bin/named/interfacemgr.c | 9
 bin/named/lwresd.c | 9
 bin/named/named.conf.docbook | 6
 bin/named/server.c | 69
 bin/rndc/rndc.c | 10
 bin/tests/sig0_test.c | 8
 bin/tests/sock_test.c | 8
 bin/tests/system/ifconfig.sh | 10
 configure | 8
 configure.in | 6
 debian/apparmor-profile | 8
 debian/changelog | 43
 debian/control | 23
 debian/libbind9-30.files | 2
 debian/libdns35.files | 2
 debian/libisc32.files | 2
 debian/libisc32.postinst | 5
 debian/libisc35.files | 2
 debian/libisc35.postinst | 5
 debian/libisccfg30.files | 2
 debian/rules | 4
 doc/arm/Bv9ARM-book.xml | 23
 doc/arm/Bv9ARM.pdf | 4352 ++++++++++++++++++++---------------------
 lib/bind/configure | 2
 lib/bind/configure.in | 6
 lib/dns/api | 2
 lib/dns/dispatch.c | 34
 lib/dns/include/dns/dispatch.h | 4
 lib/dns/request.c | 10
 lib/dns/resolver.c | 22
 lib/dns/xfrin.c | 7
 lib/isc/api | 4
 lib/isc/include/isc/resource.h | 19
 lib/isc/include/isc/socket.h | 21
 lib/isc/include/isc/timer.h | 8
 lib/isc/timer.c | 16
 lib/isc/unix/app.c | 8
 lib/isc/unix/resource.c | 78
 lib/isc/unix/socket.c | 243 +-
 lib/isc/unix/socket_p.h | 4
 lib/isc/win32/libisc.def | 2
 lib/isc/win32/resource.c | 16
 lib/isc/win32/socket.c | 27
 lib/isccfg/api | 2
 lib/isccfg/namedconf.c | 7
 version | 4
 52 files changed, 2867 insertions(+), 2380 deletions(-)

LaMont Jones (lamont) wrote:

The SIGCHASE code is limited to the dig and host commands, and (as far as I can tell), any regression would be limited to failures when using the sigchase options (which currently just say "invalid option +sigchase", so they wouldn't particularly be regressions as much as continued bugs.) The code seems to be checking if sigchase is in use everywhere that the code behaves differently because of the compile switch.

lamont

LaMont Jones (lamont) wrote:

Also, yes, there are soname changes. The only consumers of the affected libraries are packages from the bind9 source, so this is also a non-issue.

lamont

Martin Pitt (pitti) wrote:

Unfortunately the changelog of the SRU only mentions bug 257682, so I'll close this one (since it is fixed in intrepid) and we are using that bug for verification testing.

Changed in bind9:
status: New → Fix Released