CVE-2017-15105

Bug #1773720 reported by Simon Déziel
Affects             Status        Importance  Assigned to    Milestone
unbound (Ubuntu)    Fix Released  Undecided   Steve Beattie
  Xenial            Fix Released  Undecided   Unassigned
  Artful            Fix Released  Undecided   Unassigned
  Bionic            Fix Released  Undecided   Unassigned

Bug Description

A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.
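
The description turns on one check a validator must make before using an NSEC record as a denial proof. The block below is an added illustration, not unbound's code or the patch for this bug: it applies the RFC 4035 section 5.3.4 wildcard-expansion rule (RRSIG Labels field versus the owner's label count) to a constructed wildcard NSEC and shows a naive NODATA check accepting the expanded record while the checked version rejects it. All names, records and function names are constructed for the example.

```python
from dataclasses import dataclass

def name_labels(name: str) -> list:
    """Split a dotted DNS name into labels, ignoring the trailing root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def label_count(name: str) -> int:
    """Label count as in the RRSIG Labels field: a leading '*' is not counted."""
    ls = name_labels(name)
    return len(ls) - 1 if ls and ls[0] == "*" else len(ls)

@dataclass(frozen=True)
class NsecRR:
    owner: str            # owner name as it appeared in the response
    next_name: str        # NSEC "next domain name"
    types: frozenset      # type bitmap
    rrsig_labels: int     # Labels field of the covering RRSIG

def original_owner(rr: NsecRR) -> str:
    """Undo wildcard expansion (RFC 4035 s5.3.4): if the RRSIG Labels field is
    smaller than the owner's label count, the RRset was synthesized from
    '*.' followed by the last Labels labels of the owner name."""
    n = label_count(rr.owner)
    if rr.rrsig_labels > n:
        raise ValueError("bogus RRSIG: Labels exceeds owner label count")
    if rr.rrsig_labels == n:
        return rr.owner
    suffix = ".".join(name_labels(rr.owner)[n - rr.rrsig_labels:])
    return "*." + suffix + "."

def nodata_proof_naive(rr: NsecRR, qname: str, qtype: str) -> bool:
    """Trusts the owner name exactly as printed in the response."""
    return rr.owner == qname and qtype not in rr.types

def nodata_proof_checked(rr: NsecRR, qname: str, qtype: str) -> bool:
    """A wildcard-expanded NSEC describes the wildcard, not qname itself,
    so it cannot prove that qname has no records of type qtype."""
    if original_owner(rr) != rr.owner:
        return False
    return rr.owner == qname and qtype not in rr.types

# Constructed sample. The zone's real wildcard NSEC is
#   *.example. NSEC mail.example. TXT RRSIG NSEC     (RRSIG Labels = 1)
# A response presents it expanded to owner "www.example." for the query
# "www.example. A", although www.example. really does have an A record.
FORGED = NsecRR("www.example.", "mail.example.", frozenset({"TXT", "RRSIG", "NSEC"}), 1)
# Genuine NSEC for a name holding only MX records (Labels = 2, not expanded).
GENUINE = NsecRR("mail.example.", "www.example.", frozenset({"MX", "RRSIG", "NSEC"}), 2)
```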

Tags: patch

Simon Déziel (sdeziel) wrote :
information type: Public → Public Security
Simon Déziel (sdeziel) wrote :

I've attached debdiffs for Xenial to Bionic. Please let me know if something needs a rework.

For Cosmic, all that's needed is a sync from Debian. Merge-o-matic didn't do it due to the Ubuntu delta but fortunately this delta was adopted by Debian with Unbound 1.7.1-1. Should I open a new LP to ask for that "force" sync?

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "bionic-lp1773720.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Steve Beattie (sbeattie)
Changed in unbound (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Hi Simon,

So I hit a few issues with the debdiffs:

 - the patch taken from upstream is in patch -p0 format so quilt push would fail; attempting to adjust the quilt series file to use -p0 (I think, may have conflated with the following issue) failed during the package build.
 - the unbound package has a debian-changes.patch in its series, which is a catch-all patch that accumulates changes; with the added patch in the series file after that, pushing the patch then building the source resulted in duplicated changes trying to be applied.
 - for xenial, the upstream patch fails to apply and needs backporting.

I addressed the first two issues for bionic and artful, and have uploaded to the ubuntu-security-proposed ppa for testing. The patch for xenial needs backporting, and please ensure that proposed fixes build successfully, either locally or in a ppa. Thanks!

Simon Déziel (sdeziel) wrote :

@sbeattie, thanks for fixing the bionic and artful packages and sorry for the bad debdiffs. They built (and tested) fine locally, probably missing the patch as you highlighted though.

I tested the bionic and artful builds from the ubuntu-security-proposed ppa and they work fine, thanks! I'll be looking into the backport for xenial but it would be nice if the bionic/artful builds are not gated by this.

Christian Ehrhardt (paelzer) wrote :

Hi Simon,
I agree that all the delta we currently carry is picked up by Debian.
Therefore making this a sync in Cosmic now [1].
It just started to build, let's see if there are any hiccups on migration.

[1]: https://launchpad.net/ubuntu/+source/unbound/1.7.1-1

Christian Ehrhardt (paelzer) wrote :

This bug was fixed in the package unbound - 1.7.1-1

---------------
unbound (1.7.1-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * debian/control: Update Vcs-* links to use salsa.debian.org URLs
  * New upstream version 1.7.1

  [ Simon Deziel ]
  * debian/apparmor-profile: Add capabilities to chown/chmod Unix control
    socket (Closes: #891705)
  * debian/apparmor-profile: Allow reading /var/lib/sss/mc/initgroups
  * debian/apparmor-profile: Permit unbound to notify readiness to systemd
    (Closes: #867186)
  * debian/apparmor-profile: Let unbound r/w anywhere under
    /var/lib/unbound (Closes: #882731)
  * debian/apparmor-profile: Use attach_disconnected

 -- Robert Edmonds <email address hidden> Wed, 23 May 2018 15:41:54 -0400

Changed in unbound (Ubuntu):
status: In Progress → Fix Released
Christian Ehrhardt (paelzer) wrote :

Migrated successfully, and done for Cosmic

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.5.8-1ubuntu1.1

---------------
unbound (1.5.8-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: vulnerability in the processing of wildcard
    synthesized NSEC records (LP: #1773720)
    - debian/patches/CVE-2017-15105.patch
    - CVE-2017-15105
  * Fix install of trust anchor when two anchors are present
    - debian/patches/unbound-r4302.patch

 -- Simon Deziel <email address hidden> Mon, 28 May 2018 02:38:19 +0000

Changed in unbound (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.6.5-1ubuntu0.2

---------------
unbound (1.6.5-1ubuntu0.2) artful-security; urgency=medium

  * SECURITY UPDATE: vulnerability in the processing of wildcard
    synthesized NSEC records (LP: #1773720)
    - debian/patches/CVE-2017-15105.patch
    - CVE-2017-15105

 -- Simon Deziel <email address hidden> Mon, 28 May 2018 02:38:19 +0000

Changed in unbound (Ubuntu Artful):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.6.7-1ubuntu2.1

---------------
unbound (1.6.7-1ubuntu2.1) bionic-security; urgency=medium

  * SECURITY UPDATE: vulnerability in the processing of wildcard
    synthesized NSEC records (LP: #1773720)
    - debian/patches/CVE-2017-15105.patch
    - CVE-2017-15105

 -- Simon Deziel <email address hidden> Mon, 28 May 2018 02:38:19 +0000

Changed in unbound (Ubuntu Bionic):
status: New → Fix Released