bind9 FTBFS in bionic, regression in updates

Bug #1815474 reported by Dimitri John Ledkov on 2019-02-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Ubuntu)

Bug Description


 * when building bind9 with openssl 1.1.1 it picks up a new feature and exposes symbols in shared libraries to support it
 * this is problematic, as abi symbols of the shared library are changed based on the build-time version of OpenSSL
 * in later releases bind9 configuration option were tweaked to prevent autodetection and enablement of the new feature. Similar fix was applied in disco and unstable

[Test Case]

 * add-apt-repository ppa:ci-train-ppa-service/3540
 * rebuild the package
 * it should complete the build successfully without any "missing symbols" reported

[Regression Potential]

 * We are rebuilding the binaries, however, the test suite passes correctly with both old and new openssl without regressions.

CVE References

Changed in bind9 (Ubuntu):
status: New → Fix Released
Changed in bind9 (Ubuntu Bionic):
status: New → In Progress
tags: added: id-5c6196e9e3e4c51dd370ee15

Hello Dimitri, or anyone else affected,

Accepted bind9 into bionic-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in bind9 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Dimitri John Ledkov (xnox) wrote :

rebuilt bind9 1:9.11.3+dfsg-1ubuntu1.4 against openssl 1.1.1a, and it built correctly and kept the dep on 1.1.0 only.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.11.3+dfsg-1ubuntu1.5

bind9 (1:9.11.3+dfsg-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: memory leak via specially crafted packet
    - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
      options in bin/named/client.c.
    - CVE-2018-5744
  * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
    unsupported key algorithm when using managed-keys
    - debian/patches/CVE-2018-5745.patch: properly handle situations when
      the key tag cannot be computed in lib/dns/include/dst/dst.h,
    - CVE-2018-5745
  * SECURITY UPDATE: Controls for zone transfers may not be properly
    applied to Dynamically Loadable Zones (DLZs) if the zones are writable
    - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
      the zone table as a DLZ zone bin/named/xfrout.c.
    - CVE-2019-6465

 -- Marc Deslauriers <email address hidden> Wed, 20 Feb 2019 09:10:34 +0100

Changed in bind9 (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers