bind9 apparmor profile does not allow access to /var/lib/bind

Bug #201954 reported by Jamie Strandboge on 2008-03-13
Affects: bind9 (Ubuntu)
Importance: Medium
Assigned to: LaMont Jones

Bug Description

Binary package hint: bind9

/var/lib/bind is the proper place for slave zones and dynamic updates; however, the apparmor profile does not allow write access to /var/lib/bind. Patch is forthcoming.

Changed in bind9:
assignee: nobody → jamie-strandboge
importance: Undecided → Medium
status: New → Triaged

 status inprogress

Changed in bind9:
status: Triaged → In Progress

LaMont Jones (lamont) wrote :

This will be in 1:9.4.2-7

Changed in bind9:
assignee: jamie-strandboge → lamont
status: In Progress → Fix Committed

LaMont Jones (lamont) wrote :

-9 includes more apparmor changes that need to be there for the profile to be correct. Please sync.

bind9 (1:9.4.2-9) unstable; urgency=low

  * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind
  * apparmor: make profile match README.Debian

 -- LaMont Jones <email address hidden> Tue, 01 Apr 2008 21:13:05 -0600

bind9 (1:9.4.2-8) unstable; urgency=low

  [ISC]

  * CVE-2008-0122: off by one error in (unused) inet_network function.
    Closes: #462783 LP: #203476

  [Michael Milligan]

  * Fix min-cache-ttl and min-ncache-ttl keywords

  [Jamie Strandboge]

  * apparmor: force complain-mode for apparmor on certain upgrades. LP: #203528
  * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named

 -- LaMont Jones <email address hidden> Tue, 18 Mar 2008 18:35:15 -0600

bind9 (1:9.4.2-7) unstable; urgency=low

  [Jamie Strandboge]

  * Allow rw access to /var/lib/bind/* in apparmor-profile. LP: #201954

  [LaMont Jones]

  * Drop root-delegation comments from named.conf. Closes: #217829, #297219

 -- LaMont Jones <email address hidden> Sat, 15 Mar 2008 09:48:10 -0600
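
Added example (not part of the bug thread or the bind9 package): a simplified model of AppArmor path globs, where `*` stops at `/` and `**` does not, showing why the -7 rule on /var/lib/bind/* still blocks zone files in subdirectories until the -9 change. The three rule sets and the zone file names are constructed for illustration and are not the shipped usr.sbin.named profile.

```python
import re

def glob_to_regex(glob):
    """Translate an AppArmor-style path glob to a regex (simplified model)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*"); i += 2; continue
        if c == "*":                      # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                    # {a,b} alternation
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def parse_rules(profile_text):
    """Collect (regex, permission set) pairs from simple 'path perms,' lines."""
    rules = []
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith(("/", "{")):
            rules.append((glob_to_regex(parts[0]), set(parts[1])))
    return rules

def allowed(rules, path, perm):
    return any(rx.fullmatch(path) and perm in perms for rx, perms in rules)

# Constructed rule sets modelling the three stages in the changelog above.
BEFORE = "/etc/bind/* r,\n/var/cache/bind/* rw,\n"
V7 = BEFORE + "/var/lib/bind/* rw,\n"                       # -7: rw on /var/lib/bind/*
V9 = "/etc/bind/** r,\n{/var/cache,/var/lib}/bind/** rw,\n"  # -9: subdirs allowed

FLAT = "/var/lib/bind/db.example.org"            # constructed slave zone file
NESTED = "/var/lib/bind/slaves/db.example.org"   # same file in a subdirectory

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("-7", V7), ("-9", V9)):
        rules = parse_rules(text)
        print(name, {p: allowed(rules, p, "w") for p in (FLAT, NESTED)})
```
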

Martin Pitt (pitti) wrote :

[Updating] bind9 (1:9.4.2-6 [Ubuntu] < 1:9.4.2-9 [Debian])
 * Trying to add bind9...
  - <bind9_9.4.2-9.dsc: downloading from http://ftp.debian.org/debian/>
  - <bind9_9.4.2.orig.tar.gz: already in distro - downloading from librarian>
  - <bind9_9.4.2-9.diff.gz: downloading from http://ftp.debian.org/debian/>
I: bind9 [main] -> bind9_1:9.4.2-6 [main].
I: bind9 [main] -> bind9-doc_1:9.4.2-6 [main].
I: bind9 [main] -> bind9-host_1:9.4.2-6 [main].
I: bind9 [main] -> libbind-dev_1:9.4.2-6 [main].
I: bind9 [main] -> libbind9-30_1:9.4.2-6 [main].
I: bind9 [main] -> libdns32_1:9.4.2-6 [main].
I: bind9 [main] -> libisc32_1:9.4.2-6 [main].
I: bind9 [main] -> liblwres30_1:9.4.2-6 [main].
I: bind9 [main] -> libisccc30_1:9.4.2-6 [main].
I: bind9 [main] -> libisccfg30_1:9.4.2-6 [main].
I: bind9 [main] -> dnsutils_1:9.4.2-6 [main].
I: bind9 [main] -> lwresd_1:9.4.2-6 [universe].

Changed in bind9:
status: Fix Committed → Fix Released