Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hash-slin...@packages.debian.org, ond...@debian.org, team+...@tracker.debian.org
Control: affects -1 + src:hash-slinger

[ Reason ]
When upgrading our Puppet server to bullseye, our DNS server couldn't
generate TLSA rules anymore because it was relying on an unpackaged
program. We eventually migrated to hash-slinger but in doing so
noticed it was generating broken TLSA records.

This has been reported as #1053483 against unstable, where it was
fixed and migrated to testing without known ill effects.

[ Impact ]
TLSA records cannot be generated.

[ Tests ]
Reproducer:

    tlsa --create --usage=3 --selector=1 --mtype=1 --certificate example.com.crt --port 443 example.com --output=generic

Expected:

_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Actual:

_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Notice the float ("35.0") which should obviously be an integer. This
chokes the DNS server completely.

[ Risks ]
Code is a relatively trivial Python 3 tweak, minimal risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This consists of a single, one-line patch, which has been submitted
and accepted upstream:

https://github.com/letoams/hash-slinger/pull/46

[ Other info ]
This is the second NMU on this package. I have tried to work on the
Git repository as well, but it's seriously lagging behind the versions
even in stable, so I haven't been able to do this. I understand the
maintainer is looking for help for the package but I unfortunately
cannot offer much help but patching this very issue for now...
