Package: release.debian.org
X-Debbugs-CC: secur...@debian.org,lam...@debian.org,mgilb...@debian.org
User: release.debian....@packages.debian.org
UserTags: unblock

testing currently has bind9 version 1:9.9.5.dfsg-5.

Upstream released 9.9.6 fixing some bugs with an impact on compatibility, and at least one appears to be security related:

"Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]"

Full upstream changelogs:
https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html

I haven't made a debdiff but looking at the list of things in the changelog it probably isn't trivial.

There is also one outstanding RC issue in bind9 that can be fixed with a one line patch against the existing package or it is fixed upstream by the 9.9.6 release, missing dlz_dlopen.h header file:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769117

I understand the release team would usually prefer to see the one line fix for debian/rules against the existing package and I'm happy to NMU if the maintainers aren't able to provide that in the next couple of days.

However, does anybody feel there is a strong enough case to jump directly to the latest version, 9.9.6? Does the security team have any opinion on this package and its upstream changelog?

Looking at the upstream support lifecycle, bind9 9.9.x appears to be supported until June 2017, this appears OK for the support lifecycle of jessie:
http://www.isc.org/downloads/software-support-policy/