Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2

2018-08-30 Thread Robert Edmonds
Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2018-07-14 07:46, Salvatore Bonaccorso wrote:
> > Control: tags -1 - moreinfo
> > 
> > On Fri, Mar 02, 2018 at 05:49:52PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > > 
> > > On Wed, 2018-02-28 at 17:47 -0500, Robert Edmonds wrote:
> > > > I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
> > > > unbound package shipped in stretch. After discussion with the
> > > > security
> > > > team, this bug was deemed minor enough that the fix could be shipped
> > > > in
> > > > a point release:
> > > >
> > > > https://security-tracker.debian.org/tracker/CVE-2017-15105
> > > >
> > > 
> > > According to the above Security Tracker entry, this issue has not yet
> > > been fixed in unstable. Assuming that's correct, I'm afraid that's a
> > > blocker for looking at an update in stable.
> > 
> > This happened later on with the 1.7.1-1 upload.
> 
> Thanks, Salvatore. Robert, please feel free to upload.
> 
> Regards,
> 
> Adam

Uploaded. Thanks!

-- 
Robert Edmonds
edmo...@debian.org



Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2

2018-08-26 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2018-07-14 07:46, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo
> 
> On Fri, Mar 02, 2018 at 05:49:52PM +, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Wed, 2018-02-28 at 17:47 -0500, Robert Edmonds wrote:
> > > I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
> > > unbound package shipped in stretch. After discussion with the
> > > security
> > > team, this bug was deemed minor enough that the fix could be shipped
> > > in
> > > a point release:
> > > 
> > > https://security-tracker.debian.org/tracker/CVE-2017-15105
> > > 
> > 
> > According to the above Security Tracker entry, this issue has not yet
> > been fixed in unstable. Assuming that's correct, I'm afraid that's a
> > blocker for looking at an update in stable.
> 
> This happened later on with the 1.7.1-1 upload.

Thanks, Salvatore. Robert, please feel free to upload.

Regards,

Adam



Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2

2018-07-14 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

On Fri, Mar 02, 2018 at 05:49:52PM +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Wed, 2018-02-28 at 17:47 -0500, Robert Edmonds wrote:
> > I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
> > unbound package shipped in stretch. After discussion with the
> > security
> > team, this bug was deemed minor enough that the fix could be shipped
> > in
> > a point release:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2017-15105
> > 
> 
> According to the above Security Tracker entry, this issue has not yet
> been fixed in unstable. Assuming that's correct, I'm afraid that's a
> blocker for looking at an update in stable.

This happened later on with the 1.7.1-1 upload.

Regards,
Salvatore



Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2

2018-03-02 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2018-02-28 at 17:47 -0500, Robert Edmonds wrote:
> I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
> unbound package shipped in stretch. After discussion with the
> security
> team, this bug was deemed minor enough that the fix could be shipped
> in
> a point release:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-15105
> 

According to the above Security Tracker entry, this issue has not yet
been fixed in unstable. Assuming that's correct, I'm afraid that's a
blocker for looking at an update in stable.

Regards,

Adam



Bug#891801: stretch-pu: package unbound/1.6.0-3+deb9u2

2018-02-28 Thread Robert Edmonds
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
unbound package shipped in stretch. After discussion with the security
team, this bug was deemed minor enough that the fix could be shipped in
a point release:

https://security-tracker.debian.org/tracker/CVE-2017-15105

Please see attached a debdiff for unbound 1.6.0-3+deb9u2 containing the
backported fix from upstream version 1.6.8. I'd like to have this
considered for the upcoming stable point release.

Details on the bug and its impact are available in this upstream
advisory:

https://unbound.net/downloads/CVE-2017-15105.txt

I have cherry-picked two commits (svn r4441, r4528) from the upstream
repository containing the fix and a test case. Those upstream commits
are available here:

https://github.com/NLnetLabs/unbound/commit/2a6250e3fb3ccd6e9a0a16b6908c5cfb76d8d6f3

https://github.com/NLnetLabs/unbound/commit/eff62cecac1388214032906eb6944ceb9c0e6d41

(There was a minor conflict when merging the cherry-picked commit r4441
due to the renaming of some internal types in svn r3989.)

A very similar fix has already been shipped for wheezy-lts in
1.4.17-3+deb7u3.

Thanks!

-- 
Robert Edmonds
edmo...@debian.org
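To make concrete what "processing of wildcard synthesized NSEC records" means for a validator, here is an added example in Python; it is my own illustration, not unbound's code and not part of this mail or its debdiff. It models the nodata-proof decision the new val_nodata_failwc.rpl scenario describes ("original NSEC owner does not provide proof for QNAME"): an NSEC whose RRSIG Labels field is smaller than its owner's label count was synthesized from a wildcard, its signature still verifies for the synthesized owner, and a validator that trusts that owner name as-is accepts the wildcard's NSEC, replayed under the name of an existing record, as a direct nodata proof. The fixed path un-expands the owner to the wildcard first and then requires the ordinary wildcard nodata proof, a covering NSEC, which no signed record can supply for a name that exists. The zone contents, names and Labels values are constructed; signature verification and the closest-encloser check are left out.

```python
"""Nodata proofs from (possibly wildcard-expanded) NSEC records.

Added example, not unbound's code: it models the validator decision behind
CVE-2017-15105.  Zone contents, names and RRSIG Labels values are
constructed; signature checking and the closest-encloser check are left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    owner: str          # owner name as carried in the message
    next: str           # NSEC "Next Domain Name" field
    types: frozenset    # NSEC type bitmap, as mnemonics
    rrsig_labels: int   # Labels field of the RRSIG covering this NSEC


def labels(name):
    """'www.example.' -> ['www', 'example']; the root name gives []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order (ASCII labels)."""
    return tuple(reversed(labels(name)))


def is_wildcard(name):
    return labels(name)[:1] == ["*"]


def is_below(name, parent):
    """True if name is a proper subdomain of the name with labels `parent`."""
    ls = labels(name)
    return len(ls) > len(parent) and ls[len(ls) - len(parent):] == parent


def effective_owner(nsec):
    """RFC 4035 section 5.3.4: a Labels field smaller than the owner's label
    count means the RRset was synthesized from '*.<last Labels labels>'.  The
    RRSIG still verifies for the synthesized owner (section 5.3.2 rebuilds the
    wildcard name from Labels), but the NSEC is a statement about the wildcard
    name only, so that is the owner the proof logic must use."""
    ls = labels(nsec.owner)
    count = len(ls) - (1 if is_wildcard(nsec.owner) else 0)  # '*' not counted
    if nsec.rrsig_labels > count:
        raise ValueError("RRSIG Labels exceeds the owner's label count")
    if nsec.rrsig_labels < count:
        suffix = ".".join(ls[len(ls) - nsec.rrsig_labels:])
        return "*." + (suffix + "." if suffix else "")
    return nsec.owner


def covers(nsec, name, fixed=True):
    """True if name lies strictly between owner and next in canonical order
    (wrapping at the zone apex), i.e. the NSEC proves name does not exist."""
    owner = effective_owner(nsec) if fixed else nsec.owner
    o, n, q = canon_key(owner), canon_key(nsec.next), canon_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC in the chain: next is the apex


def proves_nodata(nsecs, qname, qtype, fixed=True):
    """True if the NSEC set proves that qname exists but has no qtype.
    fixed=False models the validator before the CVE-2017-15105 fix: the owner
    name carried in the message is trusted as-is, so a wildcard's NSEC replayed
    under the owner name of an existing record (signature intact) passes as a
    direct nodata proof for that record."""
    for nsec in nsecs:
        if qtype in nsec.types or "CNAME" in nsec.types:
            continue                     # cannot be the nodata proof
        owner = effective_owner(nsec) if fixed else nsec.owner
        if canon_key(owner) == canon_key(qname):
            return True                  # direct proof: owner is qname
        # Wildcard proof (RFC 4035 section 5.4): '*.X' lacks qtype, qname is
        # below X, and some NSEC covers qname (no exact match).  A name that
        # exists is never covered by a signed NSEC, so the un-expanded attack
        # NSEC fails here.
        if is_wildcard(owner) and is_below(qname, labels(owner)[1:]):
            if any(covers(other, qname, fixed) for other in nsecs):
                return True
    return False


# Constructed zone 'example.', canonical order:
#   example. < *.example. < mail.example. < www.example.
# The wildcard owns only TXT; mail and www each own an A record.
WILDCARD_NSEC = Nsec("*.example.", "mail.example.",
                     frozenset({"TXT", "RRSIG", "NSEC"}), rrsig_labels=1)
MAIL_NSEC = Nsec("mail.example.", "www.example.",
                 frozenset({"A", "RRSIG", "NSEC"}), rrsig_labels=2)
# Attack: the wildcard's NSEC and RRSIG replayed with the owner rewritten to
# www.example., to claim that www.example. has no A record.
FORGED_NSEC = Nsec("www.example.", "mail.example.",
                   frozenset({"TXT", "RRSIG", "NSEC"}), rrsig_labels=1)


def demo():
    """Outcomes for the forged proof and for two legitimate ones."""
    return {
        "forged_owner_unexpands_to": effective_owner(FORGED_NSEC),
        "attack_before_fix": proves_nodata([FORGED_NSEC], "www.example.", "A", fixed=False),
        "attack_after_fix": proves_nodata([FORGED_NSEC], "www.example.", "A"),
        "legit_direct_nodata": proves_nodata([MAIL_NSEC], "mail.example.", "AAAA"),
        "legit_wildcard_nodata": proves_nodata([WILDCARD_NSEC], "foo.example.", "A"),
    }
```

Running demo() shows the forged NSEC accepted with fixed=False and rejected with fixed=True, while the two legitimate proofs pass either way. The point for reviewers of the backport is that the signature check is not where the bug lives: RRSIG verification is specified to reconstruct the wildcard owner from the Labels field, so the forged record verifies; the fix is in what name the verified NSEC is allowed to make statements about.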
diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog
--- unbound-1.6.0/debian/changelog  2017-08-27 00:43:42.0 -0400
+++ unbound-1.6.0/debian/changelog  2018-02-28 17:00:51.0 -0500
@@ -1,3 +1,12 @@
+unbound (1.6.0-3+deb9u2) stretch; urgency=high
+
+  * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105:
+vulnerability in the processing of wildcard synthesized NSEC records."
+  * Cherry-pick upstream commit svn r4528, "Added tests with wildcard
+expanded NSEC records (CVE-2017-15105 test)".
+
+ -- Robert Edmonds   Wed, 28 Feb 2018 17:00:51 -0500
+
 unbound (1.6.0-3+deb9u1) stretch; urgency=high
 
   * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
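Review bot: the r4441 entry does not record that the cherry-pick had to be adapted, although the cover mail says the merge conflicted because of the type renames in svn r3989; a short addition on that line, e.g. "(adapted to the pre-r3989 type names)", would tell the next person diffing this backport against upstream why it is not a verbatim cherry-pick.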
diff -Nru unbound-1.6.0/debian/patches/debian-changes 
unbound-1.6.0/debian/patches/debian-changes
--- unbound-1.6.0/debian/patches/debian-changes 2017-08-27 00:43:42.0 
-0400
+++ unbound-1.6.0/debian/patches/debian-changes 2018-02-28 17:00:51.0 
-0500
@@ -5,14 +5,12 @@
  information below has been extracted from the changelog. Adjust it or drop
  it.
  .
- unbound (1.6.0-3+deb9u1) stretch; urgency=high
+ unbound (1.6.0-3+deb9u2) stretch; urgency=high
  .
-   * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
- when two anchors are present, makes both valid.  Checks hash of DS but
- not signature of new key.  This fixes installs between sep11 and oct11
- 2017."
-   * debian/control: unbound: Add versioned dependency on dns-root-data (>=
- 2017072601~) for KSK-2017 in RFC 5011 state VALID.
+   * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105:
+ vulnerability in the processing of wildcard synthesized NSEC records."
+   * Cherry-pick upstream commit svn r4528, "Added tests with wildcard
+ expanded NSEC records (CVE-2017-15105 test)".
 Author: Robert Edmonds 
 
 ---
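Review bot: the description block swaps the deb9u1 entries (the r4301 trust-anchor fix and the dns-root-data dependency) for the deb9u2 ones instead of adding to them, but debian-changes is the single cumulative patch dpkg-source generates, so if the r4301 change is still carried in its body the header no longer describes everything the patch does. Either keep both changelog entries in the description, or follow the boilerplate's own advice ("Adjust it or drop it") and replace the extracted text with a summary of all changes the patch carries.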
@@ -26,7 +24,7 @@
 Bug-Ubuntu: https://launchpad.net/bugs/
 Forwarded: 
 Reviewed-By: 
-Last-Update: 2017-08-27
+Last-Update: 2018-02-28
 
 --- unbound-1.6.0.orig/acx_python.m4
 +++ unbound-1.6.0/acx_python.m4
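Review bot: only Last-Update is bumped while Bug-Ubuntu:, Forwarded: and Reviewed-By: stay empty; since both changes are upstream commits (svn r4441 and r4528, linked in the cover mail), the DEP-3 header should say so, e.g. "Origin: upstream, https://github.com/NLnetLabs/unbound/commit/2a6250e3fb3ccd6e9a0a16b6908c5cfb76d8d6f3" and "Forwarded: not-needed", and the unused Bug-Ubuntu: line can be dropped.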
@@ -79,6 +77,165 @@
 +echo "Setup success. Certificates created."
  
  exit 0
+--- unbound-1.6.0.orig/testcode/unitverify.c
 unbound-1.6.0/testcode/unitverify.c
+@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env,
+   ntohs(rrset->rk.rrset_class));
+   }
+   setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
+-  sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, );
++  /* ok to give null as qstate here, won't be used for answer section. */
++  sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, ,
++  LDNS_SECTION_ANSWER, NULL);
+   if(vsig) {
+   printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
+   reason?reason:"");
+--- /dev/null
 unbound-1.6.0/testdata/val_nodata_failwc.rpl
+@@ -0,0 +1,71 @@
++; config options
++; The island of trust is at nsecwc.nlnetlabs.nl
++server:
++  trust-anchor: "nsecwc.nlnetlabs.nl. 10024   IN  DS  565 8 2 
0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E"
++  val-override-date: "20181202115531"
++  target-fetch-policy: "0 0 0 0 0"
++  fake-sha1: yes
++  trust-anchor-signaling: no
++stub-zone:
++  name: "nsecwc.nlnetlabs.nl"
++  stub-addr: "185.49.140.60"
++
++CONFIG_END
++
++SCENARIO_BEGIN Test validator with nodata response with wildcard expanded 
NSEC record, original NSEC owner does not provide proof for QNAME.
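Review bot: the unitverify.c adaptation passes LDNS_SECTION_ANSWER and a NULL qstate, so the unit test still exercises only the answer-section path of the new dnskeyset_verify_rrset signature; the authority-section handling of wildcard-expanded NSEC records that CVE-2017-15105 concerns is exercised only by the new val_nodata_failwc.rpl scenario, so make sure the package build runs the testbound .rpl scenarios and not just the unit tests. Two things also look wrong as rendered here and should be checked against the actual debdiff: the "+++" file lines for unitverify.c and val_nodata_failwc.rpl appear without their leading "++++", and the removed call line ends in "sigalg, );" with the reason argument missing.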