Debian Bug report logs - #696661
bind9 - Fails if openssl can't load the gost engine


Package: bind9; Maintainer for bind9 is LaMont Jones <lamont@debian.org>; Source for bind9 is src:bind9.

Reported by: Bastian Blank <waldi@debian.org>

Date: Tue, 25 Dec 2012 11:51:01 UTC

Severity: grave

Tags: patch, pending

Found in versions bind9/1:9.8.1.dfsg.P1-4.3, bind9/1:9.8.1.dfsg.P1-4.4

Fixed in version bind9/1:9.8.4.dfsg.P1-6

Done: LaMont Jones <lamont@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#696661; Package bind9. (Tue, 25 Dec 2012 11:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 25 Dec 2012 11:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9 - Fails if openssl can't load the gost engine
Date: Tue, 25 Dec 2012 12:46:47 +0100
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.4
Severity: grave
File: /usr/lib/libdns.so.81.3.1

libdns is configured with a list of openssl engines to load somewhere
after startup (lib/dns/dst_api.c). It errors out if it can't load one of
them. gost is _always_ a dynamic engine loaded as a dynamic library so it
will fail at arbitrary times.

In this case named exits with a fatal error:
| Dec 25 11:43:09 triphammer named[13958]: initializing DST: openssl failure
| Dec 25 11:43:09 triphammer named[13958]: exiting (due to fatal error)

This initialization happens _after_ named calls chroot, so it will
completely fail to work in this case.

Bastian

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libdns81 depends on:
ii  libc6             2.13-37
ii  libcap2           1:2.22-1.2
ii  libgeoip1         1.4.8+dfsg-3
ii  libgssapi-krb5-2  1.10.1+dfsg-3
ii  libisc83          1:9.8.1.dfsg.P1-4.4
ii  libssl1.0.0       1.0.1c-4

libdns81 recommends no packages.

libdns81 suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#696661; Package bind9. (Sun, 20 Jan 2013 18:06:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 20 Jan 2013 18:06:08 GMT) Full text and rfc822 format available.

Message #10 received at 696661@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 696661@bugs.debian.org
Cc: 696661-submitter@bugs.debian.org
Subject: Re: Bug#696661: bind9 - Fails if openssl can't load the gost engine
Date: Sun, 20 Jan 2013 18:03:01 +0000
Control: found -1 1:9.8.1.dfsg.P1-4.3

Hi,

bind9/1:9.8.1.dfsg.P1-4.4 and libdns81 have disappeared out of the
archive.  It is missing from debian/changelog since 1:9.8.4.dfsg-1.

(The nmu was not acked conventionally;  the change had already been
merged in from upstream and the changelog entry was missed).

Therefore version tracking of this bug was not working properly;
britney/UDD do not list it as an RC bug, but apt-listbugs does.

I'm marking it as 'found' in the preceding version so that this bug does
not go missing.  Whether or not it still exists in 9.8.4 I do not know.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Marked as found in versions bind9/1:9.8.1.dfsg.P1-4.3. Request was from Steven Chamberlain <steven@pyro.eu.org> to 696661-submit@bugs.debian.org. (Sun, 20 Jan 2013 18:06:08 GMT) Full text and rfc822 format available.

Message sent on to Bastian Blank <waldi@debian.org>:
Bug#696661. (Sun, 20 Jan 2013 18:06:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#696661; Package bind9. (Sat, 26 Jan 2013 17:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 26 Jan 2013 17:33:03 GMT) Full text and rfc822 format available.

Message #20 received at 696661@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Bastian Blank <waldi@debian.org>
Cc: 696661@bugs.debian.org
Subject: Re: bind9 - Fails if openssl can't load the gost engine
Date: Sat, 26 Jan 2013 17:30:52 +0000
[Message part 1 (text/plain, inline)]
Control: tag -1 patch moreinfo

On Tue, 2012-12-25 at 12:46 +0100, Bastian Blank wrote:
> Package: bind9
> Version: 1:9.8.1.dfsg.P1-4.4
> Severity: grave
> File: /usr/lib/libdns.so.81.3.1
> 
> libdns is configured with a list of openssl engines to load somewhere
> after startup (lib/dns/dst_api.c). It errors out if it can't load one of
> them. gost is _always_ a dynamic engine loaded as a dynamic library so it
> will fail at arbitrary times.
> 
> In this case named exits with a fatal error:
> | Dec 25 11:43:09 triphammer named[13958]: initializing DST: openssl failure
> | Dec 25 11:43:09 triphammer named[13958]: exiting (due to fatal error)
> 
> This initialization happens _after_ named calls chroot, so it will
> completely fail to work in this case.

This patch seems to work - at least, it was enough to get the daemon
running in a chroot with only configuration and var directories.  Please
can you confirm whether this works for a real installation?

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.
[bind9-9.8.4-init-openssl-before-chroot.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
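The ordering problem discussed in this report, as an added example (it is not the attached patch and not BIND code): `dlopen()` of `libresolv.so.2` stands in, as an assumption, for OpenSSL loading the dynamic gost engine, and `start_daemon()`, `confine()` and the temporary jail directory are hypothetical names. Each start-up order runs in a forked child against an empty chroot, so entering the jail requires root.

```c
#define _DEFAULT_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: stand-in for a dynamically loaded OpenSSL engine such as gost. */
#define MODULE "libresolv.so.2"

enum result { STARTED = 0, LOAD_FAILED = 1, CHROOT_FAILED = 2, SETUP_FAILED = 3 };

/* Enter the jail; chroot() fails without root (CAP_SYS_CHROOT). */
static int confine(const char *jail) {
    return (chdir(jail) == 0 && chroot(".") == 0) ? 0 : -1;
}

/* Run one start-up sequence in a child so the caller is never confined.
 * load_first = 1: resolve the module by path, then chroot (the fixed order).
 * load_first = 0: chroot, then resolve the module (the order in the report). */
enum result start_daemon(int load_first) {
    char jail[] = "/tmp/jail-XXXXXX";   /* constructed, empty jail directory */
    int status;
    if (mkdtemp(jail) == NULL) return SETUP_FAILED;
    pid_t pid = fork();
    if (pid == 0) {
        if (load_first && dlopen(MODULE, RTLD_NOW) == NULL) _exit(LOAD_FAILED);
        if (confine(jail) != 0) _exit(CHROOT_FAILED);
        /* Inside the empty jail no library directory exists any more. */
        if (!load_first && dlopen(MODULE, RTLD_NOW) == NULL) _exit(LOAD_FAILED);
        _exit(STARTED);
    }
    if (pid < 0) { rmdir(jail); return SETUP_FAILED; }
    pid_t w = waitpid(pid, &status, 0);
    rmdir(jail);
    if (w < 0 || !WIFEXITED(status)) return SETUP_FAILED;
    return (enum result)WEXITSTATUS(status);
}

int main(void) {
    static const char *names[] = { "started", "module load failed",
                                   "chroot failed (not root?)", "setup failed" };
    printf("load after chroot:  %s\n", names[start_daemon(0)]);
    printf("load before chroot: %s\n", names[start_daemon(1)]);
    return 0;
}
```

On glibc older than 2.34, link with `-ldl`.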

Added tag(s) moreinfo and patch. Request was from Ben Hutchings <ben@decadent.org.uk> to 696661-submit@bugs.debian.org. (Sat, 26 Jan 2013 17:33:03 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Fri, 01 Mar 2013 15:24:03 GMT) Full text and rfc822 format available.

Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility. (Mon, 04 Mar 2013 15:36:05 GMT) Full text and rfc822 format available.

Notification sent to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer. (Mon, 04 Mar 2013 15:36:05 GMT) Full text and rfc822 format available.

Message #29 received at 696661-close@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: 696661-close@bugs.debian.org
Subject: Bug#696661: fixed in bind9 1:9.8.4.dfsg.P1-6
Date: Mon, 04 Mar 2013 15:32:47 +0000
Source: bind9
Source-Version: 1:9.8.4.dfsg.P1-6

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 01 Mar 2013 08:23:27 -0700
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-80 libdns88 libisc84 liblwres80 libisccc80 libisccfg82 dnsutils lwresd
Architecture: all amd64 source
Version: 1:9.8.4.dfsg.P1-6
Distribution: unstable
Urgency: low
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Closes: 696661
Description: 
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9      - Internet Domain Name Server
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind9-80 - BIND9 Shared Library used by BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libdns88   - DNS Shared Library used by BIND
 libisc84   - ISC Shared Library used by BIND
 libisccc80 - Command Channel Library used by BIND
 libisccfg82 - Config File Handling Library used by BIND
 liblwres80 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes: 
 bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low
 .
   [Ben Hutchings]
 .
   * Initialise OpenSSL before calling chroot().  Closes: #696661

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRNLo+zN/kmwoKyScRAj4IAKCKC50e9a8W/jw/5V8s8V0gk2fbyACdF3iP
/EAFeopW0vKiIMp+RS1MkB0=
=pk08
-----END PGP SIGNATURE-----




Removed tag(s) moreinfo. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Mon, 04 Mar 2013 16:18:08 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Mon, 04 Mar 2013 16:18:16 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Apr 2013 07:27:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 23:18:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.