Re: Bind 9.16.17 update built for packages?
- Reply: Michael Gmelin : "Re: Bind 9.16.17 update built for packages?"
- In reply to: Simon Wright : "Re: Bind 9.16.17 update built for packages?"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 21 Jun 2021 11:24:51 UTC
Am 21.06.21 um 09:49 schrieb Simon Wright: > Indeed "these things they do 'appen!" :) Is it possible/worth adding a > note to UPDATING to not upgrade to 9.16.17? > > Something like this: > > ============ > 20210621: > AFFECTS: users of bind916 9.16.17 > > ISC have issued a warning to users to not upgrade to this version of > bind916 due to bug in the lookup tables which is likely to cause > operational errors for most users. > > https://gitlab.isc.org/isc-projects/bind9/-/issues/2779 > > The issue does not exist in 9.16.16 and is fixed in 9.16.18, please wait > for that package to be released before upgrading. > > ============ > > Or probably better, roll changes back to remove the faulty package? I'd think a mechanisms that allows to purge packages with known vulnerabilites should be provided. But there is the issue of dependent packages that will not install or update unless the dependency is resolved. Those packages need to be quickly rebuilt, and together with the updated repository catalogue pushed to the mirrors. I do not know whether emergency pushes to mirrors can be performed, but IMHO we should not distribute packages with significant security issues via the servers under our direct control and the mirrors. The deletion of vulnerable packages even if dependencies and the repository catalogue cannot be updated at the same time might be appropriate as an emergency measure in highly critical cases. Anyway, AFAIK such an mechanism is not currently implemented and IMHO it should be designed and rolled out in coordination with mirror operators (if they need to be involved). Regards, STefan