Debian Package Tracker - knot-resolver

general

source: knot-resolver (main)
version: 3.2.1-3
maintainer: knot-resolver packagers (DMD)
uploaders: Ondřej Surý [DMD] – Daniel Kahn Gillmor [DMD]
arch: all amd64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.2.1-3~bpo9+1
stable: 3.2.1-3
unstable: 3.2.1-3

versioned links

2.3.0-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.1-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.2.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

knot-resolver (4 bugs: 0, 3, 1, 0)
knot-resolver-doc
knot-resolver-module-http (1 bugs: 1, 0, 0, 0)

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:01:41
Last run: 2020-01-26 23:26:45 UTC
Previous status: fail

stable: fail (log)
The tests ran in 0:02:28
Last run: 2020-01-31 16:04:06 UTC
Previous status:

Created: 2020-01-03 Last update: 2020-02-17 12:39

A new upstream version is available: 5.0.1 high

A new upstream version 5.0.1 is available, you should consider packaging it.

Created: 2019-04-21 Last update: 2020-02-17 12:34

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2019-10191: A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.
CVE-2019-10190: A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.
CVE-2019-19331: knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

Please fix them.

Created: 2019-07-14 Last update: 2019-12-18 08:38

3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:

CVE-2019-10191: A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol.
CVE-2019-10190: A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191.
CVE-2019-19331: knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

Please fix them.

Created: 2019-07-14 Last update: 2019-12-18 08:38

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2019-08-28 Last update: 2020-02-17 12:33

9 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 5d2e49cd34d53bacc3d9dc45a11ff18c7b829a4c
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Thu Dec 5 19:42:38 2019 +0000

    debian/copyright: Use spaces rather than tabs to start continuation lines
    
    Fixes lintian: tab-in-licence-text
    See https://lintian.debian.org/tags/tab-in-licence-text.html for more details.

commit c7278661edc9c4ce04564fc459752040b17c301c
Author: Robert Edmonds <edmonds@debian.org>
Date:   Sat Jan 25 00:00:47 2020 -0500

    debian/upstream/signing-key.asc: Update
    
    Per upstream, https://www.knot-resolver.cz/download/
    
        Releases are signed with one of those PGP keys:
    
        4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869
        B600 6460 B60A 80E7 8206  2449 E747 DF1F 9575 A3AA
        BE26 EBB9 CBE0 59B3 910C  A35B CE8D D6A1 A50A 21E4
    
    Before this commit:
    
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key 22A2A94B5E49415A expired Wed 10 Jan 2018 01:13:48 PM EST
        gpg: Note: signature key 22A2A94B5E49415A has been revoked
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        gpg: Note: signature key 1859C8263905566C expired Thu 10 Jan 2019 04:18:48 PM EST
        gpg: Note: signature key A1FBA5F7EF8C4869 expired Thu 10 Jan 2019 04:24:11 PM EST
        pub   rsa4096 2016-10-16 [SCA] [expires: 2021-10-15]
              B6006460B60A80E782062449E747DF1F9575A3AA
        uid           Vladimír Čunát (work) <vladimir.cunat@nic.cz>
        sig        E747DF1F9575A3AA 2017-09-25   [selfsig]
        uid           Vladimír Čunát <vcunat@gmail.com>
        sig        E747DF1F9575A3AA 2017-09-25   [selfsig]
        sub   rsa4096 2016-10-16 [E] [expires: 2021-10-15]
        sig        E747DF1F9575A3AA 2016-10-16   [keybind]
        pub   rsa4096 2016-12-07 [SC] [expired: 2019-01-10]
              4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869
        uid           Tomas Krizek <tkrizek@redhat.com>
        rev        A1FBA5F7EF8C4869 2017-12-20   [selfsig]
        uid           Tomas Krizek <tomas.krizek@nic.cz>
        sig        A1FBA5F7EF8C4869 2017-12-07   [selfsig]
        sub   ed25519 2018-01-21 [A] [expired: 2019-01-21]
        sig        A1FBA5F7EF8C4869 2018-01-21   [keybind]
        sub   rsa2048 2016-12-07 [S] [revoked: 2018-01-16]
        sig        A1FBA5F7EF8C4869 2018-01-16   [selfsig]
        sig        A1FBA5F7EF8C4869 2016-12-07   [keybind]
        sub   rsa2048 2016-12-07 [E] [revoked: 2018-01-16]
        sig        A1FBA5F7EF8C4869 2016-12-07   [keybind]
        sig        A1FBA5F7EF8C4869 2018-01-16   [selfsig]
        sub   rsa4096 2017-12-07 [S] [expired: 2019-01-10]
        sig        A1FBA5F7EF8C4869 2017-12-07   [keybind]
        sub   rsa4096 2017-12-07 [E] [expired: 2019-01-10]
        sig        A1FBA5F7EF8C4869 2017-12-07   [keybind]
    
    After this commit:
    
        gpg: Note: signature key 22A2A94B5E49415A expired Wed 10 Jan 2018 01:13:48 PM EST
        gpg: Note: signature key 22A2A94B5E49415A has been revoked
        pub   rsa4096 2016-12-07 [SC] [expires: 2022-01-20]
              4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869
        uid           Tomas Krizek <tkrizek@redhat.com>
        rev        A1FBA5F7EF8C4869 2017-12-20   [selfsig]
        uid           Tomas Krizek <tomas.krizek@nic.cz>
        sig        A1FBA5F7EF8C4869 2020-01-01   [selfsig]
        sub   ed25519 2018-01-21 [A] [expires: 2022-01-20]
        sig        A1FBA5F7EF8C4869 2020-01-01   [keybind]
        sub   rsa2048 2016-12-07 [S] [revoked: 2018-01-16]
        sig        A1FBA5F7EF8C4869 2018-01-16   [selfsig]
        sig        A1FBA5F7EF8C4869 2016-12-07   [keybind]
        sub   rsa2048 2016-12-07 [E] [revoked: 2018-01-16]
        sig        A1FBA5F7EF8C4869 2016-12-07   [keybind]
        sig        A1FBA5F7EF8C4869 2018-01-16   [selfsig]
        sub   rsa4096 2017-12-07 [S] [expires: 2022-01-20]
        sig        A1FBA5F7EF8C4869 2020-01-01   [keybind]
        sub   rsa4096 2017-12-07 [E] [expires: 2022-01-20]
        sig        A1FBA5F7EF8C4869 2020-01-01   [keybind]
        pub   rsa4096 2016-10-16 [SCA] [expires: 2021-10-15]
              B6006460B60A80E782062449E747DF1F9575A3AA
        uid           Vladimír Čunát <vcunat@gmail.com>
        sig        E747DF1F9575A3AA 2017-11-16   [selfsig]
        uid           Vladimír Čunát (personal) <v@cunat.cz>
        sig        E747DF1F9575A3AA 2019-02-24   [selfsig]
        uid           Vladimír Čunát (work) <vladimir.cunat@nic.cz>
        sig        E747DF1F9575A3AA 2017-11-16   [selfsig]
        sub   rsa4096 2016-10-16 [E] [expires: 2021-10-15]
        sig        E747DF1F9575A3AA 2016-10-16   [keybind]
        pub   rsa4096 2017-01-03 [SC] [expires: 2021-01-15]
              BE26EBB9CBE059B3910CA35BCE8DD6A1A50A21E4
        uid           Petr Spacek <petr.spacek@nic.cz>
        sig        CE8DD6A1A50A21E4 2020-01-04   [selfsig]
        uid           Petr Špaček <petr.spacek@nic.cz>
        sig        CE8DD6A1A50A21E4 2020-01-04   [selfsig]
        sub   rsa4096 2017-01-03 [E] [expires: 2021-01-15]
        sig        CE8DD6A1A50A21E4 2020-01-04   [keybind]

commit 6226aa2524cdd190809b5192a127f18be4769033
Merge: 1ca57be9 e64203fb
Author: Daniel Salzman <daniel.salzman@nic.cz>
Date:   Fri Jan 24 09:54:39 2020 +0000

    Merge branch 'patch-1' into 'debian/master'
    
    Remove spurious Build-Dep on libgeoip-dev
    
    See merge request dns-team/knot-resolver!2

commit e64203fbb5cdd6f0e929b9a53c693a94eb865ce3
Author: Faidon Liambotis <paravoid@debian.org>
Date:   Thu Aug 29 17:03:08 2019 +0000

    Remove spurious Build-Dep on libgeoip-dev
    
    GeoIP was only used by tinyweb and that has been superseded by the HTTP
    module and not present in the source anymore.

commit 1ca57be9efc01300a600f69afa5611c0ff4aa51e
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 11 12:41:27 2019 -0400

    knot-resolver Recommends: lua-cqueues (Closes: #926771)

commit 636e0d10087cfb49821888eda834e60ec174f111
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Mar 24 15:21:39 2019 +0100

    note goal of aligning sysvinit script with systemd mechanism

commit 022f54398fc12f59ece9809e7d853933a53915bc
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Mar 24 15:08:15 2019 +0100

    kresd.conf: include comments similar to upstream

commit f09c258b34da870372a1baa6715b83468d167386
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Mar 24 12:20:29 2019 +0100

    bring debian/TODO: bring up to date
    
    i've raised the concerns about warnings and linker dependencies
    upstream already.  I've also dropped the attempt to split out the
    library packaging since that does not appear to be functional.

commit 6c9d727f0979bbc1da1e007f5f266362ce6e5d61
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Mar 24 12:13:20 2019 +0100

    Adopt preferred upstream name "Knot Resolver"
    
    Upstream apparently prefers the name "Knot Resolver" over "Knot DNS
    Resolver".  We should keep our messaging consistent with theirs.

Created: 2019-04-11 Last update: 2020-02-13 23:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-01-21 05:06

testing migrations

This package will soon be part of the auto-knot transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for knot-resolver (- to 3.2.1-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating knot-resolver introduces new bugs: #932048, #946181
- autopkgtest for knot-resolver/3.2.1-3: amd64: Pass, arm64: Regression ♻
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/k/knot-resolver.html
- 346 days old (needed 5 days)
- Not considered

news

[rss feed]

[2019-08-29] knot-resolver REMOVED from testing (Debian testing watch)
[2019-03-24] Accepted knot-resolver 3.2.1-3~bpo9+1 (source) into stretch-backports->backports-policy, stretch-backports (Daniel Kahn Gillmor)
[2019-03-24] knot-resolver 3.2.1-3 MIGRATED to testing (Debian testing watch)
[2019-03-08] Accepted knot-resolver 3.2.1-3 (source) into unstable (Daniel Kahn Gillmor)
[2019-03-08] Accepted knot-resolver 3.2.1-2 (source) into unstable (Daniel Kahn Gillmor)
[2019-03-07] Accepted knot-resolver 3.2.1-1~bpo9+1 (source amd64 all) into stretch-backports, stretch-backports (Daniel Kahn Gillmor)
[2019-03-03] knot-resolver 3.2.1-1 MIGRATED to testing (Debian testing watch)
[2019-02-21] Accepted knot-resolver 3.2.1-1 (source) into unstable (Ondřej Surý)
[2018-12-31] knot-resolver 3.2.0-1 MIGRATED to testing (Debian testing watch)
[2018-12-23] Accepted knot-resolver 3.2.0-1 (source amd64 all) into unstable, unstable (Daniel Kahn Gillmor)
[2018-12-01] knot-resolver 3.1.0-1 MIGRATED to testing (Debian testing watch)
[2018-11-20] Accepted knot-resolver 3.1.0-1 (source) into unstable (Daniel Kahn Gillmor)
[2018-11-06] knot-resolver 3.0.0-9 MIGRATED to testing (Debian testing watch)
[2018-09-13] knot-resolver REMOVED from testing (Debian testing watch)
[2018-09-12] Accepted knot-resolver 3.0.0-9 (source) into unstable (Daniel Kahn Gillmor)
[2018-09-12] Accepted knot-resolver 3.0.0-8 (source) into unstable (Daniel Kahn Gillmor)
[2018-09-12] Accepted knot-resolver 3.0.0-7 (source) into unstable (Daniel Kahn Gillmor)
[2018-09-05] Accepted knot-resolver 3.0.0-6 (source) into unstable (Daniel Kahn Gillmor)
[2018-09-01] Accepted knot-resolver 3.0.0-5 (source) into unstable (Daniel Kahn Gillmor)
[2018-08-31] Accepted knot-resolver 3.0.0-4 (source) into unstable (Daniel Kahn Gillmor)
[2018-08-31] Accepted knot-resolver 3.0.0-3 (source) into unstable (Daniel Kahn Gillmor)
[2018-08-30] Accepted knot-resolver 3.0.0-2 (source) into unstable (Daniel Kahn Gillmor)
[2018-08-28] Accepted knot-resolver 3.0.0-1 (source amd64 all) into unstable, unstable (Daniel Kahn Gillmor)
[2018-08-27] Accepted knot-resolver 2.4.1-1 (source) into unstable (Daniel Kahn Gillmor)
[2018-05-30] knot-resolver 2.3.0-4 MIGRATED to testing (Debian testing watch)
[2018-05-29] Accepted knot-resolver 2.3.0-3~bpo9+1 (source amd64 all) into stretch-backports, stretch-backports (Daniel Kahn Gillmor)
[2018-05-24] Accepted knot-resolver 2.3.0-4 (source) into unstable (Daniel Kahn Gillmor)
[2018-05-21] knot-resolver 2.3.0-3 MIGRATED to testing (Debian testing watch)
[2018-05-14] Accepted knot-resolver 2.3.0-3 (source) into unstable (Daniel Kahn Gillmor)
[2018-05-05] knot-resolver REMOVED from testing (Debian testing watch)

bugs [bug history graph]

all: 10
RC: 3
I&N: 6
M&W: 1
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.2.1-3ubuntu2
6 bugs
patches for 3.2.1-3ubuntu2