bind9 apparmor profile does not allow access to /var/lib/bind

Bug #201954 reported by Jamie Strandboge
Affects: bind9 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: LaMont Jones

Bug Description

Binary package hint: bind9

/var/lib/bind is the proper place for slave zones and dynamic updates; however, the apparmor profile does not allow write access to /var/lib/bind. Patch is forthcoming.

Changed in bind9:
assignee: nobody → jamie-strandboge
importance: Undecided → Medium
status: New → Triaged
Jamie Strandboge (jdstrand) wrote : Re: [Bug 201954] bind9 apparmor profile does not allow access to /var/lib/bind

 status inprogress

Changed in bind9:
status: Triaged → In Progress
LaMont Jones (lamont) wrote :

This will be in 1:9.4.2-7

Changed in bind9:
assignee: jamie-strandboge → lamont
status: In Progress → Fix Committed
LaMont Jones (lamont) wrote :

-9 includes more apparmor changes that need to be there for the profile to be correct. Please sync.

bind9 (1:9.4.2-9) unstable; urgency=low

  * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind
  * apparmor: make profile match README.Debian

 -- LaMont Jones <email address hidden> Tue, 01 Apr 2008 21:13:05 -0600

bind9 (1:9.4.2-8) unstable; urgency=low

  [ISC]

  * CVE-2008-0122: off by one error in (unused) inet_network function.
    Closes: #462783 LP: #203476

  [Michael Milligan]

  * Fix min-cache-ttl and min-ncache-ttl keywords

  [Jamie Strandboge]

  * apparmor: force complain-mode for apparmor on certain upgrades. LP: #203528
  * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named

 -- LaMont Jones <email address hidden> Tue, 18 Mar 2008 18:35:15 -0600

bind9 (1:9.4.2-7) unstable; urgency=low

  [Jamie Strandboge]

  * Allow rw access to /var/lib/bind/* in apparmor-profile. LP: #201954

  [LaMont Jones]

  * Drop root-delegation comments from named.conf. Closes: #217829, #297219

 -- LaMont Jones <email address hidden> Sat, 15 Mar 2008 09:48:10 -0600
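
Added example (not part of the original report or of the bind9 package): the -7 and -9 changelog entries above differ in whether subdirectories of /var/lib/bind are covered, which in AppArmor path globs is the difference between * and **. The sketch below models that matching in simplified form (plain file rules only, no deny or owner rules); the rule lines and file paths are constructed for illustration and are not the text of the shipped profile.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globbing as a Python regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")        # ** may cross '/' (descends into subdirs)
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")       # {a,b} alternation
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def parse_rules(profile_text):
    """Collect (regex, perms) from plain 'path perms,' file rules only."""
    rules = []
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith(("/", "{")):
            rules.append((aa_glob_to_regex(parts[0]), set(parts[1])))
    return rules

def allowed(rules, path, perm):
    """True if any rule matches the whole path and grants perm ('r' or 'w')."""
    return any(rx.fullmatch(path) and perm in perms for rx, perms in rules)

# Constructed rules modelled on the changelog wording (assumptions, not the
# shipped profile): single-level access, then access including subdirectories.
SINGLE_LEVEL = parse_rules("/var/lib/bind/* rw,")
WITH_SUBDIRS = parse_rules("/etc/bind/** r,\n/var/{cache,lib}/bind/** rw,")

if __name__ == "__main__":
    for path in ("/var/lib/bind/db.example.com.jnl",        # constructed paths
                 "/var/lib/bind/slaves/db.example.com"):
        print(path, allowed(SINGLE_LEVEL, path, "w"), allowed(WITH_SUBDIRS, path, "w"))
```
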

Martin Pitt (pitti) wrote :

[Updating] bind9 (1:9.4.2-6 [Ubuntu] < 1:9.4.2-9 [Debian])
 * Trying to add bind9...
  - <bind9_9.4.2-9.dsc: downloading from http://ftp.debian.org/debian/>
  - <bind9_9.4.2.orig.tar.gz: already in distro - downloading from librarian>
  - <bind9_9.4.2-9.diff.gz: downloading from http://ftp.debian.org/debian/>
I: bind9 [main] -> bind9_1:9.4.2-6 [main].
I: bind9 [main] -> bind9-doc_1:9.4.2-6 [main].
I: bind9 [main] -> bind9-host_1:9.4.2-6 [main].
I: bind9 [main] -> libbind-dev_1:9.4.2-6 [main].
I: bind9 [main] -> libbind9-30_1:9.4.2-6 [main].
I: bind9 [main] -> libdns32_1:9.4.2-6 [main].
I: bind9 [main] -> libisc32_1:9.4.2-6 [main].
I: bind9 [main] -> liblwres30_1:9.4.2-6 [main].
I: bind9 [main] -> libisccc30_1:9.4.2-6 [main].
I: bind9 [main] -> libisccfg30_1:9.4.2-6 [main].
I: bind9 [main] -> dnsutils_1:9.4.2-6 [main].
I: bind9 [main] -> lwresd_1:9.4.2-6 [universe].

Changed in bind9:
status: Fix Committed → Fix Released