Bind9 Security Update Broken

Had an e-mail this morning that an update was available for bind:

bind9-host Version of ‘host’ bundled with BIND 9.X New version 9.6.ESV.R1+dfsg-0+lenny1

In trying to apply this I ended up with:

Installing package(s) with command apt-get -y install bind9-host …

  dpkg: dependency problems prevent configuration of dnsutils:
   dnsutils depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
  dpkg: error processing dnsutils (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of libisccfg50:
   libisccfg50 depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
  dpkg: error processing libisccfg50 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of libisccc50:
   libisccc50 depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
  dpkg: error processing libisccc50 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of libbind9-50:
   libbind9-50 depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
   libbind9-50 depends on libisccfg50 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisccfg50 is not configured yet.
  dpkg: error processing libbind9-50 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of libdns55:
   libdns55 depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
  dpkg: error processing libdns55 (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of bind9utils:
   bind9utils depends on libbind9-50; however:
    Package libbind9-50 is not configured yet.
   bind9utils depends on libdns55; however:
    Package libdns55 is not configured yet.
   bind9utils depends on libisc52; however:
    Package libisc52 is not installed.
   bind9utils depends on libisccc50; however:
    Package libisccc50 is not configured yet.
   bind9utils depends on libisccfg50; however:
    Package libisccfg50 is not configured yet.
  dpkg: error processing bind9utils (--configure):
   dependency problems - leaving unconfigured
  dpkg: dependency problems prevent configuration of bind9:
   bind9 depends on libbind9-50 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libbind9-50 is not configured yet.
   bind9 depends on libdns55 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libdns55 is not configured yet.
   bind9 depends on libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisc52 is not installed.
   bind9 depends on libisccc50 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisccc50 is not configured yet.
   bind9 depends on libisccfg50 (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package libisccfg50 is not configured yet.
   bind9 depends on bind9utils (= 1:9.6.ESV.R1+dfsg-0+lenny1); however:
    Package bind9utils is not configured yet.
  dpkg: error processing bind9 (--configure):
   dependency problems - leaving unconfigured
  Errors were encountered while processing:
   dnsutils
   libisccfg50
   libisccc50
   libbind9-50
   libdns55
   bind9utils
   bind9
  Reading package lists...
  Building dependency tree...
  Reading state information...
  You might want to run `apt-get -f install' to correct these:
  The following packages have unmet dependencies:
    bind9: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    bind9-host: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    bind9utils: Depends: libisc52 but it is not going to be installed
    dnsutils: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    libbind9-50: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    libdns55: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    libisccc50: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
    libisccfg50: Depends: libisc52 (= 1:9.6.ESV.R1+dfsg-0+lenny1) but it is not going to be installed
  E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

  .. install failed!

This looks to be exactly what is reported here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584585

An attempt at manually fixing the dependency did not go well:

  apt-get install libisc52
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
  libdns53 libisc50
  Use 'apt-get autoremove' to remove them.
  The following NEW packages will be installed:
  libisc52
  0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
  7 not fully installed or removed.
  Need to get 0B/154kB of archives.
  After this operation, 401kB of additional disk space will be used.
  (Reading database ... 77658 files and directories currently installed.)
  Unpacking libisc52 (from .../libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb) ...
  dpkg: error processing /var/cache/apt/archives/libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb (--unpack):
  trying to overwrite `/usr/lib/libisc.so.50', which is also in package libisc50
  Errors were encountered while processing:
  /var/cache/apt/archives/libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb
  E: Sub-process /usr/bin/dpkg returned an error code (1)

Several variations on ‘-f install’ and ‘remove’ yield that same error. Does anyone here have any idea how to fix this problem?

Also, Virtualmin reports that BIND is disabled even though the service is up and running.

Same issue, but BIND is still in the process list, so it’s running, and Virtualmin just doesn’t recognize it for some reason.

Hmm, it looks like it was reported here that the BIND PID file location needed to be updated:

https://www.virtualmin.com/node/14570#comment-63791

For the cases above where Virtualmin is reporting BIND isn’t running, does updating the PID file location help?

-Eric

Yes, updating the PID according to the instructions in the bugtracker helps, thank you!
BIND is running correctly and Virtualmin clearly sees it.

Can you restart the bind service? Stopping bind works fine. But starting… Not really… (Re)start via /etc/init.d/ works fine…

Syslog shows me the following error message:

Jun 7 09:04:10 www.domain.de named[24459]: none:0: open: /etc/bind/rndc.key: permission denied
Jun 7 09:04:10 www.domain.de named[24459]: couldn’t add command channel 127.0.0.1#953: permission denied
Jun 7 09:04:10 www.domain.de named[24459]: none:0: open: /etc/bind/rndc.key: permission denied
Jun 7 09:04:10 www.domain.de named[24459]: couldn’t add command channel ::1#953: permission denied
Jun 7 09:04:10 www.domain.de named[24459]: couldn’t open pid file ‘/var/run/bind/run/named/named.pid’: Permission denied

My System: Debian Lenny with Virtualmin GPL

I had the same issue.
I run Debian Lenny with BIND chrooted.
The new location of the PID file (inside the /var/lib/named chroot for my setup) is:
/var/lib/named/var/run/bind/run/named/named.pid

So in the Virtualmin BIND configuration I had to change the location of the PID file to /var/run/bind/run/named/named.pid (without the chroot dir).

What seems strange to me is that the service script /etc/init.d/bind9 has the following lines

..
PIDFILE=/var/run/bind/run/named.pid
..
if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
        --pidfile ${PIDFILE} -- $OPTIONS; then
        if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
        fi
        log_end_msg 0
    else
        log_end_msg 1
    fi
..

It seems as though the pidfile location set in /etc/init.d/bind9 is ignored.

Hello,
I’ve got a similar problem: Virtualmin reports that BIND is disabled even though the service is up and running.

I don’t have bind8, but I do have bind9. How can I get Virtualmin to report that BIND is enabled?

I’ve got Debian 5.04 and Virtualmin Pro.

I don’t have any problems with bind9; it works fine and I’ve got no dependency problems with the deb package.

Thanks

Update the PID file location in Webmin’s BIND module configuration. Or wait for the next release of Webmin which has the new location in the default configuration.

… Webmin > Servers > BIND DNS Server

Module Config > System Configuration

Default PID file location(s):

add to the list: “/var/run/named/named.pid” so it looks something like this:

/var/run/bind/run/named.pid /var/run/named.pid /var/run/named/named.pid

Save and then recheck the status screen. You may need to fake it by pressing the “Start” button against the service so Webmin figures it out.
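
To find out which of the candidate paths from this thread is the one to put in the module configuration, the following added example (not part of the original posts and not Webmin's own code) checks each candidate under an optional chroot and prints the first one that holds the PID of a live process. The function names and the `CHROOT` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the PID file that actually tracks a live process.
# The candidate paths come from the thread; CHROOT is an assumed variable
# (e.g. /var/lib/named for the chrooted setup described above).

# pid_is_live PID -> returns 0 if a process with that PID exists.
# It does not verify that the process is named.
pid_is_live() {
    case "$1" in
        ''|0|*[!0-9]*) return 1 ;;   # reject empty, zero or non-numeric content
    esac
    # kill -0 fails with EPERM on other users' processes, so fall back to /proc
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# find_named_pidfile CHROOT CANDIDATE...
# Prints the first candidate, as a chroot-relative path (the form the
# thread says goes into the module config), whose file under CHROOT
# contains the PID of a live process. Returns 1 if none qualifies.
find_named_pidfile() {
    chroot_dir=$1
    shift
    for candidate in "$@"; do
        file="${chroot_dir%/}$candidate"
        [ -r "$file" ] || continue            # missing or unreadable: skip
        pid=$(head -n 1 "$file" | tr -d '[:space:]')
        if pid_is_live "$pid"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Paths mentioned in the thread, old locations first.
CANDIDATES="/var/run/bind/run/named.pid /var/run/named.pid
/var/run/named/named.pid /var/run/bind/run/named/named.pid"

# CHROOT is empty unless BIND runs chrooted.
find_named_pidfile "${CHROOT:-}" $CANDIDATES ||
    echo "no candidate PID file points at a live process" >&2
```

A stale file left behind at an old location is skipped because its PID no longer exists, which is the situation where the status screen reports BIND as down while the service is running.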