openQA test failures here indicate a dependency issue of some kind. In the openQA tests that deploy as a domain controller, the system winds up with the older bind-9.11.28-1.fc32 packages installed even though this update was available; that indicates dnf refused to include the packages from this update because of some kind of dependency problem. Not sure what the issue is, though, it doesn't seem to be logged. Will try and find out.
The update has an soname bump. 9.11.28 had libdns.so.1113; 9.11.31 has libdns.so.1114. soname bumps should be avoided where possible in stable release updates, and if it can't be avoided, all dependencies at least need to be rebuilt and included in the update. Aside from other bind subpackages, two things require libdns.so.1113: bind-dyndb-ldap and dnsperf. The one that caused the openQA test to fail is likely bind-dyndb-ldap, FreeIPA uses that, so dnf will be using the older bind package to satisfy the dependency.
So, either the soname bump needs to be reverted (along with whatever incompatible change caused the bump, of course), or dnsperf and bind-dyndb-ldap should be rebuilt against the new soname and included in the update.
Ah, two problems are there. First, I forgot dnsperf on f32 still depends on bind-libs. Second, I haven't waited long enough before building bind-dyndb-ldap. Even when built on side-tag directly, I should have waited for wait-repo first. My build of bind-dyndb-ldap were started after bind were done, but not yet propagated to repo. So new builds of both are required.
BZ#1954897 CVE-2021-25214 bind: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly [fedora-all]
0
0
BZ#1954903 CVE-2021-25215 bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself [fedora-all]
This update's test gating status has been changed to 'waiting'.
This update has been submitted for testing by bodhi.
This update's test gating status has been changed to 'ignored'.
openQA test failures here indicate a dependency issue of some kind. In the openQA tests that deploy as a domain controller, the system winds up with the older bind-9.11.28-1.fc32 packages installed even though this update was available; that indicates dnf refused to include the packages from this update because of some kind of dependency problem. Not sure what the issue is, though, it doesn't seem to be logged. Will try and find out.
The update has an soname bump. 9.11.28 had
libdns.so.1113
; 9.11.31 haslibdns.so.1114
. soname bumps should be avoided where possible in stable release updates, and if it can't be avoided, all dependencies at least need to be rebuilt and included in the update. Aside from other bind subpackages, two things requirelibdns.so.1113
:bind-dyndb-ldap
anddnsperf
. The one that caused the openQA test to fail is likelybind-dyndb-ldap
, FreeIPA uses that, so dnf will be using the olderbind
package to satisfy the dependency.So, either the soname bump needs to be reverted (along with whatever incompatible change caused the bump, of course), or dnsperf and bind-dyndb-ldap should be rebuilt against the new soname and included in the update.
CC @abbra
This update has been pushed to testing.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
This update's test gating status has been changed to 'failed'.
Ah, two problems are there. First, I forgot
dnsperf
on f32 still depends on bind-libs. Second, I haven't waited long enough before buildingbind-dyndb-ldap
. Even when built on side-tag directly, I should have waited for wait-repo first. My build of bind-dyndb-ldap were started after bind were done, but not yet propagated to repo. So new builds of both are required.pemensik edited this update.
New build(s):
Removed build(s):
Karma has been reset.
pemensik edited this update.
This update has been submitted for testing by pemensik.
This update's test gating status has been changed to 'ignored'.
OK, openQA tests passed now, so we should be good.
This update has been pushed to testing.
This update's test gating status has been changed to 'failed'.
This update is marked obsolete because the F32 release is archived.