BIND

Fails running In chroot with "ENGINE_by_id failed (crypto failure)"

Bug #1630025 reported by Alexander Radev
38
This bug affects 6 people
Affects Status Importance Assigned to Milestone
BIND
New
Undecided
Unassigned
bind9 (Debian)
Fix Released
Unknown
bind9 (Ubuntu)
Fix Released
Low
Unassigned
Xenial
Won't Fix
Undecided
Unassigned

Bug Description

Running inside an OpenVZ guest, it is not possible to use the AppArmor as discussed, so I am trying to configure BIND9 to run in chroot.

Then I got the following in the log:

named[3398]: ENGINE_by_id failed (crypto failure)
named[3398]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
named[3398]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
named[3398]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
named[3398]: initializing DST: crypto failure
named[3398]: exiting (due to fatal error)
systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE

This seems to be a bug that is found in Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974

Bug Watch Updater (bug-watch-updater)
Changed in bind9 (Debian):
status: Unknown → New
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Since this bug affects a non-default configuration of bind, there are alternatives (such as AppArmor and running in a container) and OpenVZ is not part of Ubuntu, I'm setting the importance of this bug to Low. I don't expect anyone on the Ubuntu Server Team to work on this bug, but if someone else wants to provide a fix, please do.

Changed in bind9 (Ubuntu):
importance: Undecided → Low
Bug Watch Updater (bug-watch-updater)
Changed in bind9 (Debian):
status: New → Fix Released
Revision history for this message
Brian Menges (mengesb) wrote :

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974#86 , Debian has fixed this. Can we please import this package to get this resolved? While this may be thought of as a non-standard configuration this is a critical security issue that is now solved upstream. Could we please get this update pushed?

Revision history for this message
Brian Menges (mengesb) wrote :

I can confirm that the following debian packages resolve the issue:

bind9_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
bind9utils_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libbind9-140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libdns162_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libgssapi-krb5-2_1.15-1+deb9u1_amd64.deb
libisc160_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccc140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccfg140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libk5crypto3_1.15-1+deb9u1_amd64.deb
libkrb5-3_1.15-1+deb9u1_amd64.deb
libkrb5support0_1.15-1+deb9u1_amd64.deb
liblwres141_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libssl1.0.2_1.0.2l-2+deb9u1_amd64.deb

If we could get bind9 and dependencies rebuilt with the necessary patch (from the bug, a 1-liner) that'd be splendid so that we can return to a safe chroot bind9 scenario

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed
Revision history for this message
Brian Menges (mengesb) wrote :

Will this be fixed any time soon?

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Brian,
these versions are actually already in Artful and Bionic.
Given the time you opened this you found that on Xenial I'll add a task for an SRU.

@Andreas - you look at bind fixes every now and then - how about to include this on your next run?

Changed in bind9 (Ubuntu):
status: Confirmed → Fix Released
Changed in bind9 (Ubuntu Xenial):
status: New → Triaged
Revision history for this message
Bryce Harrington (bryce) wrote :

[Xenial has reached its end of standard support.]

Changed in bind9 (Ubuntu Xenial):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.