From: Michael Tremer <michael.tremer@ipfire.org>
To: Matthias Fischer <matthias.fischer@ipfire.org>
Cc: development@lists.ipfire.org
Subject: Re: [PATCH] bind: Update to 9.20.18
Date: Fri, 23 Jan 2026 09:50:08 +0000 [thread overview]
Message-ID: <14055B7C-3245-4FC8-BA76-9980B96A0F86@ipfire.org> (raw)
In-Reply-To: <20260122210550.1611-1-matthias.fischer@ipfire.org>
Thank you. Very fast!
> On 22 Jan 2026, at 21:05, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>
> For details see:
>
> https://downloads.isc.org/isc/bind9/9.20.18/doc/arm/html/notes.html#notes-for-bind-9-20-18
>
> "Notes for BIND 9.20.18
> Security Fixes
>
> Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)
>
> Malformed BRID and HHIT records could trigger an assertion failure.
> This has been fixed.
>
> ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
> bringing this vulnerability to our attention. [GL #5616]
>
> Feature Changes
>
> Add more information to the rndc recursing output about fetches.
>
> This adds more information about active fetches, for debugging and
> diagnostic purposes. [GL !11305]
>
> Bug Fixes
>
> Make DNSSEC key rollovers more robust.
>
> A manual rollover when the zone was in an invalid DNSSEC state caused
> predecessor keys to be removed too quickly. Additional safeguards to
> prevent this have been added: DNSSEC records are not removed from the
> zone until the underlying state machine has moved back into a valid
> DNSSEC state. [GL #5458]
>
> Fix a catalog zone issue, where member zones could fail to load.
>
> A catalog zone member zone could fail to load in some rare cases, when
> the internally generated zone configuration string exceeded 512 bytes.
> That condition by itself was not enough for the issue to arise, but it
> was necessary. This could happen if, for example, the catalog zone's
> default primary servers list contained a large number of items. This
> has been fixed. [GL #5658]
>
> Allow glue in delegations with QTYPE=ANY.
>
> When a query for type ANY triggered a delegation response, all
> additional data was omitted from the response, including mandatory
> glue. This has been fixed. [GL #5659]
>
> Fix slow speed when signing a large delegation zone with NSEC3 opt-out.
>
> BIND 9.20+ took much longer signing a large delegation zone with NSEC3
> opt-out compared to version 9.18. This has been fixed. [GL #5672]
>
> Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.
>
> A zone that was signed with NSEC3, had opt-out enabled, and was then
> reconfigured to use NSEC, was published with missing NSEC records. This
> has been fixed. [GL #5679]
>
> Fix a possible catalog zone issue during reconfiguration.
>
> The named process could terminate unexpectedly during reconfiguration
> when a catalog zone update was taking place at the same time. This has
> been fixed. [GL !11366]
>
> Fix the charts in the statistics channel.
>
> The charts in the statistics channel could sometimes fail to render in
> the browser and were completely disabled for Mozilla-based browsers,
> for historical reasons. This has been fixed. [GL !11018]"
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> config/rootfiles/common/bind | 10 +++++-----
> lfs/bind | 4 ++--
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
> index fce491479..144914501 100644
> --- a/config/rootfiles/common/bind
> +++ b/config/rootfiles/common/bind
> @@ -241,18 +241,18 @@ usr/bin/nsupdate
> #usr/include/ns/types.h
> #usr/include/ns/update.h
> #usr/include/ns/xfrout.h
> -usr/lib/libdns-9.20.17.so
> +usr/lib/libdns-9.20.18.so
> #usr/lib/libdns.la
> #usr/lib/libdns.so
> -usr/lib/libisc-9.20.17.so
> +usr/lib/libisc-9.20.18.so
> #usr/lib/libisc.la
> #usr/lib/libisc.so
> -usr/lib/libisccc-9.20.17.so
> +usr/lib/libisccc-9.20.18.so
> #usr/lib/libisccc.la
> #usr/lib/libisccc.so
> -usr/lib/libisccfg-9.20.17.so
> +usr/lib/libisccfg-9.20.18.so
> #usr/lib/libisccfg.la
> #usr/lib/libisccfg.so
> -usr/lib/libns-9.20.17.so
> +usr/lib/libns-9.20.18.so
> #usr/lib/libns.la
> #usr/lib/libns.so
> diff --git a/lfs/bind b/lfs/bind
> index 786ae69ee..1b0ff4947 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>
> include Config
>
> -VER = 9.20.17
> +VER = 9.20.18
>
> THISAPP = bind-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = a3bfb881f3439750ddc1d94da674ed91e6447f101f2c20eb5f4472614b45b5f2af73f197712e18c891e774ed6e95fc811df1e3494c2b863b2544da19790ecf05
> +$(DL_FILE)_BLAKE2 = 023ee08a692ce8c1dc2519483a9bdb06ff5e632ed35820f417db2950023efde79a467bf5561383eeefba4d89cc1e40a31df338e96e8563b56f564ffef895f01d
>
> install : $(TARGET)
>
> --
> 2.43.0
>
>
prev parent reply other threads:[~2026-01-23 9:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 21:05 Matthias Fischer
2026-01-23 9:50 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14055B7C-3245-4FC8-BA76-9980B96A0F86@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
--cc=matthias.fischer@ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox