From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ctbzn2R74z32fs for ; Fri, 24 Oct 2025 21:45:25 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ctbzj6wcMz2xSM for ; Fri, 24 Oct 2025 21:45:21 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ctbzg1NBFzbc; Fri, 24 Oct 2025 21:45:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1761342319; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=pW9AsRAoNGK1a0Ja/S+iH6o7UDegKIpLbEHMLzGEUy4=; b=8dnB0TTAIod9FP7BnY/TwVtquq4iukTYsgSQbTASZpJX4wme2RXzjo8Wdy+rDR6KWZbXGX F2i9nuHm2YXPuvDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1761342319; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=pW9AsRAoNGK1a0Ja/S+iH6o7UDegKIpLbEHMLzGEUy4=; b=F0xxxO/3zUAA3oLP46IihTT/pDDmWzXegUmTs1nHLqXwfuuJOI0HybPkRFHe+xA6qxFAfv rqSvxoQEPafUTheJPuvv5WTrMtTt2qcNMSxNQry1s6pTzkLP38w9Xcu3HVDef8n3NEVZxN lGY8BI89iPlKy04OhB9vfZx0UwQn8wjS5AcPUkugYBRVLtDVyxhAAKhlaii1GK+BhWvXH+ zgihOLsRB/qhZD54CVODv/kn4rzOoR6TauqutcR5K07l4DFUnkdRtW5cN5vPtT0TwbanA3 9oO3BBMiUK439xbuhKpxBWIc2kZbgD+LBcdd8VgGAzwt+wlVP+xodsBMAJ+I9w== From: Matthias Fischer To: development@lists.ipfire.org Cc: Matthias Fischer Subject: [PATCH] bind: Update ot 9.20.15 Date: Fri, 24 Oct 2025 23:44:53 +0200 Message-ID: <20251024214510.110137-1-matthias.fischer@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit For details see: https://downloads.isc.org/isc/bind9/9.20.15/doc/arm/html/notes.html#notes-for-bind-9-20-15 Should anyone wonder where 9.20.14 has gone: "The BIND 9.20.14 release was withdrawn after the discovery of a regression in a security fix in it during pre-release testing." "Notes for BIND 9.20.15 Security Fixes DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677) Previously, if a matching but cryptographically invalid key was encountered during DNSSEC validation, the key was skipped and not counted towards validation failures. named now treats such DNSSEC keys as hard failures and the DNSSEC validation fails immediately, instead of continuing with the next DNSKEYs in the RRset. ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention. [GL #5343] Address various spoofing attacks. (CVE-2025-40778) Previously, several issues could be exploited to poison a DNS cache with spoofed records for zones which were not DNSSEC-signed or if the resolver was configured to not do DNSSEC validation. These issues were assigned CVE-2025-40778 and have now been fixed. As an additional layer of protection, named no longer accepts DNAME records or extraneous NS records in the AUTHORITY section unless these are received via spoofing-resistant transport (TCP, UDP with DNS cookies, TSIG, or SIG(0)). ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University for bringing this vulnerability to our attention. [GL #5414] Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780) It was discovered during research for an upcoming academic paper that a xoshiro128** internal state can be recovered by an external 3rd party, allowing the prediction of UDP ports and DNS IDs in outgoing queries. This could lead to an attacker spoofing the DNS answers with great efficiency and poisoning the DNS cache. The internal random generator has been changed to a cryptographically secure pseudo-random generator. ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem for bringing this vulnerability to our attention. [GL #5484] New Features Add dnssec-policy keys configuration check to named-checkconf. A new option -k was added to named-checkconf that allows checking the dnssec-policy keys configuration against the configured key stores. If the found key files are not in sync with the given dnssec-policy, the check will fail. This is useful to run before migrating to dnssec-policy. [GL #5486] Bug Fixes Missing DNSSEC information when CD bit is set in query. The RRSIGs for glue records were not being cached correctly for CD=1 queries. This has been fixed. [GL #5502] rndc sign during ZSK rollover will now replace signatures. When performing a ZSK rollover, if the new DNSKEY is omnipresent, the rndc sign command now signs the zone completely with the successor key, replacing all zone signatures from the predecessor key with new ones. [GL #5483] Use signer name when disabling DNSSEC algorithms. disable-algorithms could cause DNSSEC validation failures when the parent zone was signed with the algorithms that were being disabled for the child zone. This has been fixed; disable-algorithms now works on a whole-of-zone basis. If the zone's name is at or below the disable-algorithms name the algorithm is disabled for that zone, using deepest match when there are multiple disable-algorithms clauses. [GL #5165] Preserve cache when reload fails and reload the server again. This fixes an issue where failing to reconfigure/reload the server would fail to preserve the views' caches for subsequent server reconfigurations/reloads. [GL #5523]" Signed-off-by: Matthias Fischer --- config/rootfiles/common/bind | 10 +++++----- lfs/bind | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index db57a9d40..eff7149ca 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -241,18 +241,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.13.so +usr/lib/libdns-9.20.15.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.13.so +usr/lib/libisc-9.20.15.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.13.so +usr/lib/libisccc-9.20.15.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.13.so +usr/lib/libisccfg-9.20.15.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.13.so +usr/lib/libns-9.20.15.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 9befe9bfc..e5f8de750 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.13 +VER = 9.20.15 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = c3738ebe468849293bec3d89499d7607b76fb636c7d21833dd56414fb569c1edfaa84d152ff9febfe0ebd5c65fa351423fbfbeaaee294d57949eb45631fd5623 +$(DL_FILE)_BLAKE2 = f272fc5e7a107b28cb71b55d2e87cfb2b215612c38289483044445f6c5ae57b0eb7003a368386122fb1fed551ac7be2e4e9bb34c2f8908e379e1aaf4e761c394 install : $(TARGET) -- 2.43.0