[PATCH] bind: Update to 9.20.18

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Cc: Matthias Fischer <matthias.fischer@ipfire.org>
Subject: [PATCH] bind: Update to 9.20.18
Date: Thu, 22 Jan 2026 22:05:48 +0100	[thread overview]
Message-ID: <20260122210550.1611-1-matthias.fischer@ipfire.org> (raw)

For details see:

https://downloads.isc.org/isc/bind9/9.20.18/doc/arm/html/notes.html#notes-for-bind-9-20-18

"Notes for BIND 9.20.18
Security Fixes

    Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    Malformed BRID and HHIT records could trigger an assertion failure.
    This has been fixed.

    ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
    bringing this vulnerability to our attention. [GL #5616]

Feature Changes

    Add more information to the rndc recursing output about fetches.

    This adds more information about active fetches, for debugging and
    diagnostic purposes. [GL !11305]

Bug Fixes

    Make DNSSEC key rollovers more robust.

    A manual rollover when the zone was in an invalid DNSSEC state caused
    predecessor keys to be removed too quickly. Additional safeguards to
    prevent this have been added: DNSSEC records are not removed from the
    zone until the underlying state machine has moved back into a valid
    DNSSEC state. [GL #5458]

    Fix a catalog zone issue, where member zones could fail to load.

    A catalog zone member zone could fail to load in some rare cases, when
    the internally generated zone configuration string exceeded 512 bytes.
    That condition by itself was not enough for the issue to arise, but it
    was necessary. This could happen if, for example, the catalog zone's
    default primary servers list contained a large number of items. This
    has been fixed. [GL #5658]

    Allow glue in delegations with QTYPE=ANY.

    When a query for type ANY triggered a delegation response, all
    additional data was omitted from the response, including mandatory
    glue. This has been fixed. [GL #5659]

    Fix slow speed when signing a large delegation zone with NSEC3 opt-out.

    BIND 9.20+ took much longer signing a large delegation zone with NSEC3
    opt-out compared to version 9.18. This has been fixed. [GL #5672]

    Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.

    A zone that was signed with NSEC3, had opt-out enabled, and was then
    reconfigured to use NSEC, was published with missing NSEC records. This
    has been fixed. [GL #5679]

    Fix a possible catalog zone issue during reconfiguration.

    The named process could terminate unexpectedly during reconfiguration
    when a catalog zone update was taking place at the same time. This has
    been fixed. [GL !11366]

    Fix the charts in the statistics channel.

    The charts in the statistics channel could sometimes fail to render in
    the browser and were completely disabled for Mozilla-based browsers,
    for historical reasons. This has been fixed. [GL !11018]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index fce491479..144914501 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.17.so
+usr/lib/libdns-9.20.18.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.17.so
+usr/lib/libisc-9.20.18.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.17.so
+usr/lib/libisccc-9.20.18.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.17.so
+usr/lib/libisccfg-9.20.18.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.17.so
+usr/lib/libns-9.20.18.so
 #usr/lib/libns.la
 #usr/lib/libns.so
diff --git a/lfs/bind b/lfs/bind
index 786ae69ee..1b0ff4947 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.17
+VER        = 9.20.18
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = a3bfb881f3439750ddc1d94da674ed91e6447f101f2c20eb5f4472614b45b5f2af73f197712e18c891e774ed6e95fc811df1e3494c2b863b2544da19790ecf05
+$(DL_FILE)_BLAKE2 = 023ee08a692ce8c1dc2519483a9bdb06ff5e632ed35820f417db2950023efde79a467bf5561383eeefba4d89cc1e40a31df338e96e8563b56f564ffef895f01d
 
 install : $(TARGET)
 
-- 
2.43.0

next             reply	other threads:[~2026-01-22 21:06 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-22 21:05 Matthias Fischer [this message]
2026-01-23  9:50 ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260122210550.1611-1-matthias.fischer@ipfire.org \
    --to=matthias.fischer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox