public inbox for development@lists.ipfire.org
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Cc: Matthias Fischer <matthias.fischer@ipfire.org>
Subject: [PATCH] bind: Update to 9.20.22
Date: Thu,  2 Apr 2026 21:24:04 +0200
Message-ID: <20260402192413.3376620-1-matthias.fischer@ipfire.org>

For details see:

https://downloads.isc.org/isc/bind9/9.20.22/doc/arm/html/notes.html#notes-for-bind-9-20-22

"Notes for BIND 9.20.22
Security Fixes

    Fix crash when reconfiguring zone update policy during active updates.

    We fixed a crash that could occur when running rndc reconfig to change
    a zone's update policy (e.g., from allow-update to update-policy) while
    DNS UPDATE requests were being processed for that zone.

    ISC would like to thank Vitaly Simonovich for bringing this issue to
    our attention. [GL #5817]

Bug Fixes

    Fix intermittent named crashes during asynchronous zone operations.

    Asynchronous zone loading and dumping operations occasionally
    dispatched tasks to the wrong internal event loop. This threading
    violation triggered internal safety assertions that abruptly terminated
    named. Strict loop affinity is now enforced for these tasks, ensuring
    they execute on their designated threads and preventing the crashes.
    [GL #4882]

    Count temporal problems with DNSSEC validation as attempts.

    After the KeyTrap vulnerability (CVE-2023-50387), any temporal DNSSEC
    errors were originally hard errors that caused validation failures,
    even if the records had another valid signature. This has been changed;
    RRSIGs outside of the inception and expiration time are not counted as
    hard errors. However, these errors were not even counted as validation
    attempts, so an excessive number of expired RRSIGs would cause some
    non-cryptographic extra work for the validator. This has been fixed and
    the temporal errors are now correctly counted as validation attempts.
    [GL #5760]

    Fix a possible deadlock in RPZ processing.

    The named process could hang when processing a maliciously crafted
    update for a response policy zone (RPZ). This has been fixed. [GL
    #5775]

    Fix a crash triggered by rndc modzone on a zone from a configuration
    file.

    Calling rndc modzone on a zone that was configured in the configuration
    file caused a crash. This has been fixed. [GL #5800]

    Fix the processing of empty catalog zone ACLs.

    The named process could terminate unexpectedly when processing a
    catalog zone ACL in an APL resource record that was completely empty.
    This has been fixed. [GL #5801]

    Fix a crash triggered by rndc modzone on zone that already existed in
    NZF file.

    Calling rndc modzone didn't work properly for a zone that was
    configured in the configuration file. It could crash if BIND 9 was
    built without LMDB or if there was already an NZF file for the zone.
    This has been fixed. [GL #5826]

    Fix potential resource leak during resolver error handling.

    Under specific error conditions during query processing, resources were
    not being properly released, which could eventually lead to unnecessary
    memory consumption for the server. A potential resource leak in the
    resolver has been fixed. [GL !11658]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index ad7f23645..63816f380 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.21.so
+usr/lib/libdns-9.20.22.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.21.so
+usr/lib/libisc-9.20.22.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.21.so
+usr/lib/libisccc-9.20.22.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.21.so
+usr/lib/libisccfg-9.20.22.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.21.so
+usr/lib/libns-9.20.22.so
 #usr/lib/libns.la
 #usr/lib/libns.so
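
Review bot: The five versioned library entries (libdns, libisc, libisccc, libisccfg, libns) move from 9.20.21 to 9.20.22, and nothing in this patch removes the 9.20.21 files from systems that already have them installed. Please confirm that the update shipping this change also deletes the old usr/lib/lib*-9.20.21.so files, so that no stale copy of the code affected by the crashes listed in the commit message stays on disk.
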
diff --git a/lfs/bind b/lfs/bind
index 9a52fcdde..5dfedca9c 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.21
+VER        = 9.20.22
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
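
Review bot: The subject line for the bump at "VER        = 9.20.22" reads only "Update to 9.20.22", although the release notes quoted in the commit message open with a Security Fixes entry (crash on rndc reconfig during DNS UPDATE processing, GL #5817). Consider saying in the subject or in a one-line summary above the quoted notes that this is a security update, so it can be prioritised when updates are collected.
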
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 20c2acac40242516da10cc8e45074de3d5d8906e4c4e216f6d69cba0585816aba4ec77adda8142294623eef5b045ec64cc8a18c721ece6af939741903558454b
+$(DL_FILE)_BLAKE2 = 74537646d8c08c4874548b064ab62bab3721d22e2654feed54ea0b61c087018b24f725d0cfaf8298bc71a1be280c753c86449b13e5d9ec26f84ba7e9f61b7a5a
 
 install : $(TARGET)
 
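
Review bot: The new $(DL_FILE)_BLAKE2 value cannot be checked from anything in this mail: the commit message links the release notes but says nothing about where the tarball came from or how it was authenticated. Please note in the commit message that bind-9.20.22.tar.xz was verified against upstream's published signature before this hash was computed, so that the checksum pins an authenticated download.
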
-- 
2.53.0


