From patchwork Thu Jan 22 21:05:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 9436 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4dxtrt68nHz3wkD for ; Thu, 22 Jan 2026 21:06:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4dxtrt2pCQz5ZQ for ; Thu, 22 Jan 2026 21:06:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4dxtrt23hPz332Z for ; Thu, 22 Jan 2026 21:06:06 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4dxtrq3Zf9z2xGm for ; Thu, 22 Jan 2026 21:06:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4dxtrp2JdlzCx; Thu, 22 Jan 2026 21:06:02 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1769115962; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IGTB3+ibDPKaPqmUa5TOAe7CSkugMQRTv66t6UzVhQQ=; b=gOsoaiEqLdVCV2dfuIL8aDvEaR1KT6FSimJPF232Hw0e0Zr/brlkMpnwZcJFItScNpC6Z5 VQ0NUFgZ+oldADAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1769115962; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IGTB3+ibDPKaPqmUa5TOAe7CSkugMQRTv66t6UzVhQQ=; b=WvYTYLfU1s+x83tiI8F90zRYngxo4ufXlaiYlLXkatoOeJQlLkqk24Ptp3snEI6rimC2Zj s/0zpy7qJ4SjSmfCxgfVVZCO+wHsXoikCZYyD1HLjv2IZznZRXTPGeBvv1iM/m/XQTLK5o qGVzO11+I78aw4SDLIOlvZRqmMZ+ZOIHEhsH99pi2eSPPOzfRO5xSn7B9ne2Wa1LuhejpO 4vvcmNNQfDce2XsLOx3d1Qrlx1B5hawAD13QOzh2LC1Psw9yWEUqoF1iMGIBVorbg2Qz8B QNgm8QkGVC1BOawrrYUsUpbMNgPVd+JNg4o2Ta0KzLnfPj6sPEpfcFmJq1KG+A== From: Matthias Fischer To: development@lists.ipfire.org Cc: Matthias Fischer Subject: [PATCH] bind: Update to 9.20.18 Date: Thu, 22 Jan 2026 22:05:48 +0100 Message-ID: <20260122210550.1611-1-matthias.fischer@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 For details see: https://downloads.isc.org/isc/bind9/9.20.18/doc/arm/html/notes.html#notes-for-bind-9-20-18 "Notes for BIND 9.20.18 Security Fixes Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878) Malformed BRID and HHIT records could trigger an assertion failure. This has been fixed. ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention. [GL #5616] Feature Changes Add more information to the rndc recursing output about fetches. This adds more information about active fetches, for debugging and diagnostic purposes. [GL !11305] Bug Fixes Make DNSSEC key rollovers more robust. A manual rollover when the zone was in an invalid DNSSEC state caused predecessor keys to be removed too quickly. Additional safeguards to prevent this have been added: DNSSEC records are not removed from the zone until the underlying state machine has moved back into a valid DNSSEC state. [GL #5458] Fix a catalog zone issue, where member zones could fail to load. A catalog zone member zone could fail to load in some rare cases, when the internally generated zone configuration string exceeded 512 bytes. That condition by itself was not enough for the issue to arise, but it was necessary. This could happen if, for example, the catalog zone's default primary servers list contained a large number of items. This has been fixed. [GL #5658] Allow glue in delegations with QTYPE=ANY. When a query for type ANY triggered a delegation response, all additional data was omitted from the response, including mandatory glue. This has been fixed. [GL #5659] Fix slow speed when signing a large delegation zone with NSEC3 opt-out. BIND 9.20+ took much longer signing a large delegation zone with NSEC3 opt-out compared to version 9.18. This has been fixed. [GL #5672] Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid. A zone that was signed with NSEC3, had opt-out enabled, and was then reconfigured to use NSEC, was published with missing NSEC records. This has been fixed. [GL #5679] Fix a possible catalog zone issue during reconfiguration. The named process could terminate unexpectedly during reconfiguration when a catalog zone update was taking place at the same time. This has been fixed. [GL !11366] Fix the charts in the statistics channel. The charts in the statistics channel could sometimes fail to render in the browser and were completely disabled for Mozilla-based browsers, for historical reasons. This has been fixed. [GL !11018]" Signed-off-by: Matthias Fischer --- config/rootfiles/common/bind | 10 +++++----- lfs/bind | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index fce491479..144914501 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -241,18 +241,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.17.so +usr/lib/libdns-9.20.18.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.17.so +usr/lib/libisc-9.20.18.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.17.so +usr/lib/libisccc-9.20.18.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.17.so +usr/lib/libisccfg-9.20.18.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.17.so +usr/lib/libns-9.20.18.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 786ae69ee..1b0ff4947 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.17 +VER = 9.20.18 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a3bfb881f3439750ddc1d94da674ed91e6447f101f2c20eb5f4472614b45b5f2af73f197712e18c891e774ed6e95fc811df1e3494c2b863b2544da19790ecf05 +$(DL_FILE)_BLAKE2 = 023ee08a692ce8c1dc2519483a9bdb06ff5e632ed35820f417db2950023efde79a467bf5561383eeefba4d89cc1e40a31df338e96e8563b56f564ffef895f01d install : $(TARGET)