From patchwork Sat Feb 28 17:00:18 2026
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9543
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] bind: Update to 9.20.20
Date: Sat, 28 Feb 2026 18:00:18 +0100
Message-ID: <20260228170023.3564848-1-matthias.fischer@ipfire.org>

For details see:
https://downloads.isc.org/isc/bind9/9.20.20/doc/arm/html/notes.html#notes-for-bind-9-20-20

"Notes for BIND 9.20.20

Security Fixes

Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.

This issue only affected the delv tool and it has now been fixed.

ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. [GL #5728]

Feature Changes

Record query time for all dnstap responses.

Not all DNS responses had the query time set in their corresponding dnstap messages. This has been fixed. [GL #3695]

Optimize TCP source port selection on Linux.

Enable the IP_LOCAL_PORT_RANGE socket option on the outgoing TCP sockets to allow faster selection of the source tuple for different destination tuples, when nearing over 70-80% of the source port utilization. [GL !11569]

Bug Fixes

Fix an assertion failure triggered by non-minimal IXFRs.

Processing an IXFR that included an RRset whose contents were not changed by the transfer triggered an assertion failure. This has been fixed. [GL #5759]

Fix a crash when retrying a NOTIFY over TCP.

Furthermore, do not attempt to retry over TCP at all if the source address is not available. [GL #5457]

Fetch loop detection improvements.

Fix a case where an in-domain nameserver with expired glue would fail to resolve. [GL #5588]

Randomize nameserver selection.

Since BIND 9.20.17, when selecting nameserver addresses to be looked up, named selected them in DNSSEC order from the start of the NS RRset. This could lead to a resolution failure despite there being an address that could be resolved using the other nameserver names. named now randomizes the order in which nameserver addresses are looked up. [GL #5695] [GL #5745]

Fix dnstap logging of forwarded queries. [GL #5724]

A stale answer could have been served in case of multiple upstream failures when following CNAME chains. This has been fixed. [GL #5751]

Fail DNSKEY validation when supported but invalid DS is found.

A regression was introduced in BIND 9.20.6 when adding the EDE code for unsupported DNSKEY and DS algorithms. When the parent had both supported and unsupported algorithms in the DS record, the validator would treat the supported DS algorithm as insecure instead of bogus when validating DNSKEY records. This has no security impact, as the rest of the child zone correctly ends with bogus status, but it is incorrect and thus the regression has been fixed. [GL #5757]

Importing an invalid SKR file might corrupt stack memory.

If an administrator imported an invalid SKR file, the local stack in the import function might overflow. This could lead to a memory corruption on the stack and ultimately a server crash. This has been fixed. [GL #5758]

Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0.

RFC 7871 only defines families 1 (IPv4) and 2 (IPv6), and requires FORMERR to be returned for all unknown families. Queries with the EDNS Client Subnet FAMILY field set to 0 now elicit responses with RCODE=FORMERR. [GL !11565]"

Signed-off-by: Matthias Fischer
--- config/rootfiles/common/bind | 10 +++++----- lfs/bind | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 08cb3c223..42690fd5f 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.19.so +usr/lib/libdns-9.20.20.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.19.so +usr/lib/libisc-9.20.20.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.19.so +usr/lib/libisccc-9.20.20.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.19.so +usr/lib/libisccfg-9.20.20.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.19.so +usr/lib/libns-9.20.20.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index cfc1cb5c7..179d4875d 100644 --- a/lfs/bind +++ b/lfs/bind @@ -1,4 +1,4 @@ -############################################################################### +############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2007-2026 IPFire Team # @@ -25,7 +25,7 @@ include Config -VER = 9.20.19 +VER = 9.20.20 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 9330f6fdf44038b1a28d1cbba19a7110dcaaf3e1ba32dc5eea5ff20b0adab0c6f4450acda0932f4aa3b73bde03599fddd8b8f5bd735b8bbc3518c15ca6e8237b +$(DL_FILE)_BLAKE2 = 416593b641ec7de486f474bb4edbe843a2abd18d9a5c12dcd74fd55c4f1d2d89bdacfa32458dd6ecc09e7e601692f9c134459f5c183dabc3f98fa7b5506736e0 install : $(TARGET)
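Review bot: The renamed entries in the config/rootfiles/common/bind hunk (usr/lib/libdns-9.20.19.so becoming usr/lib/libdns-9.20.20.so, and likewise for libisc, libisccc, libisccfg and libns) leave open what happens to the 9.20.19 files on a system that is already installed, since the patch only changes which names are packaged. Please confirm that the update shipping this package removes the old versioned libraries, or say in the commit message where that is handled, so that the superseded copies do not stay behind in usr/lib.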
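Review bot: The first lfs/bind hunk (@@ -1,4 +1,4 @@) removes and re-adds the opening row of # characters with no visible difference, so this is a whitespace-only or encoding-only change (for example trailing whitespace, a line-ending change or a byte-order mark) that has nothing to do with the version bump. Drop it from the patch, or if it is intentional, say so in the commit message so the next rebase does not silently revert it.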
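Review bot: The new $(DL_FILE)_BLAKE2 value in the last lfs/bind hunk (@@ -43,7 +43,7 @@) has no stated provenance: the commit message links only the release notes and does not say how the digest was obtained. Because this value is what the build trusts for bind-9.20.20.tar.xz, please note in the commit message that the tarball was checked against the signature ISC publishes for the release before the digest was computed, so a reviewer can reproduce the check instead of taking the 128-character string on faith.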