From patchwork Thu Mar 26 21:58:13 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthias Fischer <matthias.fischer@ipfire.org>
X-Patchwork-Id: 9568
Return-Path: <development+bounces-1838-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)
 server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4fhd2M4Y0jz3wbG
	for <patchwork@web04.haj.ipfire.org>; Thu, 26 Mar 2026 21:58:35 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail02.haj.ipfire.org", Issuer "E7" (not verified))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4fhd2M1rcLz60F
	for <patchwork@ipfire.org>; Thu, 26 Mar 2026 21:58:35 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4fhd2M0x83z30Zv
	for <patchwork@ipfire.org>; Thu, 26 Mar 2026 21:58:35 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)
 server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4fhd2959sMz2xHk
	for <development@lists.ipfire.org>; Thu, 26 Mar 2026 21:58:25 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4fhd276VYwz2SK;
	Thu, 26 Mar 2026 21:58:23 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1774562304;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=vHPQjXLPaubEDzQrAzxIlIaRHe27KdL2S5WJjKG9HgI=;
	b=WFu6mX/9lV8KvCi+D1blDVVMcrDABdrXsQI88/WaZPdlDVqMnhwSG2/ptGGwUGiWN40lcf
	Hm3Wt/MR7cuLOSAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1774562304;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=vHPQjXLPaubEDzQrAzxIlIaRHe27KdL2S5WJjKG9HgI=;
	b=ZK1CAQxsIs1fMfjbjB1s33ef974PwQdd8fQIjKuLCQ8KQ1uz0N63OSvCXRW5rgodbFm0uu
	nA8lQbukEO7/YveOi1BGRYwcXlx7Dalj25Z/WKK0v0qCm1FFpjjNhjSOhhfiz8eOY/+NFf
	XeowuRFxpcvb5DONyh1EFR8wVrBmn+KbBVZQUG06YiP5zWD7ZSQvSyivk8TGfOlqLVWWBy
	B6HHxgJxuakkID8vaVaXtCMqpjaVsxC3ssS6bHSaAhPybAIyhUqZc00HECQysIjBbAGTqf
	vAIVDT8W33ivULFhqQQ+0RF1u64jbZx3IuoWj0qu1T5N92bzw0AsUWrgJ1IwAg==
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Cc: Matthias Fischer <matthias.fischer@ipfire.org>
Subject: [PATCH] bind: Update to 9.20.21
Date: Thu, 26 Mar 2026 22:58:13 +0100
Message-ID: <20260326215815.18055-1-matthias.fischer@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0

For details see:

https://downloads.isc.org/isc/bind9/9.20.21/doc/arm/html/notes.html#notes-for-bind-9-20-21

"Notes for BIND 9.20.21
Security Fixes

    Fix unbounded NSEC3 iterations when validating referrals to unsigned
    delegations. (CVE-2026-1519)

    DNSSEC-signed zones may contain high iteration-count NSEC3 records,
    which prove that certain delegations are insecure. Previously, a
    validating resolver encountering such a delegation processed these
    iterations up to the number given, which could be a maximum of 65,535.
    This has been addressed by introducing a processing limit, set at 50.
    Now, if such an NSEC3 record is encountered, the delegation will be
    treated as insecure.

    ISC would like to thank Samy Medjahed/Ap4sh for bringing this
    vulnerability to our attention. [GL #5708]

    Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    (CVE-2026-3104)

    An attacker controlling a DNSSEC-signed zone could trigger a memory
    leak in the logic preparing DNSSEC proofs of non-existence, by creating
    more than max-records-per-type RRSIGs for NSEC records. These memory
    leaks have been fixed.

    ISC would like to thank Vitaly Simonovich for bringing this
    vulnerability to our attention. [GL #5742]

    Prevent a crash in code processing queries containing a TKEY record.
    (CVE-2026-3119)

    The named process could terminate unexpectedly when processing a
    correctly signed query containing a TKEY record. This has been fixed.

    ISC would like to thank Vitaly Simonovich for bringing this
    vulnerability to our attention. [GL #5748]

    Fix a stack use-after-return flaw in SIG(0) handling code.
    (CVE-2026-3591)

    A stack use-after-return flaw in SIG(0) handling code could enable ACL
    bypass and/or assertion failures in certain circumstances. This flaw
    has been fixed.

    ISC would like to thank Mcsky23 for bringing this vulnerability to our
    attention. [GL #5754]

Bug Fixes

    Fix the handling of key statements defined inside views.

    A recent change introduced in BIND 9.20.17 hardened the key name check
    when used in primaries, to immediately reject the configuration if the
    key was not defined (rather than only checking whether the key name was
    correctly formed). However, that change introduced a regression that
    prevented the use of a key defined in a view. This has now been fixed.
    [GL #5761]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 42690fd5f..ad7f23645 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.20.so
+usr/lib/libdns-9.20.21.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.20.so
+usr/lib/libisc-9.20.21.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.20.so
+usr/lib/libisccc-9.20.21.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.20.so
+usr/lib/libisccfg-9.20.21.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.20.so
+usr/lib/libns-9.20.21.so
 #usr/lib/libns.la
 #usr/lib/libns.so
diff --git a/lfs/bind b/lfs/bind
index 179d4875d..9a52fcdde 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.20
+VER        = 9.20.21
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 416593b641ec7de486f474bb4edbe843a2abd18d9a5c12dcd74fd55c4f1d2d89bdacfa32458dd6ecc09e7e601692f9c134459f5c183dabc3f98fa7b5506736e0
+$(DL_FILE)_BLAKE2 = 20c2acac40242516da10cc8e45074de3d5d8906e4c4e216f6d69cba0585816aba4ec77adda8142294623eef5b045ec64cc8a18c721ece6af939741903558454b
 
 install : $(TARGET)