From patchwork Thu Apr 2 19:24:04 2026
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9572
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] bind: Update to 9.20.22
Date: Thu, 2 Apr 2026 21:24:04 +0200
Message-ID: <20260402192413.3376620-1-matthias.fischer@ipfire.org>

For details see:
https://downloads.isc.org/isc/bind9/9.20.22/doc/arm/html/notes.html#notes-for-bind-9-20-22

"Notes for BIND 9.20.22

Security Fixes

Fix crash when reconfiguring zone update policy during active updates.
We fixed a crash that could occur when running rndc reconfig to change a zone's update policy (e.g., from allow-update to update-policy) while DNS UPDATE requests were being processed for that zone. ISC would like to thank Vitaly Simonovich for bringing this issue to our attention. [GL #5817]

Bug Fixes

Fix intermittent named crashes during asynchronous zone operations.
Asynchronous zone loading and dumping operations occasionally dispatched tasks to the wrong internal event loop. This threading violation triggered internal safety assertions that abruptly terminated named. Strict loop affinity is now enforced for these tasks, ensuring they execute on their designated threads and preventing the crashes. [GL #4882]

Count temporal problems with DNSSEC validation as attempts.
After the KeyTrap vulnerability (CVE-2023-50387), any temporal DNSSEC errors were originally hard errors that caused validation failures, even if the records had another valid signature. This has been changed; RRSIGs outside of the inception and expiration time are not counted as hard errors. However, these errors were not even counted as validation attempts, so an excessive number of expired RRSIGs would cause some non-cryptographic extra work for the validator. This has been fixed and the temporal errors are now correctly counted as validation attempts. [GL #5760]

Fix a possible deadlock in RPZ processing.
The named process could hang when processing a maliciously crafted update for a response policy zone (RPZ). This has been fixed. [GL #5775]

Fix a crash triggered by rndc modzone on a zone from a configuration file.
Calling rndc modzone on a zone that was configured in the configuration file caused a crash. This has been fixed. [GL #5800]

Fix the processing of empty catalog zone ACLs.
The named process could terminate unexpectedly when processing a catalog zone ACL in an APL resource record that was completely empty. This has been fixed. [GL #5801]

Fix a crash triggered by rndc modzone on zone that already existed in NZF file.
Calling rndc modzone didn't work properly for a zone that was configured in the configuration file. It could crash if BIND 9 was built without LMDB or if there was already an NZF file for the zone. This has been fixed. [GL #5826]

Fix potential resource leak during resolver error handling.
Under specific error conditions during query processing, resources were not being properly released, which could eventually lead to unnecessary memory consumption for the server. A potential resource leak in the resolver has been fixed. [GL !11658]"

Signed-off-by: Matthias Fischer
--- config/rootfiles/common/bind | 10 +++++----- lfs/bind | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index ad7f23645..63816f380 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind 
@@ -241,18 +241,18 @@ usr/bin/nsupdate #usr/include/ns/types.h #usr/include/ns/update.h #usr/include/ns/xfrout.h -usr/lib/libdns-9.20.21.so +usr/lib/libdns-9.20.22.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libisc-9.20.21.so +usr/lib/libisc-9.20.22.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.20.21.so +usr/lib/libisccc-9.20.22.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.20.21.so +usr/lib/libisccfg-9.20.22.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.20.21.so +usr/lib/libns-9.20.22.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index 9a52fcdde..5dfedca9c 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.20.21 +VER = 9.20.22 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 20c2acac40242516da10cc8e45074de3d5d8906e4c4e216f6d69cba0585816aba4ec77adda8142294623eef5b045ec64cc8a18c721ece6af939741903558454b +$(DL_FILE)_BLAKE2 = 74537646d8c08c4874548b064ab62bab3721d22e2654feed54ea0b61c087018b24f725d0cfaf8298bc71a1be280c753c86449b13e5d9ec26f84ba7e9f61b7a5a install : $(TARGET)
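
Review bot: In the config/rootfiles/common/bind hunk, all five versioned libraries (libdns, libisc, libisccc, libisccfg, libns) change file name from -9.20.21.so to -9.20.22.so, and nothing in this two-file patch removes the old names or touches any other package. Please confirm that the 9.20.21 libraries are cleaned up on systems that upgrade and that nothing outside bind links against the versioned file names, so that no stale 9.20.21 copy stays loadable once the release with the rndc reconfig crash fix is installed.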
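
Review bot: In the lfs/bind hunk, the $(DL_FILE)_BLAKE2 line is replaced with a new digest, but the commit message only links the release notes and does not say how bind-9.20.22.tar.xz was authenticated before the digest was computed. Please state in the commit message that the hash was taken over a tarball whose upstream signature was checked, since the build trusts this value for the download and a reviewer cannot reproduce that trust from the patch alone.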