pkgsrc-Changes archive


CVS commit: pkgsrc/net/bind918



Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Oct 22 14:32:26 UTC 2025

Modified Files:
        pkgsrc/net/bind918: Makefile distinfo
        pkgsrc/net/bind918/patches: patch-config.h.in

Log Message:
net/bind918: update to 9.18.41

BIND 9.18.41 (2025-10-22)

Security Fixes

* DNSSEC validation fails if matching but invalid DNSKEY is
  found. (CVE-2025-8677)

  Previously, if a matching but cryptographically invalid key was
  encountered during DNSSEC validation, the key was skipped and not counted
  towards validation failures.  named now treats such DNSSEC keys as hard
  failures and the DNSSEC validation fails immediately, instead of
  continuing with the next DNSKEYs in the RRset.

  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security
  and Privacy Laboratory at Nankai University for bringing this
  vulnerability to our attention.  [GL #5343]

* Address various spoofing attacks. (CVE-2025-40778)

  Previously, several issues could be exploited to poison a DNS cache with
  spoofed records for zones which were not DNSSEC-signed or if the resolver
  was configured to not do DNSSEC validation.  These issues were assigned
  CVE-2025-40778 and have now been fixed.

  As an additional layer of protection, named no longer accepts DNAME
  records or extraneous NS records in the AUTHORITY section unless these are
  received via spoofing-resistant transport (TCP, UDP with DNS cookies,
  TSIG, or SIG(0)).

  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
  Duan from Tsinghua University for bringing this vulnerability to our
  attention.  [GL #5414]

* Cache-poisoning due to weak pseudo-random number
  generator. (CVE-2025-40780)

  It was discovered during research for an upcoming academic paper that a
  xoshiro128** internal state can be recovered by an external 3rd party,
  allowing the prediction of UDP ports and DNS IDs in outgoing queries.
  This could lead to an attacker spoofing the DNS answers with great
  efficiency and poisoning the DNS cache.

  The internal random generator has been changed to a cryptographically
  secure pseudo-random generator.

  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew
  University of Jerusalem for bringing this vulnerability to our attention.
  [GL #5484]

New Features

* Support for parsing HHIT and BRID records has been added.

  [GL #5444]

Removed Features

* Deprecate the "tkey-domain" statement.

  Mark the tkey-domain statement as deprecated since it is only used by code
  implementing TKEY Mode 2 (Diffie-Hellman), which was removed from newer
  BIND 9 branches.  [GL #4204]

* Deprecate the "tkey-gssapi-credential" statement.

  The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a simpler
  and more reliable way than using the tkey-gssapi-credential statement and
  setting environment variables (e.g. KRB5_KTNAME).  Therefore, the
  tkey-gssapi-credential statement has been deprecated; tkey-gssapi-keytab
  should be used instead.

  For configurations currently using a combination of both
  tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be
  dropped and the keytab pointed to by tkey-gssapi-keytab should now only
  contain the credential previously specified by tkey-gssapi-credential.
  [GL #4204]

Bug Fixes

* Prevent spurious SERVFAILs for certain 0-TTL resource records.

  Under certain circumstances, BIND 9 can return SERVFAIL when updating
  existing entries in the cache with new NS, A, AAAA, or DS records that
  have a TTL of zero.  [GL #5294]

* Missing DNSSEC information when CD bit is set in query.

  The RRSIGs for glue records were not being cached correctly for CD=1
  queries.  This has been fixed. [GL #5502]
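
The CVE-2025-40780 entry above says the xoshiro128** state can be recovered by an outside observer, which then makes the source ports and message IDs of outgoing queries predictable. The block below is an added illustration of the underlying weakness, written for this page; it is not ISC's code, not part of the pkgsrc package, and not the attack from the cited paper. It implements the reference xoshiro128** generator and shows that four consecutive raw outputs determine the full 128-bit state, after which every later output can be predicted. The assumption (labelled in the code) is that the observer sees the generator's raw 32-bit outputs, for instance because ports and IDs are derived from them by a known mapping; how named actually mapped outputs to ports and IDs is not stated on this page and is not modelled.

```python
"""
Recover xoshiro128** state from four observed outputs, then predict the
following ones.  Added illustration of why a non-cryptographic PRNG must not
drive UDP source ports / DNS message IDs.  Not ISC's code and not the attack
from the cited paper.  Assumption: the observer sees the raw 32-bit outputs.
"""
MASK = 0xFFFFFFFF
INV5 = pow(5, -1, 1 << 32)   # multiplicative inverse of 5 mod 2^32
INV9 = pow(9, -1, 1 << 32)   # multiplicative inverse of 9 mod 2^32


def rotl(x, k):
    return ((x << k) | (x >> (32 - k))) & MASK


def rotr(x, k):
    return rotl(x, 32 - k)


class Xoshiro128StarStar:
    """Reference xoshiro128** (Blackman & Vigna); state is four 32-bit words."""

    def __init__(self, state):
        self.s = [w & MASK for w in state]

    def next(self):
        s = self.s
        result = (rotl((s[1] * 5) & MASK, 7) * 9) & MASK
        t = (s[1] << 9) & MASK
        s[2] ^= s[0]
        s[3] ^= s[1]
        s[1] ^= s[2]
        s[0] ^= s[3]
        s[2] ^= t
        s[3] = rotl(s[3], 11)
        return result


def s1_from_output(out):
    """The output scrambler is invertible: out = rotl(s1*5, 7)*9 (mod 2^32)."""
    return (rotr((out * INV9) & MASK, 7) * INV5) & MASK


def recover_state(outputs):
    """Return the state that preceded outputs[0], given four consecutive outputs.

    Every output leaks that step's s1.  The state update is linear over GF(2),
    so the s1 word seen at steps 1..3 is an XOR combination of the initial words:
        step 1: s1 ^ s2 ^ s0
        step 2: s0 ^ s3 ^ (s1 << 9)
        step 3: s0 ^ s3 ^ s1 ^ (s1 << 9) ^ ((s0 ^ s2) << 9) ^ rotl(s3, 11) ^ rotl(s1, 11)
    Three knowns plus s1 itself solve for all four words.
    """
    o0, o1, o2, o3 = (s1_from_output(o) for o in outputs[:4])
    s1 = o0
    a = o1 ^ s1                                  # a = s0 ^ s2
    b = o2 ^ ((s1 << 9) & MASK)                  # b = s0 ^ s3
    c = o3 ^ s1 ^ ((s1 << 9) & MASK) ^ ((a << 9) & MASK) ^ rotl(s1, 11)
    # c = s0 ^ s3 ^ rotl(s3, 11) = b ^ rotl(s3, 11), so:
    s3 = rotr(b ^ c, 11)
    s0 = b ^ s3
    s2 = a ^ s0
    return [s0, s1, s2, s3]


def predict_next(observed, n):
    """Predict the n outputs that follow the four observed ones."""
    g = Xoshiro128StarStar(recover_state(observed))
    for _ in range(4):
        g.next()             # replay the outputs the observer already saw
    return [g.next() for _ in range(n)]


def demo(seed=(0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF)):
    """Constructed secret state; returns (state recovered?, predictions correct?)."""
    victim = Xoshiro128StarStar(seed)
    seen = [victim.next() for _ in range(4)]    # e.g. four sniffed port/ID values
    truth = [victim.next() for _ in range(3)]   # what the victim emits next
    return recover_state(seen) == list(seed), predict_next(seen, 3) == truth


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Four passively observed values are enough because both the scrambler and the state transition are invertible or linear; no brute force is involved. That is the property a cryptographically secure generator, which the release notes say named now uses, does not have: its outputs carry no usable algebraic relation to one another, so observing past ports and IDs gives no advantage in guessing the next ones.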


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 pkgsrc/net/bind918/Makefile
cvs rdiff -u -r1.31 -r1.32 pkgsrc/net/bind918/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/patches/patch-config.h.in

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/bind918/Makefile
diff -u pkgsrc/net/bind918/Makefile:1.57 pkgsrc/net/bind918/Makefile:1.58
--- pkgsrc/net/bind918/Makefile:1.57    Sun Sep 21 21:37:07 2025
+++ pkgsrc/net/bind918/Makefile Wed Oct 22 14:32:26 2025
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.57 2025/09/21 21:37:07 wiz Exp $
+# $NetBSD: Makefile,v 1.58 2025/10/22 14:32:26 taca Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
-PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  https://downloads.isc.org/isc/bind9/${BIND_VERSION}/
 EXTRACT_SUFX=  .tar.xz
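Review bot: dropping the PKGREVISION=1 line instead of resetting it to 0 is the right move in this hunk, since PKGNAME is derived from DISTNAME=bind-${BIND_VERSION} and a new BIND_VERSION restarts the revision counter (bind-9.18.39nb1 to bind-9.18.41 still orders as an upgrade); nothing to change here.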
@@ -16,7 +15,7 @@ CONFLICTS+=   host-[0-9]*
 
 MAKE_JOBS_SAFE=        no
 
-BIND_VERSION=  9.18.39
+BIND_VERSION=  9.18.41
 
 BUILD_DEFS+=   BIND_DIR VARBASE
 
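Review bot: BIND_VERSION goes from 9.18.39 straight to 9.18.41, but the log message reproduces only the 9.18.41 release notes; whatever 9.18.40 changed is pulled in by this same bump and is not mentioned anywhere, so the log should at least say that 9.18.40 is skipped over and point readers at its notes as well.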

Index: pkgsrc/net/bind918/distinfo
diff -u pkgsrc/net/bind918/distinfo:1.31 pkgsrc/net/bind918/distinfo:1.32
--- pkgsrc/net/bind918/distinfo:1.31    Sun Aug 24 08:56:59 2025
+++ pkgsrc/net/bind918/distinfo Wed Oct 22 14:32:26 2025
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.31 2025/08/24 08:56:59 taca Exp $
+$NetBSD: distinfo,v 1.32 2025/10/22 14:32:26 taca Exp $
 
-BLAKE2s (bind-9.18.39.tar.xz) = 6a342d34718f49cde2c296c099f70ee7f5d4e79ee0ae75d896bf7fb0315d3797
-SHA512 (bind-9.18.39.tar.xz) = fd6d45c9cb9c599d8770c18801fad2f177faf3a8af82948800d186ae6dc9eb2c894b61802def0841eb722c615c93c077b55368204f0cf2737a3c50d949efca07
-Size (bind-9.18.39.tar.xz) = 5383056 bytes
+BLAKE2s (bind-9.18.41.tar.xz) = 8171c1d2b407f6474d47ff54169ddaebf029cdb6253dd5be1091290a3ce283b1
+SHA512 (bind-9.18.41.tar.xz) = aba4a0add07f1feb2825852faeed14bc946628b818adac93401890cd67ead17c2fd8d820bca70ba7f8c2788dc65195baccc93f87249fb7e47077354341ff0839
+Size (bind-9.18.41.tar.xz) = 5427116 bytes
 SHA1 (patch-bin_named_main.c) = 4e4a763c478f1fcecb7e65968cf6ca20dacf01f1
 SHA1 (patch-bin_named_os.c) = 5ecb0883076575d8ac5fcad68f9daad6c9be0d0b
 SHA1 (patch-bin_named_server.c) = 52190897c4c4b141d98ca5bca7cc3eb4c83ac584
-SHA1 (patch-config.h.in) = 6072793048cdf590863046355eeffa1d93524c36
+SHA1 (patch-config.h.in) = e3fe4028524e8d236017cb4da43114206839201f
 SHA1 (patch-configure.ac) = 65f4255300a0ab3b6b663fe59412570fd7b08675
 SHA1 (patch-lib_dns_byaddr.c) = 647ddaaaf040233e18d1a87d83bc2bd63d2a20e3
 SHA1 (patch-lib_dns_gssapi__link.c) = 72296598b0bdd2a57d0f38ecf1775e2898a041c6
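Review bot: the BLAKE2s, SHA512 and Size lines move together to bind-9.18.41.tar.xz and the only patch checksum touched is patch-config.h.in, which matches the regenerated patch; what distinfo cannot record is where those values came from, so for a security release it is worth stating in the log that the fetched tarball was checked against ISC's published signature or hash before the local hashes were recorded, rather than leaving it to be assumed.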

Index: pkgsrc/net/bind918/patches/patch-config.h.in
diff -u pkgsrc/net/bind918/patches/patch-config.h.in:1.1 pkgsrc/net/bind918/patches/patch-config.h.in:1.2
--- pkgsrc/net/bind918/patches/patch-config.h.in:1.1    Sun Dec 11 01:57:55 2022
+++ pkgsrc/net/bind918/patches/patch-config.h.in        Wed Oct 22 14:32:26 2025
@@ -1,11 +1,11 @@
-$NetBSD: patch-config.h.in,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+$NetBSD: patch-config.h.in,v 1.2 2025/10/22 14:32:26 taca Exp $
 
 * Based on NetBSD, add support for blocklist(blacklist).
 
---- config.h.in.orig   2022-03-07 08:48:03.000000000 +0000
+--- config.h.in.orig   2025-10-18 10:21:42.458286762 +0000
 +++ config.h.in
-@@ -54,6 +54,12 @@
- /* Define to 1 if you have the `BN_GENCB_new' function. */
+@@ -33,6 +33,12 @@
+ /* Define to 1 if you have the 'BN_GENCB_new' function. */
  #undef HAVE_BN_GENCB_NEW
  
 +/* Define to 1 if blacklist is supported. */
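Review bot: only the hunk offset (@@ -54 to @@ -33) and the context quoting (`BN_GENCB_new' to 'BN_GENCB_new', the newer autoconf style) change here; the added lines beginning "+/* Define to 1 if blacklist is supported. */" are the same as before, so this is a pure resync of the patch against a regenerated config.h.in. The 21-line upward shift means defines before the HAVE_BN_GENCB_NEW anchor were dropped upstream, so it is worth a quick check that the resulting config.h.in still has the blacklist block exactly once; the description line "Based on NetBSD, add support for blocklist(blacklist)." could also name the define it introduces so the next resync is easier to verify.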


