pkgsrc-Changes archive


CVS commit: [pkgsrc-2026Q1] pkgsrc/net/bind918



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu May 21 03:07:44 UTC 2026

Modified Files:
        pkgsrc/net/bind918 [pkgsrc-2026Q1]: Makefile distinfo

Log Message:
Pullup ticket #7123 - requested by taca
net/bind918: Security fix

Revisions pulled up:
- net/bind918/Makefile                                          1.68
- net/bind918/distinfo                                          1.40

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Wed May 20 13:07:16 UTC 2026

   Modified Files:
        pkgsrc/net/bind918: Makefile distinfo

   Log Message:
   net/bind918: update to 9.18.49

   BIND 9.18.49 (2026-05-20)

   Security Fixes

   * Limit resolver server list size. (CVE-2026-3592)

     When resolving a domain with many nameservers that shared overlapping IP
     addresses (e.g., 10 NS records all pointing at the same set of addresses),
     BIND could previously waste time querying duplicate addresses and build up
     excessively large server lists.  Addresses in the resolver's server list
     are now deduplicated so that each unique IP is only queried once per
     resolution attempt, regardless of how many NS records point to it.  The
     number of addresses stored per nameserver name is also now capped at six
     (combined A and AAAA), preventing memory and CPU overhead from domains
     with unusually large NS/glue sets.

     ISC would like to thank Shuhan Zhang from Tsinghua University for
     reporting this issue.  [GL #5641]

   * Fix GSS-API resource leak. (CVE-2026-3039)

     A memory leak was fixed where each GSS-API TKEY negotiation leaked a
     security context inside the GSS library.  An unauthenticated attacker
     could exhaust server memory by sending repeated TKEY queries to a server
     with tkey-gssapi-keytab configured.  The leaked memory was allocated by
     the GSS library, bypassing BIND's memory accounting.

     Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected,
     as BIND never supported it correctly and Kerberos/SPNEGO completes in a
     single round.

     ISC would like to thank Vitaly Simonovich for bringing this vulnerability
     to our attention.  [GL #5752]

   * Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)

     Recursion, dynamic updates (UPDATE), and zone change notifications
     (NOTIFY) are now disabled for views with a class other than IN (such as
     CHAOS or HESIOD); authoritative service for non-IN zones
     (e.g. version.bind in class CHAOS) continues to work as before.  Servers
     configured with recursion yes; in a non-IN view log a warning at startup,
     and named-checkconf flags the same condition.  UPDATE and NOTIFY messages
     that specify the meta-classes ANY or NONE in the question section are now
     rejected with FORMERR.

     This addresses a set of closely related security issues collectively
     identified as CVE-2026-5946.  ISC would like to thank Mcsky23 for bringing
     these issues to our attention.  [GL #5784]

   * Avoid unbounded recursion loop. (CVE-2026-5950)

     A bug during bad server handling could cause the resolver to enter an
     infinite loop, continuously sending queries to an upstream server with no
     exit condition, until the resolver query timeout was hit.  This has been
     fixed.

     ISC would like to thank Billy Baraja (BielraX) for bringing this issue to
     our attention.  [GL #5804]

   * Fix outgoing zone transfers' quota issue.

     Unauthorized clients could consume the entire outgoing zone-transfer quota
     and block authorized zone transfer clients.  This has been fixed.  [GL
     #3589]

   Feature Changes

   * Fix CPU spikes and slow queries when cache approaches memory limit.

     Cache cleanup is now spread probabilistically to avoid CPU usage spikes
     and a drop in query throughput.  [GL #5891]

   Bug Fixes

   * Fix named crash when processing SIG records in dynamic updates.
     [GL #5818]
   * Fix rndc modzone behavior for a zone in named.conf.  [GL #5826]
   * Fix zone verification of NSEC3 signed zones.  [GL #5834]
   * Prevent a crash when using both dns64 and filter-aaaa.  [GL #5854]
   * Fixed an assertion failure when processing catalog zones.  [GL #5858]
   * Prevent malicious DNSSEC zones from exhausting validator CPU.  [GL #5881]
   * Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
     [GL #5903]
   * Prevent crafted queries from degrading RRL performance.  [GL #5906]
   * Fix a bug in allow-query/allow-transfer catalog zone custom properties.
     [GL #5941]
   * Fix a memory leak issue in catalog zones.  [GL #5943]
   * Fix suppressed missing-glue check in named-checkzone.
   * Reject record sets too large to serve in DNS.  [GL !11963]


To generate a diff of this commit:
cvs rdiff -u -r1.66.2.1 -r1.66.2.2 pkgsrc/net/bind918/Makefile
cvs rdiff -u -r1.38.2.1 -r1.38.2.2 pkgsrc/net/bind918/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/bind918/Makefile
diff -u pkgsrc/net/bind918/Makefile:1.66.2.1 pkgsrc/net/bind918/Makefile:1.66.2.2
--- pkgsrc/net/bind918/Makefile:1.66.2.1        Sun Apr  5 16:12:57 2026
+++ pkgsrc/net/bind918/Makefile Thu May 21 03:07:44 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.66.2.1 2026/04/05 16:12:57 maya Exp $
+# $NetBSD: Makefile,v 1.66.2.2 2026/05/21 03:07:44 maya Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
@@ -15,7 +15,7 @@ CONFLICTS+=   host-[0-9]*
 
 MAKE_JOBS_SAFE=        no
 
-BIND_VERSION=  9.18.48
+BIND_VERSION=  9.18.49
 
 BUILD_DEFS+=   BIND_DIR VARBASE
 
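Review bot: The `BIND_VERSION=` line is the only functional change in this Makefile hunk, so nothing visible here shows whether a `PKGREVISION` left over from 9.18.48 was dropped along with the bump. If the 9.18.48 Makefile carried one, remove it in the same pullup so the resulting package name is a plain 9.18.49 and sorts as newer than every 9.18.48 revision.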

Index: pkgsrc/net/bind918/distinfo
diff -u pkgsrc/net/bind918/distinfo:1.38.2.1 pkgsrc/net/bind918/distinfo:1.38.2.2
--- pkgsrc/net/bind918/distinfo:1.38.2.1        Sun Apr  5 16:12:57 2026
+++ pkgsrc/net/bind918/distinfo Thu May 21 03:07:44 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.38.2.1 2026/04/05 16:12:57 maya Exp $
+$NetBSD: distinfo,v 1.38.2.2 2026/05/21 03:07:44 maya Exp $
 
-BLAKE2s (bind-9.18.48.tar.xz) = e13114efe5651bef075e5296cdad8f7a667e6b15467d77f8b561b11886709717
-SHA512 (bind-9.18.48.tar.xz) = 9c93fe60e8fdfa140cfd535beaf42b368aed885aa97669f990f100c8d75d02cb2b0423f87e8b0f36315fda5bb998e18b7bf8d3d649e9ffe32a4724947a5bebe7
-Size (bind-9.18.48.tar.xz) = 5452356 bytes
+BLAKE2s (bind-9.18.49.tar.xz) = 9427430160992a3d37f561326f2e7ce3894ae8e60ad45c039b68ba5f24e5b4d6
+SHA512 (bind-9.18.49.tar.xz) = e5259db8b9fdb3940d4e1d95978514692777a3675fc85a83db30e049d80d8150d10e672d51eeb885a94c6bbd4573ff8fe49248117c24ff155197a24a26b09544
+Size (bind-9.18.49.tar.xz) = 5476288 bytes
 SHA1 (patch-bin_named_main.c) = 4e4a763c478f1fcecb7e65968cf6ca20dacf01f1
 SHA1 (patch-bin_named_os.c) = 5ecb0883076575d8ac5fcad68f9daad6c9be0d0b
 SHA1 (patch-bin_named_server.c) = 52190897c4c4b141d98ca5bca7cc3eb4c83ac584
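Review bot: The three `SHA1 (patch-bin_named_*.c)` context lines are unchanged across the 9.18.48 to 9.18.49 bump, so the local patches to `main.c`, `os.c` and `server.c` are carried over as-is. Confirm they still apply without fuzz to the new sources. The new `BLAKE2s` and `SHA512` values should be generated from a tarball whose upstream signature was checked first, since every later fetch on the branch is pinned to these two lines.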


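The CVE-2026-3039 and CVE-2026-5946 notes in the log message above each name a `named.conf` setting that decides whether a server is affected. The following is an added triage example, not code from this commit or from BIND: it uses a simplified tokenizer, `SAMPLE` is a constructed configuration, and it does not follow `include` files or track `recursion` inherited from `options`.

```python
import re

# Simplified named.conf tokenizer: quoted strings are matched first so that a
# '#' or '//' inside a path is not taken for a comment; comments are dropped.
TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)
TRUE = {"yes", "true", "1"}
UPDATE_STMTS = {"allow-update", "update-policy"}

# Constructed sample configuration, not taken from a real server.
SAMPLE = '''
options { directory "/var/named"; tkey-gssapi-keytab "/etc/krb5.keytab"; };
view "internal" { recursion yes; };      # class defaults to IN
view "legacy" chaos {
    recursion yes;
    zone "bind" chaos { type primary; file "bind.zone";
                        allow-update { key "ddns"; }; };
};
view "info" hesiod { /* recursion yes; */ recursion no; };
'''

def audit(conf_text):
    """Return (cve, detail) pairs for settings the 9.18.49 notes single out."""
    toks = [t for t in TOKEN.findall(conf_text)
            if not t.startswith(("/*", "//", "#"))]
    findings, depth, view, i = [], 0, None, 0
    while i < len(toks):
        t = toks[i]
        stmt_start = i == 0 or toks[i - 1] in ("{", "}", ";")
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
            view = view if depth else None      # left the view block
        elif stmt_start and depth == 0 and t == "view":
            j = toks.index("{", i)              # header: name, optional class
            cls = toks[i + 2].upper() if j > i + 2 else "IN"
            view, i = (toks[i + 1].strip('"'), cls), j
            continue
        elif stmt_start and t == "tkey-gssapi-keytab":
            findings.append(("CVE-2026-3039", t + " " + toks[i + 1].strip('"')))
        elif stmt_start and view and view[1] != "IN":
            where = f"view {view[0]} ({view[1]})"
            if depth == 1 and t == "recursion" and toks[i + 1].lower() in TRUE:
                findings.append(("CVE-2026-5946", f"{where}: recursion yes"))
            elif t in UPDATE_STMTS:             # UPDATE is disabled in non-IN views
                findings.append(("CVE-2026-5946", f"{where}: {t}"))
        i += 1
    return findings
```

Calling `audit()` on the text of a server's `named.conf` lists the settings to review before and after moving to 9.18.49; after the upgrade, `named-checkconf` reports the non-IN `recursion yes;` case itself.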
