bind920: update to version 9.20.21.

To: pkgsrc-wip-changes%NetBSD.org@localhost
Subject: bind920: update to version 9.20.21.
From: Havard Eidnes (via pkgsrc-wip) <commit-notify%pkgsrc.org@localhost>
Date: Sat, 28 Mar 2026 09:10:57 +0000

Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Sat Mar 28 10:10:28 2026 +0100
Changeset:	9c8ad2fc70c041dab812896057e948a6b8669c6e

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to version 9.20.21.

Pkgsrc changes:
 * Update checksums

Upstream changes:

BIND 9.20.21
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating
  referrals to unsigned delegations. ``5af03a06066``

  DNSSEC-signed zones may contain high iteration-count NSEC3 records,
  which prove that certain delegations are insecure. Previously, a
  validating resolver encountering such a delegation processed these
  iterations up to the number given, which could be a maximum of 65,535.
  This has been addressed by introducing a processing limit, set at 50.
  Now, if such an NSEC3 record is encountered, the delegation will be
  treated as insecure.

  ISC would like to thank Samy Medjahed/Ap4sh for bringing this
  vulnerability to our attention. :gl:`#5708`

- [CVE-2026-3104] Fix memory leaks in code preparing DNSSEC proofs of
  non-existence. ``13215b9cbbf``

  An attacker controlling a DNSSEC-signed zone could trigger a memory
  leak in the logic preparing DNSSEC proofs of non-existence, by
  creating more than :any:`max-records-per-type` RRSIGs for NSEC
  records. These memory leaks have been fixed.

  ISC would like to thank Vitaly Simonovich for bringing this
  vulnerability to our attention. :gl:`#5742`

- [CVE-2026-3119] Prevent a crash in code processing queries containing
  a TKEY record. ``308baa89105``

  The :iscman:`named` process could terminate unexpectedly when
  processing a correctly signed query containing a TKEY record. This has
  been fixed.

  ISC would like to thank Vitaly Simonovich for bringing this
  vulnerability to our attention. :gl:`#5748`

- [CVE-2026-3591] Fix a stack use-after-return flaw in SIG(0) handling
  code. ``aaaae0fd97e``

  A stack use-after-return flaw in SIG(0) handling code could enable ACL
  bypass and/or assertion failures in certain circumstances. This flaw
  has been fixed.

  ISC would like to thank Mcsky23 for bringing this vulnerability to our
  attention. :gl:`#5754`

Bug Fixes
~~~~~~~~~

- Resolve "key defined in view is not found" ``819fe452745``

  Commit `2956e4fc` hardened the `key` name check when used in
  `primaries` to reject the configuration if the key was not defined,
  rather than simply checking whether the key name was correctly formed.

  However, the key name check didn't include the view configuration,
  causing keys not to be recognized if they were defined inside the view
  and not at the global level.  This regression is now fixed.
  :gl:`#5761` :gl:`!11613`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=9c8ad2fc70c041dab812896057e948a6b8669c6e

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index 8671a6bc66..3d93c20c7e 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.20
+BIND_VERSION=	9.20.21
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
diff --git a/bind920/distinfo b/bind920/distinfo
index d7aa48e7c4..76f14a064e 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.20.tar.xz) = 82ffd9cd57b3ea8f04b48f778e95f6c87609a5bef0f5ee37f4fcb39f85dc74ca
-SHA512 (bind-9.20.20.tar.xz) = 46cd2983bdf45f65e3f134c5ae13b04b574836839dc6efac701146cf6a216a42ffa84b6f7267596b6b92b391e7845aa055031417053a3ebaa718cfc51db1ada7
-Size (bind-9.20.20.tar.xz) = 5802548 bytes
+BLAKE2s (bind-9.20.21.tar.xz) = 3b4949d5a66eca85b0354efe1d571070a279b773c8c4e90783a5b418072efe80
+SHA512 (bind-9.20.21.tar.xz) = f0f566a243268a579a7c97409409699aa66a08e82982d48046c83d9dfd01f8a9c337af7bb80018773667fcc98a5e6fb9f244ac28e72688ab04a494337605c616
+Size (bind-9.20.21.tar.xz) = 5808576 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2

Prev by Date: Update syncthing to 2.0.15 and remove lock to go 1.25
Next by Date: TODO: + wlroots-0.20.
Previous by Thread: Update syncthing to 2.0.15 and remove lock to go 1.25
Next by Thread: TODO: + wlroots-0.20.
Indexes:

Home | Main Index | Thread Index | Old Index