bind: bump to 9.20.23

Resolves several security issues:

- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
  received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.

Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html

Signed-off-by: Noah Meyerhans <redacted>

diff --git a/net/bind/Makefile b/net/bind/Makefile
index 52633726ea9d596f454fb232cecce871aea110e0..31caa6e4d8e6fb690943084d168c01ee0e0ca707 100644 (file)
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -9,8 +9,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bind
-PKG_VERSION:=9.20.21
-PKG_RELEASE:=2
+PKG_VERSION:=9.20.23
+PKG_RELEASE:=1
 USERID:=bind=57:bind=57
 
 PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:= \
        https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
        https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=15e1b5a227d2890f7c4e823a6ea018de70ee2f3a0e859cbff3d82aad8590de03
+PKG_HASH:=5d4475aed3f9e500ef554b2b14d972bdb83d33de214a9b3be92918ea46908371
 
 PKG_INSTALL:=1
 PKG_BUILD_FLAGS:=no-mips16

diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
index a08f69331b1caf1fc2c84e3e8f3d8d176765d884..25ee1f71177c4dd015ec9be9d87426849ff5ee26 100644 (file)
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
@@ -13,15 +13,15 @@ restore the automatic zone to the view.
 
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
-@@ -13931,6 +13931,7 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13919,6 +13919,7 @@ do_addzone(named_server_t *server, ns_cf
           bool redirect, isc_buffer_t **text) {
        isc_result_t result, tresult;
        dns_zone_t *zone = NULL;
 +      dns_zone_t *oldzone = NULL;
+       bool locked = false;
  #ifndef HAVE_LMDB
        FILE *fp = NULL;
-       bool cleanup_config = false;
-@@ -13949,7 +13950,13 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13937,7 +13938,13 @@ do_addzone(named_server_t *server, ns_cf
        } else {
                result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone);
                if (result == ISC_R_SUCCESS) {
@@ -36,7 +36,7 @@ restore the automatic zone to the view.
                }
        }
        if (result != ISC_R_NOTFOUND) {
-@@ -13958,6 +13965,10 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13946,6 +13953,10 @@ do_addzone(named_server_t *server, ns_cf
  
        isc_loopmgr_pause(named_g_loopmgr);
  
@@ -47,7 +47,7 @@ restore the automatic zone to the view.
  #ifndef HAVE_LMDB
        /*
         * Make sure we can open the configuration save file
-@@ -14062,6 +14073,11 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14050,6 +14061,11 @@ do_addzone(named_server_t *server, ns_cf
                /* Remove the zone from the zone table */
                dns_view_delzone(view, zone);
                goto cleanup;
@@ -59,7 +59,7 @@ restore the automatic zone to the view.
        }
  
        /* Flag the zone as having been added at runtime */
-@@ -14078,6 +14094,22 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14066,6 +14082,22 @@ do_addzone(named_server_t *server, ns_cf
  
  cleanup:
  

diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
index 5a0805b9f25c5ed6dc71ddcfd1c46a672c49903c..580f9138a8977e68447ef81b62c93a5947ed96f8 100644 (file)
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
@@ -85,7 +85,7 @@ Subject: [PATCH 2/4] Check if adding new zone can replace an automatic empty
 +};
 --- a/bin/tests/system/addzone/tests.sh
 +++ b/bin/tests/system/addzone/tests.sh
-@@ -68,6 +68,35 @@ n=$((n + 1))
+@@ -88,6 +88,35 @@ n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))
  

diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
index 1e49c12d5625c7417b8808101da6a50bf05c7278..395b9af56759025d570f815cb449fb5d454f3134 100644 (file)
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
@@ -10,7 +10,7 @@ Subject: [PATCH 4/4] fixup! Check if adding new zone can replace an automatic
 
 --- a/bin/tests/system/addzone/tests.sh
 +++ b/bin/tests/system/addzone/tests.sh
-@@ -84,6 +84,23 @@ n=$((n + 1))
+@@ -104,6 +104,23 @@ n=$((n + 1))
  if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status + ret))