bind: bump to 9.20.21

Fixes several security issues:

- CVE-2026-1519 Fix unbounded NSEC3 iterations when validating
  referrals to unsigned delegations.
- CVE-2026-3104 Fix memory leaks in code preparing DNSSEC proofs of
  non-existence.
- CVE-2026-3119 Prevent a crash in code processing queries containing
  a TKEY record.
- CVE-2026-3591 Fix a stack use-after-return flaw in SIG(0) handling
  code.

Signed-off-by: Noah Meyerhans <redacted>

diff --git a/net/bind/Makefile b/net/bind/Makefile
index fa709878d1750f76b04c7da5534e268b923f8f18..497b0aa449ebf2ca48fdcfbac9f592900777f712 100644 (file)
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -9,8 +9,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bind
-PKG_VERSION:=9.20.18
-PKG_RELEASE:=2
+PKG_VERSION:=9.20.21
+PKG_RELEASE:=1
 USERID:=bind=57:bind=57
 
 PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:= \
        https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
        https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=dfc546c990ac4515529cd45c4dd995862b18ae8a2d0cb29208e8896a5d325331
+PKG_HASH:=15e1b5a227d2890f7c4e823a6ea018de70ee2f3a0e859cbff3d82aad8590de03
 
 PKG_INSTALL:=1
 PKG_BUILD_FLAGS:=no-mips16

diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
index 9d7f313e503b1e990f2c794179d9733f5bda18e6..a08f69331b1caf1fc2c84e3e8f3d8d176765d884 100644 (file)
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
@@ -13,7 +13,7 @@ restore the automatic zone to the view.
 
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
-@@ -13946,6 +13946,7 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13931,6 +13931,7 @@ do_addzone(named_server_t *server, ns_cf
           bool redirect, isc_buffer_t **text) {
        isc_result_t result, tresult;
        dns_zone_t *zone = NULL;
@@ -21,7 +21,7 @@ restore the automatic zone to the view.
  #ifndef HAVE_LMDB
        FILE *fp = NULL;
        bool cleanup_config = false;
-@@ -13964,7 +13965,13 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13949,7 +13950,13 @@ do_addzone(named_server_t *server, ns_cf
        } else {
                result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone);
                if (result == ISC_R_SUCCESS) {
@@ -36,7 +36,7 @@ restore the automatic zone to the view.
                }
        }
        if (result != ISC_R_NOTFOUND) {
-@@ -13973,6 +13980,10 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13958,6 +13965,10 @@ do_addzone(named_server_t *server, ns_cf
  
        isc_loopmgr_pause(named_g_loopmgr);
  
@@ -47,7 +47,7 @@ restore the automatic zone to the view.
  #ifndef HAVE_LMDB
        /*
         * Make sure we can open the configuration save file
-@@ -14077,6 +14088,11 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14062,6 +14073,11 @@ do_addzone(named_server_t *server, ns_cf
                /* Remove the zone from the zone table */
                dns_view_delzone(view, zone);
                goto cleanup;
@@ -59,7 +59,7 @@ restore the automatic zone to the view.
        }
  
        /* Flag the zone as having been added at runtime */
-@@ -14093,6 +14109,22 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14078,6 +14094,22 @@ do_addzone(named_server_t *server, ns_cf
  
  cleanup: