From c8279f7c69b8288a06a8f73a840826ef177e060f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sat, 1 Nov 2025 04:47:49 -0400 Subject: [PATCH 1/6] Fix incorrect length checks for BRID and HHIT records Fix incorrect length checks in the towire_*() methods for BRID and HHIT records to prevent assertion failures when trying to serve short records. (cherry picked from commit 14e299995f8f1dd8faeb7c5395a5a0c12b0f43f4) --- lib/dns/rdata/generic/brid_68.c | 2 +- lib/dns/rdata/generic/hhit_67.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/rdata/generic/brid_68.c b/lib/dns/rdata/generic/brid_68.c index 3dbae97309..316a822cd3 100644 --- a/lib/dns/rdata/generic/brid_68.c +++ b/lib/dns/rdata/generic/brid_68.c @@ -84,7 +84,7 @@ fromwire_brid(ARGS_FROMWIRE) { static isc_result_t towire_brid(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_brid); - REQUIRE(rdata->length >= 3); + REQUIRE(rdata->length > 0); UNUSED(cctx); diff --git a/lib/dns/rdata/generic/hhit_67.c b/lib/dns/rdata/generic/hhit_67.c index d117aa6ef0..b66e1a7386 100644 --- a/lib/dns/rdata/generic/hhit_67.c +++ b/lib/dns/rdata/generic/hhit_67.c @@ -84,7 +84,7 @@ fromwire_hhit(ARGS_FROMWIRE) { static isc_result_t towire_hhit(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_hhit); - REQUIRE(rdata->length >= 3); + REQUIRE(rdata->length > 0); UNUSED(cctx); From 2ab0a4433606c646fd79ca95275aedfc8ccd40b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 8 Jan 2026 16:12:53 +0100 Subject: [PATCH 2/6] Generate changelog for BIND 9.20.18 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.20.18.rst | 105 ++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 doc/changelog/changelog-9.20.18.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3109532212..e2554aceaa 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst 
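Review bot: The relaxed precondition `REQUIRE(rdata->length > 0);` in towire_brid, and the identical one in towire_hhit, is only safe if it matches exactly what fromwire_brid()/fromwire_hhit() and the text parsers accept, and neither hunk shows those functions. Any other `REQUIRE(rdata->length ...)` checks in brid_68.c and hhit_67.c (totext, tostruct, compare and similar methods, if present) should be confirmed to use the same bound, since a leftover `>= 3` would presumably leave the same assertion failure reachable by another path. The patch touches only these two lines and adds no regression test; a unit test that passes 1- and 2-octet BRID and HHIT rdata through towire would pin the fix. I would also add a comment above each check, e.g. `/* Any non-empty rdata is valid; keep in sync with fromwire_brid(). */`. Both function bodies continue outside the hunks.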
@@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.20.18.rst .. include:: ../changelog/changelog-9.20.17.rst .. include:: ../changelog/changelog-9.20.16.rst .. include:: ../changelog/changelog-9.20.15.rst diff --git a/doc/changelog/changelog-9.20.18.rst b/doc/changelog/changelog-9.20.18.rst new file mode 100644 index 0000000000..e1400444a1 --- /dev/null +++ b/doc/changelog/changelog-9.20.18.rst 
@@ -0,0 +1,105 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.20.18 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT + records. ``d4c0d61701`` + + Malformed BRID and HHIT records could trigger an assertion failure. + This has been fixed. + + ISC would like to thank Vlatko Kosturjak from Marlink Cyber for + bringing this vulnerability to our attention. :gl:`#5616` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Support compilation with cmocka 2.0.0+ ``bb9234c6ce`` + + The `assert_in_range()` function was deprecated in favor of + `assert_int_in_range()` and `assert_uint_in_range()`. Add + compatibility shims for cmocka<2.0.0 and use the new functions. + :gl:`#5699` :gl:`!11437` + +- Add more information to the rndc recursing output about fetches. + ``9766feb4df`` + + This adds more information about the active fetches for debugging and + diagnostic purposes. :gl:`!11358` + +Bug Fixes +~~~~~~~~~ + +- Make key rollovers more robust. ``7a70d05b5d`` + + A manual rollover when the zone is in an invalid DNSSEC state causes + predecessor keys to be removed too quickly. Additional safeguards to + prevent this have been added. DNSSEC records will not be removed from + the zone until the underlying state machine has moved back into a + valid DNSSEC state. :gl:`#5458` :gl:`!11329` + +- Fix a catalog zones issue when a member zone could fail to load. + ``95cbc2c327`` + + A catalog zone's member zone could fail to load in some rare cases, + when the internally generated zone configuration string was exceeding + 512 bytes. 
That condition only was not enough for the issue to arise, + but it was a necessary condition. This could happen, for example, if + the catalog zone's default primary servers list contained a large + number of items. This has been fixed. :gl:`#5658` :gl:`!11349` + +- Allow glue in delegations with QTYPE=ANY. ``441158ac18`` + + When a query for type ANY triggered a delegation response, all + additional data was omitted from the response, including mandatory + glue. This has been corrected. :gl:`#5659` :gl:`!11283` + +- Adding NSEC3 opt-out records could leave invalid records in chain. + ``1b90296e1f`` + + When creating an NSEC3 opt-out chain, a node in the chain could be + removed too soon, causing the previous NSEC3 being unable to be found, + resulting in invalid NSEC3 records to be left in the zone. This has + been fixed. :gl:`#5671` :gl:`!11340` + +- Fix slow speed of NSEC3 optout large delegation zone signing. + ``88f915b77b`` + + BIND 9.20 takes much more time signing a large delegation zone with + NSEC3 optout compared to version 9.18. This has been restored. + :gl:`#5672` :gl:`!11362` + +- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. + ``1d0e19c612`` + + A zone that is signed with NSEC3, opt-out enabled, and then + reconfigured to use NSEC, causes the zone to be published with missing + NSEC records. This has been fixed. :gl:`#5679` :gl:`!11401` + +- Fix a possible catalog zone issue during reconfiguration. + ``911b45b2b3`` + + The :iscman:`named` process could terminate unexpectedly during + reconfiguration when a catalog zone update was taking place at the + same time. This has been fixed. :gl:`!11386` + +- Fix the charts in the statistics channel. ``7c7b01dd65`` + + The charts in the statistics channel could sometimes fail to render in + the browser, and were completely disabled for Mozilla-based browsers + for historical reasons. This has been fixed. :gl:`!11364` + + 
From 64c46390cc5d077ec6408ec19fadd3cb1f7d17ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 8 Jan 2026 16:17:09 +0100 Subject: [PATCH 3/6] Prepare release notes for BIND 9.20.18 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.20.18.rst | 92 +++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 doc/notes/notes-9.20.18.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 9a4c08ed5f..e77156befc 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.20 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.20 +.. include:: ../notes/notes-9.20.18.rst .. include:: ../notes/notes-9.20.17.rst .. include:: ../notes/notes-9.20.16.rst .. include:: ../notes/notes-9.20.15.rst diff --git a/doc/notes/notes-9.20.18.rst b/doc/notes/notes-9.20.18.rst new file mode 100644 index 0000000000..5381cf6062 --- /dev/null +++ b/doc/notes/notes-9.20.18.rst 
@@ -0,0 +1,92 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.20.18 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT + records. + + Malformed BRID and HHIT records could trigger an assertion failure. + This has been fixed. + + ISC would like to thank Vlatko Kosturjak from Marlink Cyber for + bringing this vulnerability to our attention. :gl:`#5616` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Add more information to the rndc recursing output about fetches. + + This adds more information about the active fetches for debugging and + diagnostic purposes. + +Bug Fixes +~~~~~~~~~ + +- Make key rollovers more robust. + + A manual rollover when the zone is in an invalid DNSSEC state causes + predecessor keys to be removed too quickly. Additional safeguards to + prevent this have been added. DNSSEC records will not be removed from + the zone until the underlying state machine has moved back into a + valid DNSSEC state. :gl:`#5458` + +- Fix a catalog zones issue when a member zone could fail to load. + + A catalog zone's member zone could fail to load in some rare cases, + when the internally generated zone configuration string was exceeding + 512 bytes. That condition only was not enough for the issue to arise, + but it was a necessary condition. This could happen, for example, if + the catalog zone's default primary servers list contained a large + number of items. This has been fixed. :gl:`#5658` + +- Allow glue in delegations with QTYPE=ANY. 
+ + When a query for type ANY triggered a delegation response, all + additional data was omitted from the response, including mandatory + glue. This has been corrected. :gl:`#5659` + +- Adding NSEC3 opt-out records could leave invalid records in chain. + + When creating an NSEC3 opt-out chain, a node in the chain could be + removed too soon, causing the previous NSEC3 being unable to be found, + resulting in invalid NSEC3 records to be left in the zone. This has + been fixed. :gl:`#5671` + +- Fix slow speed of NSEC3 optout large delegation zone signing. + + BIND 9.20 takes much more time signing a large delegation zone with + NSEC3 optout compared to version 9.18. This has been restored. + :gl:`#5672` + +- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. + + A zone that is signed with NSEC3, opt-out enabled, and then + reconfigured to use NSEC, causes the zone to be published with missing + NSEC records. This has been fixed. :gl:`#5679` + +- Fix a possible catalog zone issue during reconfiguration. + + The :iscman:`named` process could terminate unexpectedly during + reconfiguration when a catalog zone update was taking place at the + same time. This has been fixed. + +- Fix the charts in the statistics channel. + + The charts in the statistics channel could sometimes fail to render in + the browser, and were completely disabled for Mozilla-based browsers + for historical reasons. This has been fixed. + + From 1589cc4d7403733bc8c7ef918defbe9fe06228fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Fri, 9 Jan 2026 13:22:47 +0100 Subject: [PATCH 4/6] Remove release note for GL #5671 This was already fixed in the previous release. --- doc/notes/notes-9.20.18.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/doc/notes/notes-9.20.18.rst b/doc/notes/notes-9.20.18.rst index 5381cf6062..ec0602b2fd 100644 --- a/doc/notes/notes-9.20.18.rst +++ b/doc/notes/notes-9.20.18.rst 
@@ -58,13 +58,6 @@ Bug Fixes additional data was omitted from the response, including mandatory glue. This has been corrected. :gl:`#5659` -- Adding NSEC3 opt-out records could leave invalid records in chain. - - When creating an NSEC3 opt-out chain, a node in the chain could be - removed too soon, causing the previous NSEC3 being unable to be found, - resulting in invalid NSEC3 records to be left in the zone. This has - been fixed. :gl:`#5671` - - Fix slow speed of NSEC3 optout large delegation zone signing. BIND 9.20 takes much more time signing a large delegation zone with From 2e625f550a025a2e9564a4371f617c681fe6bba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 8 Jan 2026 16:32:14 +0100 Subject: [PATCH 5/6] Tweak and reword release notes --- doc/notes/notes-9.20.18.rst | 64 +++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/doc/notes/notes-9.20.18.rst b/doc/notes/notes-9.20.18.rst index ec0602b2fd..5c28d91b70 100644 --- a/doc/notes/notes-9.20.18.rst +++ b/doc/notes/notes-9.20.18.rst @@ -15,11 +15,11 @@ Notes for BIND 9.20.18 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT - records. +- Fix incorrect length checks for BRID and HHIT records. + :cve:`2025-13878` - Malformed BRID and HHIT records could trigger an assertion failure. - This has been fixed. + Malformed BRID and HHIT records could trigger an assertion + failure. This has been fixed. ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention. :gl:`#5616` 
@@ -27,59 +27,61 @@ Security Fixes Feature Changes ~~~~~~~~~~~~~~~ -- Add more information to the rndc recursing output about fetches. +- Add more information to the :option:`rndc recursing` output about + fetches. - This adds more information about the active fetches for debugging and - diagnostic purposes. + This adds more information about active fetches, for debugging and + diagnostic purposes. :gl:`!11305` Bug Fixes ~~~~~~~~~ -- Make key rollovers more robust. +- Make DNSSEC key rollovers more robust. - A manual rollover when the zone is in an invalid DNSSEC state causes + A manual rollover when the zone was in an invalid DNSSEC state caused predecessor keys to be removed too quickly. Additional safeguards to - prevent this have been added. DNSSEC records will not be removed from - the zone until the underlying state machine has moved back into a - valid DNSSEC state. :gl:`#5458` + prevent this have been added: DNSSEC records are not removed from the + zone until the underlying state machine has moved back into a valid + DNSSEC state. :gl:`#5458` -- Fix a catalog zones issue when a member zone could fail to load. +- Fix a catalog zone issue, where member zones could fail to load. - A catalog zone's member zone could fail to load in some rare cases, - when the internally generated zone configuration string was exceeding - 512 bytes. That condition only was not enough for the issue to arise, - but it was a necessary condition. This could happen, for example, if - the catalog zone's default primary servers list contained a large - number of items. This has been fixed. :gl:`#5658` + A catalog zone member zone could fail to load in some rare cases, when + the internally generated zone configuration string exceeded 512 bytes. + That condition by itself was not enough for the issue to arise, but it + was necessary. This could happen if, for example, the catalog zone's + default primary servers list contained a large number of items. This + has been fixed. 
:gl:`#5658` - Allow glue in delegations with QTYPE=ANY. When a query for type ANY triggered a delegation response, all additional data was omitted from the response, including mandatory - glue. This has been corrected. :gl:`#5659` + glue. This has been fixed. :gl:`#5659` -- Fix slow speed of NSEC3 optout large delegation zone signing. +- Fix slow speed when signing a large delegation zone with NSEC3 + opt-out. - BIND 9.20 takes much more time signing a large delegation zone with - NSEC3 optout compared to version 9.18. This has been restored. - :gl:`#5672` + BIND 9.20+ took much longer signing a large delegation zone with NSEC3 + opt-out compared to version 9.18. This has been fixed. :gl:`#5672` -- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid. +- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be + invalid. - A zone that is signed with NSEC3, opt-out enabled, and then - reconfigured to use NSEC, causes the zone to be published with missing - NSEC records. This has been fixed. :gl:`#5679` + A zone that was signed with NSEC3, had opt-out enabled, and was then + reconfigured to use NSEC, was published with missing NSEC records. + This has been fixed. :gl:`#5679` - Fix a possible catalog zone issue during reconfiguration. The :iscman:`named` process could terminate unexpectedly during reconfiguration when a catalog zone update was taking place at the - same time. This has been fixed. + same time. This has been fixed. :gl:`!11366` - Fix the charts in the statistics channel. The charts in the statistics channel could sometimes fail to render in - the browser, and were completely disabled for Mozilla-based browsers - for historical reasons. This has been fixed. + the browser and were completely disabled for Mozilla-based browsers, + for historical reasons. This has been fixed. :gl:`!11018` From 0d2e0d8fac7533145533c4e9942322c229a422c3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Fri, 9 Jan 2026 14:33:16 +0100
Subject: [PATCH 6/6] Update BIND version for release
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index c91e36694d..057ae04fc3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 20)dnl
 m4_define([bind_VERSION_PATCH], 18)dnl
-m4_define([bind_VERSION_EXTRA], -dev)dnl
+m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Stable Release)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
 m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl