From 291d05be3491f5a9f40d33ca2897d34e4d373500 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 1 Nov 2025 04:47:49 -0400
Subject: [PATCH 1/5] Fix incorrect length checks for BRID and HHIT records
Fix incorrect length checks in the towire_*() methods for BRID and HHIT records to prevent assertion failures when trying to serve short records.
(cherry picked from commit 14e299995f8f1dd8faeb7c5395a5a0c12b0f43f4)
---
 lib/dns/rdata/generic/brid_68.c | 2 +-
 lib/dns/rdata/generic/hhit_67.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/rdata/generic/brid_68.c b/lib/dns/rdata/generic/brid_68.c
index 11afb16e33..ac3bbb35ae 100644
--- a/lib/dns/rdata/generic/brid_68.c
+++ b/lib/dns/rdata/generic/brid_68.c
@@ -85,7 +85,7 @@ fromwire_brid(ARGS_FROMWIRE) {
 static isc_result_t
 towire_brid(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_brid);
- REQUIRE(rdata->length >= 3);
+ REQUIRE(rdata->length > 0);
 UNUSED(cctx);
diff --git a/lib/dns/rdata/generic/hhit_67.c b/lib/dns/rdata/generic/hhit_67.c
index 8b51a82ddb..c0b57730e7 100644
--- a/lib/dns/rdata/generic/hhit_67.c
+++ b/lib/dns/rdata/generic/hhit_67.c
@@ -85,7 +85,7 @@ fromwire_hhit(ARGS_FROMWIRE) {
 static isc_result_t
 towire_hhit(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_hhit);
- REQUIRE(rdata->length >= 3);
+ REQUIRE(rdata->length > 0);
 UNUSED(cctx);
From 56c4fdb7ff0d6523df903ea1d989205aaeba52ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Thu, 8 Jan 2026 16:42:08 +0100
Subject: [PATCH 2/5] Generate changelog for BIND 9.18.44
---
 doc/arm/changelog.rst | 1 +
 doc/changelog/changelog-9.18.44.rst | 53 +++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 doc/changelog/changelog-9.18.44.rst
diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst
index ad7a7c128a..5925f8ce4f 100644
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
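Review bot: `REQUIRE(rdata->length > 0);` in towire_brid() is still a fatal assertion on the record length, so it holds only if every producer of BRID rdata rejects empty rdata; fromwire_brid() is named in the hunk header, but its body and the other constructors are not shown here. I would state that coupling next to the check, e.g. `/* Lower bound must match the minimum length accepted when the rdata is parsed. */`, and do the same for towire_hhit() in hhit_67.c. The diffstat for this patch lists only the two source files, so no regression test appears to accompany the fix; a unit test that renders 1- and 2-octet BRID and HHIT rdata to wire form would keep the two bounds from drifting apart again. Both function bodies continue past the end of their hunks.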
@@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them.
+.. include:: ../changelog/changelog-9.18.44.rst
 .. include:: ../changelog/changelog-9.18.43.rst
 .. include:: ../changelog/changelog-9.18.42.rst
 .. include:: ../changelog/changelog-9.18.41.rst
diff --git a/doc/changelog/changelog-9.18.44.rst b/doc/changelog/changelog-9.18.44.rst
new file mode 100644
index 0000000000..4118fa3858
--- /dev/null
+++ b/doc/changelog/changelog-9.18.44.rst
@@ -0,0 +1,53 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.18.44
+------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
+ records. ``d556bde123``
+
+ Malformed BRID and HHIT records could trigger an assertion failure.
+ This has been fixed.
+
+ ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
+ bringing this vulnerability to our attention. :gl:`#5616`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Support compilation with cmocka 2.0.0+ ``184df12da4``
+
+ The `assert_in_range()` function was deprecated in favor of
+ `assert_int_in_range()` and `assert_uint_in_range()`. Add
+ compatibility shims for cmocka<2.0.0 and use the new functions.
+ :gl:`#5699` :gl:`!11438`
+
+Bug Fixes
+~~~~~~~~~
+
+- Allow glue in delegations with QTYPE=ANY. ``21ad0222b7``
+
+ When a query for type ANY triggered a delegation response, all
+ additional data was omitted from the response, including mandatory
+ glue. This has been corrected. :gl:`#5659` :gl:`!11368`
+
+- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
+ ``53cfe984e3``
+
+ A zone that is signed with NSEC3, opt-out enabled, and then
+ reconfigured to use NSEC, causes the zone to be published with missing
+ NSEC records. This has been fixed. :gl:`#5679` :gl:`!11402`
+
+
From dd6998527c196ad522b95ae6280820ea7122cdd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Thu, 8 Jan 2026 16:42:51 +0100
Subject: [PATCH 3/5] Prepare release notes for BIND 9.18.44
---
 doc/arm/notes.rst | 1 +
 doc/notes/notes-9.18.44.rst | 42 +++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 doc/notes/notes-9.18.44.rst
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 2f32c5622c..9ff2fe7abe 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -45,6 +45,7 @@ The list of known issues affecting the latest version in the 9.18 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18
+.. include:: ../notes/notes-9.18.44.rst
 .. include:: ../notes/notes-9.18.43.rst
 .. include:: ../notes/notes-9.18.42.rst
 .. include:: ../notes/notes-9.18.41.rst
diff --git a/doc/notes/notes-9.18.44.rst b/doc/notes/notes-9.18.44.rst
new file mode 100644
index 0000000000..6961232164
--- /dev/null
+++ b/doc/notes/notes-9.18.44.rst
@@ -0,0 +1,42 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.44
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
+ records.
+
+ Malformed BRID and HHIT records could trigger an assertion failure.
+ This has been fixed.
+
+ ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
+ bringing this vulnerability to our attention. :gl:`#5616`
+
+Bug Fixes
+~~~~~~~~~
+
+- Allow glue in delegations with QTYPE=ANY.
+
+ When a query for type ANY triggered a delegation response, all
+ additional data was omitted from the response, including mandatory
+ glue. This has been corrected. :gl:`#5659`
+
+- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
+
+ A zone that is signed with NSEC3, opt-out enabled, and then
+ reconfigured to use NSEC, causes the zone to be published with missing
+ NSEC records. This has been fixed. :gl:`#5679`
+
+
From 6c1265a06e11d55b2b6b8472cb512ee8ae541e23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Thu, 8 Jan 2026 16:44:00 +0100
Subject: [PATCH 4/5] Tweak and reword release notes
---
 doc/notes/notes-9.18.44.rst | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/doc/notes/notes-9.18.44.rst b/doc/notes/notes-9.18.44.rst
index 6961232164..7dad690525 100644
--- a/doc/notes/notes-9.18.44.rst
+++ b/doc/notes/notes-9.18.44.rst
@@ -15,11 +15,11 @@ Notes for BIND 9.18.44
 Security Fixes
 ~~~~~~~~~~~~~~
-- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
- records.
+- Fix incorrect length checks for BRID and HHIT records.
+ :cve:`2025-13878`
- Malformed BRID and HHIT records could trigger an assertion failure.
- This has been fixed.
+ Malformed BRID and HHIT records could trigger an assertion
+ failure. This has been fixed.
 ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
 bringing this vulnerability to our attention. :gl:`#5616`
@@ -31,12 +31,13 @@ Bug Fixes
 When a query for type ANY triggered a delegation response, all
 additional data was omitted from the response, including mandatory
- glue. This has been corrected. :gl:`#5659`
+ glue. This has been fixed. :gl:`#5659`
-- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
+- Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be
+ invalid.
- A zone that is signed with NSEC3, opt-out enabled, and then
- reconfigured to use NSEC, causes the zone to be published with missing
- NSEC records. This has been fixed. :gl:`#5679`
+ A zone that was signed with NSEC3, had opt-out enabled, and was then
+ reconfigured to use NSEC, was published with missing NSEC records.
+ This has been fixed. :gl:`#5679`
From 2e74eea40c7cb263cd07ec08a70b05eb133ec1f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?=
Date: Fri, 9 Jan 2026 14:38:25 +0100
Subject: [PATCH 5/5] Update BIND version for release
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index f28d234fd1..3581a20668 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 18)dnl
 m4_define([bind_VERSION_PATCH], 44)dnl
-m4_define([bind_VERSION_EXTRA], -dev)dnl
+m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
 m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl