[Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Giulio Benetti]

Release notes:
https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html

Changelog:
https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html

Fixes CVE-2025-40775 & CVE-2025-40777.

NOTE: Libraries libcap, liburcu are now mandatory.
Add local patch pending upstream to fix uclibc build failure.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
V1->V2:
* Fix commit log adding missing CVEs
---
 .../bind/0001-Fix-building-on-uclibc.patch    | 39 +++++++++++++++++++
 package/bind/Config.in                        | 15 ++++---
 package/bind/bind.hash                        |  4 +-
 package/bind/bind.mk                          |  4 +-
 4 files changed, 53 insertions(+), 9 deletions(-)
 create mode 100644 package/bind/0001-Fix-building-on-uclibc.patch

diff --git a/package/bind/0001-Fix-building-on-uclibc.patch b/package/bind/0001-Fix-building-on-uclibc.patch
new file mode 100644
index 0000000000..94e28112b3
--- /dev/null
+++ b/package/bind/0001-Fix-building-on-uclibc.patch
@@ -0,0 +1,39 @@
+From 9c197d4cf09214806d5d9ca68a40327cc06b5bfe Mon Sep 17 00:00:00 2001
+From: Giulio Benetti <giulio.benetti@benettiengineering.com>
+Date: Sat, 3 Jan 2026 22:59:39 +0100
+Subject: [PATCH] Fix building on uclibc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While building on uclibc this error is thrown:
+In file included from ./include/dns/log.h:20,
+                 from callbacks.c:19:
+../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
+  141 |         off_t maximum_size;
+      |         ^~~~~
+
+This is due to missing include unistd.h, so let's add it on top of
+isc/log.h
+
+Upstream: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11421
+Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
+---
+ lib/isc/include/isc/log.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
+index 5a9a7a1bb3..e2bec5355d 100644
+--- a/lib/isc/include/isc/log.h
++++ b/lib/isc/include/isc/log.h
+@@ -19,6 +19,7 @@
+ #include <stdbool.h>
+ #include <stdio.h>
+ #include <syslog.h> /* XXXDCL NT */
++#include <unistd.h>
+ 
+ #include <isc/formatcheck.h>
+ #include <isc/lang.h>
+-- 
+2.47.3
+
diff --git a/package/bind/Config.in b/package/bind/Config.in
index 512e948ca2..6f5f14a6bb 100644
--- a/package/bind/Config.in
+++ b/package/bind/Config.in
@@ -1,10 +1,14 @@
 config BR2_PACKAGE_BIND
 	bool "bind"
-	depends on BR2_USE_MMU # fork(), libuv
+	depends on BR2_USE_MMU # fork(), libcap, libuv
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # libuv
-	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # libuv
+	depends on BR2_TOOLCHAIN_HAS_THREADS # liburcu, libuv
+	depends on BR2_INSTALL_LIBSTDCPP # liburcu
 	depends on !BR2_STATIC_LIBS # libuv
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # libuv
+	depends on BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS # liburcu
+	select BR2_PACKAGE_LIBCAP
+	select BR2_PACKAGE_LIBURCU
 	select BR2_PACKAGE_LIBUV
 	select BR2_PACKAGE_OPENSSL
 	help
@@ -44,8 +48,9 @@ config BR2_PACKAGE_BIND_TOOLS
 
 endif
 
-comment "bind needs a toolchain w/ NPTL, dynamic library, gcc >= 4.9"
+comment "bind needs a toolchain w/ threads, dynamic library, C++, gcc >= 4.9"
 	depends on BR2_USE_MMU
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4
-	depends on !BR2_TOOLCHAIN_HAS_THREADS_NPTL || BR2_STATIC_LIBS \
-		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \
+		|| BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 \
+		|| BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS
diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index d601e87b75..625cad572f 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.18.41/bind-9.18.41.tar.xz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.20.17/bind-9.20.17.tar.xz.asc
 # with key D99CCEAF879747014F038D63182E23579462EFAA
-sha256  6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d  bind-9.18.41.tar.xz
+sha256  5cc89a09da0917eb1ddf640cc07c172ff44fa9bbf3a34ada4b6a2f7ee70ff1c8  bind-9.20.17.tar.xz
 sha256  9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4  COPYRIGHT
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8b336ab781..c32357f67d 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.18.41
+BIND_VERSION = 9.20.17
 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 BIND_INSTALL_STAGING = YES
@@ -32,7 +32,7 @@ BIND_CONF_OPTS = \
 	--disable-static \
 	--with-openssl=$(STAGING_DIR)/usr
 
-BIND_DEPENDENCIES = host-pkgconf libuv openssl
+BIND_DEPENDENCIES = host-pkgconf libcap liburcu libuv openssl
 
 BIND_CFLAGS = $(TARGET_CFLAGS)
 
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Peter Korsgaard]

>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:

 > Release notes:
 > https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html

 > Changelog:
 > https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html

How about instead first bumping to 9.18.44, which also includes security
fixes and can be backported to 2025.02.x before moving to 9.20.x?

https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#security-fixes


 > Fixes CVE-2025-40775 & CVE-2025-40777.

Those are both 9.20.x-only issues:

https://kb.isc.org/docs/cve-2025-40775
https://kb.isc.org/docs/cve-2025-40777

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Giulio Benetti]

Hello Peter,

On 2/3/26 12:28, Peter Korsgaard wrote:
>>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:
> 
>   > Release notes:
>   > https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html
> 
>   > Changelog:
>   > https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html
> 
> How about instead first bumping to 9.18.44, which also includes security
> fixes and can be backported to 2025.02.x before moving to 9.20.x?
rrrrrrrrrrr>
> https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#security-fixes

then I'm going to send a patch for this.

> 
>   > Fixes CVE-2025-40775 & CVE-2025-40777.
> 
> Those are both 9.20.x-only issues:
> 
> https://kb.isc.org/docs/cve-2025-40775
> https://kb.isc.org/docs/cve-2025-40777

Yes but comparing version 9.18.41 and version 9.20.17
the only new CVEs were only those 2:

in branch 9.18.x up to version 9.18.41 CVEs are:
https://kb.isc.org/docs/cve-2025-8677
https://kb.isc.org/docs/cve-2025-40778
https://kb.isc.org/docs/cve-2025-40780
https://kb.isc.org/docs/cve-2024-12705
https://kb.isc.org/docs/cve-2024-11187

while in branch 9.20.x up to version 9.20.17 CVEs are:
https://kb.isc.org/docs/cve-2025-8677
https://kb.isc.org/docs/cve-2025-40778
https://kb.isc.org/docs/cve-2025-40780
https://kb.isc.org/docs/cve-2025-40777
https://kb.isc.org/docs/cve-2025-40775
https://kb.isc.org/docs/cve-2024-12705
https://kb.isc.org/docs/cve-2024-11187

That's why I've pointed only those 2 CVEs. Was it correct?
-- 
Giulio Benetti
CEO&CTO@Benetti Engineering
https://www.linkedin.com/company/benetti-engineering/
https://www.linkedin.com/in/giulio-benetti-79975951/

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH] package/bind: security bump version to 9.18.44

[Giulio Benetti]

Release notes:
https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html

Changelog:
https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/changelog.html

Fixes CVE-2025-13878.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
 package/bind/bind.hash | 4 ++--
 package/bind/bind.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index d601e87b75..aaf3519ced 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.18.41/bind-9.18.41.tar.xz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.18.44/bind-9.18.44.tar.xz.asc
 # with key D99CCEAF879747014F038D63182E23579462EFAA
-sha256  6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d  bind-9.18.41.tar.xz
+sha256  81f5035a25c576af1a93f0061cf70bde6d00a0c7bd1274abf73f5b5389a6f82d  bind-9.18.44.tar.xz
 sha256  9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4  COPYRIGHT
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8b336ab781..041541b037 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.18.41
+BIND_VERSION = 9.18.44
 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 BIND_INSTALL_STAGING = YES
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Peter Korsgaard]

>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:

Hi,

 >> https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#security-fixes

 > then I'm going to send a patch for this.

Great!

 > That's why I've pointed only those 2 CVEs. Was it correct?

No, they were fixes for issues only introduced in the 9.20.x series, so
we were never vulnerable to them.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/bind: security bump version to 9.18.44

[Peter Korsgaard]

>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:

 > Release notes:
 > https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html

 > Changelog:
 > https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/changelog.html

 > Fixes CVE-2025-13878.

 > Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Giulio Benetti]

On 2/4/26 10:46, Peter Korsgaard wrote:
>   > That's why I've pointed only those 2 CVEs. Was it correct?
> 
> No, they were fixes for issues only introduced in the 9.20.x series, so
> we were never vulnerable to them.

But if we were bumping to 9.20.17 they were required, correct?

That's why I've pointed them in the commit log.

Otherwise really I don't get it

Giulio

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Peter Korsgaard]

>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:

 > On 2/4/26 10:46, Peter Korsgaard wrote:
 >> > That's why I've pointed only those 2 CVEs. Was it correct?
 >> No, they were fixes for issues only introduced in the 9.20.x series,
 >> so
 >> we were never vulnerable to them.

 > But if we were bumping to 9.20.17 they were required, correct?

Yes, if we were to move to 9.20.x then we should naturally not move to a
version that introduces new known vulnerabilities - But as the version
we used before was not vulnerable to those issues it would be wrong to
say that the version bump fixes those two issues (E.G. the LTS
maintainers would think that they have to go to 9.20.x to fix security
issues, which is not the case).

> Otherwise really I don't get it

Hopefully the above makes it more clear?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/bind: security bump version to 9.20.17

[Giulio Benetti]

> 
> Il giorno 4 feb 2026, alle ore 10:55, Peter Korsgaard <peter@korsgaard.com> ha scritto:
> 
> 
>> 
>>>>>> "Giulio" == Giulio Benetti <giulio.benetti@benettiengineering.com> writes:
> 
>> On 2/4/26 10:46, Peter Korsgaard wrote:
>>>> That's why I've pointed only those 2 CVEs. Was it correct?
>>> No, they were fixes for issues only introduced in the 9.20.x series,
>>> so
>>> we were never vulnerable to them.
> 
>> But if we were bumping to 9.20.17 they were required, correct?
> 
> Yes, if we were to move to 9.20.x then we should naturally not move to a
> version that introduces new known vulnerabilities - But as the version
> we used before was not vulnerable to those issues it would be wrong to
> say that the version bump fixes those two issues (E.G. the LTS
> maintainers would think that they have to go to 9.20.x to fix security
> issues, which is not the case).
> 
>> Otherwise really I don't get it
> 
> Hopefully the above makes it more clear?

Oh, now I get it! Thanks a lot for clarifying.

Giulio

> 
> --
> Bye, Peter Korsgaard

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/bind: security bump version to 9.18.44

[Thomas Perale via buildroot]

In reply of:
> Release notes:
> https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html
> 
> Changelog:
> https://ftp.isc.org/isc/bind9/9.18.44/doc/arm/html/changelog.html
> 
> Fixes CVE-2025-13878.
> 
> Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  package/bind/bind.hash | 4 ++--
>  package/bind/bind.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/bind/bind.hash b/package/bind/bind.hash
> index d601e87b75..aaf3519ced 100644
> --- a/package/bind/bind.hash
> +++ b/package/bind/bind.hash
> @@ -1,4 +1,4 @@
> -# Verified from https://ftp.isc.org/isc/bind9/9.18.41/bind-9.18.41.tar.xz.asc
> +# Verified from https://ftp.isc.org/isc/bind9/9.18.44/bind-9.18.44.tar.xz.asc
>  # with key D99CCEAF879747014F038D63182E23579462EFAA
> -sha256  6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d  bind-9.18.41.tar.xz
> +sha256  81f5035a25c576af1a93f0061cf70bde6d00a0c7bd1274abf73f5b5389a6f82d  bind-9.18.44.tar.xz
>  sha256  9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4  COPYRIGHT
> diff --git a/package/bind/bind.mk b/package/bind/bind.mk
> index 8b336ab781..041541b037 100644
> --- a/package/bind/bind.mk
> +++ b/package/bind/bind.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -BIND_VERSION = 9.18.41
> +BIND_VERSION = 9.18.44
>  BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
>  BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
>  BIND_INSTALL_STAGING = YES
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot