[Buildroot] [PATCH] package/bind: security bump version to 9.20.17

[Buildroot] [PATCH] package/bind: security bump version to 9.20.17

[Giulio Benetti]

Release notes:
https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html

Changelog:
https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html

No new CVEs fixed compared to version 9.18.41.
NOTE: Libraries libcap, liburcu are now mandatory.
Add local patch pending upstream to fix uclibc build failure.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
 .../bind/0001-Fix-building-on-uclibc.patch    | 39 +++++++++++++++++++
 package/bind/Config.in                        | 15 ++++---
 package/bind/bind.hash                        |  4 +-
 package/bind/bind.mk                          |  4 +-
 4 files changed, 53 insertions(+), 9 deletions(-)
 create mode 100644 package/bind/0001-Fix-building-on-uclibc.patch

diff --git a/package/bind/0001-Fix-building-on-uclibc.patch b/package/bind/0001-Fix-building-on-uclibc.patch
new file mode 100644
index 0000000000..94e28112b3
--- /dev/null
+++ b/package/bind/0001-Fix-building-on-uclibc.patch
@@ -0,0 +1,39 @@
+From 9c197d4cf09214806d5d9ca68a40327cc06b5bfe Mon Sep 17 00:00:00 2001
+From: Giulio Benetti <giulio.benetti@benettiengineering.com>
+Date: Sat, 3 Jan 2026 22:59:39 +0100
+Subject: [PATCH] Fix building on uclibc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While building on uclibc this error is thrown:
+In file included from ./include/dns/log.h:20,
+                 from callbacks.c:19:
+../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
+  141 |         off_t maximum_size;
+      |         ^~~~~
+
+This is due to missing include unistd.h, so let's add it on top of
+isc/log.h
+
+Upstream: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11421
+Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
+---
+ lib/isc/include/isc/log.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
+index 5a9a7a1bb3..e2bec5355d 100644
+--- a/lib/isc/include/isc/log.h
++++ b/lib/isc/include/isc/log.h
+@@ -19,6 +19,7 @@
+ #include <stdbool.h>
+ #include <stdio.h>
+ #include <syslog.h> /* XXXDCL NT */
++#include <unistd.h>
+ 
+ #include <isc/formatcheck.h>
+ #include <isc/lang.h>
+-- 
+2.47.3
+
diff --git a/package/bind/Config.in b/package/bind/Config.in
index 512e948ca2..6f5f14a6bb 100644
--- a/package/bind/Config.in
+++ b/package/bind/Config.in
@@ -1,10 +1,14 @@
 config BR2_PACKAGE_BIND
 	bool "bind"
-	depends on BR2_USE_MMU # fork(), libuv
+	depends on BR2_USE_MMU # fork(), libcap, libuv
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # libuv
-	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # libuv
+	depends on BR2_TOOLCHAIN_HAS_THREADS # liburcu, libuv
+	depends on BR2_INSTALL_LIBSTDCPP # liburcu
 	depends on !BR2_STATIC_LIBS # libuv
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # libuv
+	depends on BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS # liburcu
+	select BR2_PACKAGE_LIBCAP
+	select BR2_PACKAGE_LIBURCU
 	select BR2_PACKAGE_LIBUV
 	select BR2_PACKAGE_OPENSSL
 	help
@@ -44,8 +48,9 @@ config BR2_PACKAGE_BIND_TOOLS
 
 endif
 
-comment "bind needs a toolchain w/ NPTL, dynamic library, gcc >= 4.9"
+comment "bind needs a toolchain w/ threads, dynamic library, C++, gcc >= 4.9"
 	depends on BR2_USE_MMU
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4
-	depends on !BR2_TOOLCHAIN_HAS_THREADS_NPTL || BR2_STATIC_LIBS \
-		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \
+		|| BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 \
+		|| BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS
diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index d601e87b75..625cad572f 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.18.41/bind-9.18.41.tar.xz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.20.17/bind-9.20.17.tar.xz.asc
 # with key D99CCEAF879747014F038D63182E23579462EFAA
-sha256  6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d  bind-9.18.41.tar.xz
+sha256  5cc89a09da0917eb1ddf640cc07c172ff44fa9bbf3a34ada4b6a2f7ee70ff1c8  bind-9.20.17.tar.xz
 sha256  9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4  COPYRIGHT
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8b336ab781..c32357f67d 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.18.41
+BIND_VERSION = 9.20.17
 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 BIND_INSTALL_STAGING = YES
@@ -32,7 +32,7 @@ BIND_CONF_OPTS = \
 	--disable-static \
 	--with-openssl=$(STAGING_DIR)/usr
 
-BIND_DEPENDENCIES = host-pkgconf libuv openssl
+BIND_DEPENDENCIES = host-pkgconf libcap liburcu libuv openssl
 
 BIND_CFLAGS = $(TARGET_CFLAGS)
 
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH] DEVELOPERS: add Giulio Benetti to package bind

[Giulio Benetti]

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
 DEVELOPERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index d2b3b34f61..75190bd5c0 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1302,6 +1302,7 @@ F:	configs/mangopi_mq1rdw2_defconfig
 F:	configs/olimex_a*
 F:	configs/rockpro64_defconfig
 F:	package/at/
+F:	package/bind/
 F:	package/binutils/
 F:	package/cryptsetup/
 F:	package/dash/
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/bind: security bump version to 9.20.17

[Thomas Petazzoni via buildroot]

Hello,

On Sun, Jan 04, 2026 at 06:22:25PM +0100, Giulio Benetti wrote:
> Release notes:
> https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html
> 
> Changelog:
> https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html
> 
> No new CVEs fixed compared to version 9.18.41.

I'm confused: your title says it's a security bump, but your commit
message says there are "no new CVEs fixed compared to version 9.18.41"
(which is the version that we have in Buildroot right now).

So is this a security bump, or not?

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] DEVELOPERS: add Giulio Benetti to package bind

[Thomas Petazzoni via buildroot]

On Sun, Jan 04, 2026 at 06:22:26PM +0100, Giulio Benetti wrote:
> Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Thanks, applied!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/bind: security bump version to 9.20.17

[Giulio Benetti]

Hello,

On 2/3/26 11:41, Thomas Petazzoni wrote:
> Hello,
> 
> On Sun, Jan 04, 2026 at 06:22:25PM +0100, Giulio Benetti wrote:
>> Release notes:
>> https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/notes.html
>>
>> Changelog:
>> https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html
>>
>> No new CVEs fixed compared to version 9.18.41.
> 
> I'm confused: your title says it's a security bump, but your commit
> message says there are "no new CVEs fixed compared to version 9.18.41"
> (which is the version that we have in Buildroot right now).
> 
> So is this a security bump, or not?

I've re-checked and found out that in version 9.20.17 CVEs [1][2] are
fixed, while in version 9.18.41 not. So this is a Security Bump and
commit log must contain at the end:

'Fixes CVE-2025-40775 & CVE-2025-40777.'

I've compared these twos:
https://ftp.isc.org/isc/bind9/9.20.17/doc/arm/html/changelog.html
https://ftp.isc.org/isc/bind9/9.18.41/doc/arm/html/changelog.html

Just sent a V2.

[1]: https://kb.isc.org/docs/cve-2025-40777
[2]: https://kb.isc.org/docs/cve-2025-40775

Giulio
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] DEVELOPERS: add Giulio Benetti to package bind

[Thomas Perale via buildroot]

In reply of:
> Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  DEVELOPERS | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index d2b3b34f61..75190bd5c0 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1302,6 +1302,7 @@ F:	configs/mangopi_mq1rdw2_defconfig
>  F:	configs/olimex_a*
>  F:	configs/rockpro64_defconfig
>  F:	package/at/
> +F:	package/bind/
>  F:	package/binutils/
>  F:	package/cryptsetup/
>  F:	package/dash/
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot