Upgrade bind to 9.20.9 for CVE-2025-40775 and remove patches #13893
Conversation
microsoft-github-policy-service
bot
added
security
fasttrack/3.0
Co-authored-by: kgodara912 <[email protected]>
Co-authored-by: kgodara912 <[email protected]>
Copilot
AI
changed the title
SPECS/bind/bind.spec
Outdated
| @@ -536,6 +533,10 @@ fi; | |||
| %{_mandir}/man1/named-nzd2nzf.1* | |||
|
|
|||
| %changelog | |||
| * Tue May 26 2025 CBL-Mariner Servicing Account <[email protected]> - 9.20.9-1 | |||
There was a problem hiding this comment.
Change Tue May 26 2025 to Mon May 26 2025
There was a problem hiding this comment.
Fixed in 64a9ba2. Changed the day from Tuesday to Monday for May 26, 2025.
SPECS/bind/bind.spec
Outdated
| * Tue May 26 2025 CBL-Mariner Servicing Account <[email protected]> - 9.20.9-1 | ||
| - Auto-upgrade to 9.20.9 - for CVE-2025-40775 | ||
| - Remove nongit-fix.patch and fix-maybe-uninitialized-warning-in-dlz_mysqldyn_mod.patch | ||
|
|
||
| * Tue Feb 11 2025 Andrew Phelps <[email protected]> - 9.20.5-4 |
There was a problem hiding this comment.
Make Tue Feb 11 2025 to Tue Mar 11 2025
There was a problem hiding this comment.
Fixed in 64a9ba2. Changed the month from February to March for 2025.
Co-authored-by: kgodara912 <[email protected]>
mfrw
added
the
CVEFixReadyForMaintainerReview
|
@Kanishk-Bansal for patch removal review as he previously added no git patch. |
PawelWMS
removed
the
CVEFixReadyForMaintainerReview
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| @@ -1,6 +1,6 @@ | |||
| { | |||
| "Signatures": { | |||
| "bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8", | |||
| "bind-9.20.9.tar.xz": "3d26900ed9c9a859073ffea9b97e292c1248dad18279b17b05fcb23c3091f86d", | |||
There was a problem hiding this comment.
@kgodara912, are you the owner of this PR? If so, could you also extend the summary with a link or other information pointing to where it's said that the CVE is fixed in version 9.20.9? I found it, but we want to streamline the review process and include all relevant information in the PR itself, so it's easier to understand why we've made specific patching decisions if we ever analyze a PR in the future.
There was a problem hiding this comment.
The PR description should be extended with a link to ISC's security advisory for CVE-2025-40775, which would be available at https://kb.isc.org/docs/cve-2025-40775. This would provide the official reference showing that version 9.20.9 addresses this vulnerability.
| @@ -32,9 +32,6 @@ Source13: named.rwtab | |||
| Source14: named-chroot.files | |||
| Source15: https://gitlab.isc.org/isc-projects/dlz-modules/-/archive/main/dlz-modules-main.tar.gz | |||
|
|
|||
| Patch0: nongit-fix.patch | |||
| Patch1: fix-maybe-uninitialized-warning-in-dlz_mysqldyn_mod.patch | |||
There was a problem hiding this comment.
@kgodara912, could you add an explanation in the summary why we could remove these patches now? Is the uninitialized warning fixed now upstream?
There was a problem hiding this comment.
The explanation for the removal of these patches should be added to the PR summary:
-
nongit-fix.patch: This was a workaround for build issues when bind is not downloaded via git. This issue has been fixed in upstream version 9.20.9.
-
fix-maybe-uninitialized-warning-in-dlz_mysqldyn_mod.patch: This was fixing a compiler warning in the mysqldyn module. The upstream code in 9.20.9 has addressed this issue, making the patch unnecessary.
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addressesI tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This PR implements the BIND upgrade from 9.20.5 to 9.20.9 to address CVE-2025-40775 in the fasttrack/3.0 branch.
Changes
nongit-fix.patch(workaround for when bind is not downloaded via git)fix-maybe-uninitialized-warning-in-dlz_mysqldyn_mod.patch(warning fix for a module)The patches were intentionally omitted from this upgrade as they are no longer needed for version 9.20.9, simplifying the package maintenance.
Testing
Verified that the spec file builds and no longer references the removed patches.
Related Issue
Fixes CVE-2025-40775
Warning
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
downloads.isc.orgcurl -L -O REDACTED(dns block)ftp.isc.orgcurl -L -O REDACTED(dns block)If you need me to access, download, or install something from one of these locations, you can either:
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.