Upgrade bind to 9.20.9 for CVE-2025-40775 #13893
Open: wants to merge 7 commits into base: fasttrack/3.0
2 changes: 1 addition & 1 deletion SPECS/bind/bind.signatures.json
@@ -1,6 +1,6 @@
{
"Signatures": {
"bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8",
"bind-9.20.9.tar.xz": "3d26900ed9c9a859073ffea9b97e292c1248dad18279b17b05fcb23c3091f86d",
Contributor
@kgodara912, are you the owner of this PR? If so, could you also extend the summary with a link or other information pointing to where it's said that the CVE is fixed in version 9.20.9? I found it, but we want to streamline the review process and include all relevant information in the PR itself, so it's easier to understand why we've made specific patching decisions if we ever analyze a PR in the future.

Author
The PR description should be extended with a link to ISC's security advisory for CVE-2025-40775, which would be available at https://kb.isc.org/docs/cve-2025-40775. This would provide the official reference showing that version 9.20.9 addresses this vulnerability.

"dlz-modules-main.tar.gz": "884bef3535317a7757ad0e3556a27e2ed1a80f5b1040bce4074780c8719667d0",
"generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
"named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
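Review bot: the new SHA-256 for bind-9.20.9.tar.xz (3d26900e...) replaces the 9.20.5 entry, but nothing in the PR records how that value was obtained; state in the description that it was checked against ISC's published checksum and signature for the release tarball at the URL recorded in cgmanifest.json (https://ftp.isc.org/isc/bind9/9.20.9/bind-9.20.9.tar.xz), so a reviewer can confirm the line rather than trust it. Together with the advisory link requested in the comment above, that gives the PR the provenance it currently lacks.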
9 changes: 6 additions & 3 deletions SPECS/bind/bind.spec
@@ -9,8 +9,8 @@

Summary: Domain Name System software
Name: bind
Version: 9.20.5
Release: 4%{?dist}
Version: 9.20.9
Release: 1%{?dist}
License: ISC
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -536,7 +536,10 @@ fi;
%{_mandir}/man1/named-nzd2nzf.1*

%changelog
* Tue Feb 11 2025 Andrew Phelps <anphel@microsoft.com> - 9.20.5-4
* Mon May 26 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 9.20.9-1
- Auto-upgrade to 9.20.9 - for CVE-2025-40775

* Tue Mar 11 2025 Andrew Phelps <anphel@microsoft.com> - 9.20.5-4
- Remove duplicate shared object files in base and devel packages
- Remove duplicate files from utils package
- Add requires for bind-libs from base package
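Review bot: the existing 9.20.5-4 changelog entry has its date rewritten from "Tue Feb 11 2025" to "Tue Mar 11 2025" with no mention in the new entry or the PR; a version bump should not silently alter a prior entry, so either drop that change or explain the correction in the PR description. Separately, the new entry "Auto-upgrade to 9.20.9 - for CVE-2025-40775" would be more useful with the advisory reference the reviewer asked for (https://kb.isc.org/docs/cve-2025-40775), since the spec changelog is what survives after the PR discussion is gone.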
14 changes: 7 additions & 7 deletions SPECS/bind/nongit-fix.patch
@@ -1,18 +1,18 @@
From a93a15295ac2690f587711b26af84d6292d2aa1b Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <kbkanishk975@gmail.com>
Date: Tue, 4 Feb 2025 06:49:17 +0000
Subject: [PATCH] Fix issue where bind directory isn't downloaded via git
From 87098009404ea5d372be6268bd1d1ce356c1a4f5 Mon Sep 17 00:00:00 2001
From: Kshitiz Godara <kgodara@microsoft.com>
Date: Mon, 2 Jun 2025 16:33:19 +0000
Subject: [PATCH 2/2] non-git download issue

---
configure.ac | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 168a77a..37c0acd 100644
index 9701cdb..b7c84f6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@ m4_define([bind_VERSION_MINOR], 20)dnl
m4_define([bind_VERSION_PATCH], 5)dnl
m4_define([bind_VERSION_PATCH], 9)dnl
m4_define([bind_VERSION_EXTRA], )dnl
m4_define([bind_DESCRIPTION], [(Stable Release)])dnl
-m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
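Review bot: the regenerated patch header changes the Subject from "[PATCH] Fix issue where bind directory isn't downloaded via git" to "[PATCH 2/2] non-git download issue", which loses the description of what the patch does and implies a 1/2 companion patch that is not in this PR; regenerate it with `git format-patch -1 <commit>` (or keep the original Subject and author line) so the patch stays self-explanatory. The only substantive change in the hunk is the context line `m4_define([bind_VERSION_PATCH], 5)dnl` becoming `m4_define([bind_VERSION_PATCH], 9)dnl`, which is the expected rebase onto 9.20.9; the removed `-m4_define([bind_SRCID], ...)` line itself is unchanged.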
@@ -32,5 +32,5 @@ index 168a77a..37c0acd 100644

#
--
2.43.0
2.45.3

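Review bot: this hunk only swaps the git version trailer from 2.43.0 to 2.45.3, a side effect of regenerating the patch with a newer git; it is harmless, but it is noise that would disappear if the patch were refreshed with only the context line updated rather than re-exported wholesale.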
4 changes: 2 additions & 2 deletions cgmanifest.json
@@ -1097,8 +1097,8 @@
"type": "other",
"other": {
"name": "bind",
"version": "9.20.5",
"downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.5/bind-9.20.5.tar.xz"
"version": "9.20.9",
"downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.9/bind-9.20.9.tar.xz"
}
}
},