I would recommend requesting downstream fixes in the meantime. Any
distribution channel delivering bind packages can include patches
already merged into the bind-9.18 branch. They may not be aware the problem
exists, because it happens only for less common domains.
Give the MR link
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11211
to any of your bind distributors and request fixes. They may arrive sooner
than a new bind release, but they have to know about the problem first.
If you build from sources, then use cherry-pick to include the fixing commit
from it on top of the last release. That is what I do for Fedora packages,
for example.
I would not have noticed it myself if I had not been included in cc by Bjørn
Mork. I would be surprised if most of the redistributors were unaware that there
is any problem at this moment.
Regards,
Petr
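The "cherry-pick the fixing commit on top of the last release" workflow from the message above, as an added, offline example that is not part of the thread and not code from the BIND project. The repository, the tag name v9.18.0-demo, the branch name mr-fix and the file contents are all constructed stand-ins for a bind9 checkout, its last release tag and the commit(s) carried by the merge request; no real commit hashes are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse cherry-picking a fix from a
# merge-request branch onto the last release tag, then verify the result.
# Everything below is constructed: the repo, the tag v9.18.0-demo, the
# branch mr-fix and the file contents stand in for a real bind9 checkout.
set -eu

# Create a throwaway repository with one "release" commit, tag it, then put
# the fix on a separate branch the way an MR branch would carry it.
make_demo_repo() {
    repo=$(mktemp -d)
    cd "$repo"
    git init -q
    git config user.name demo
    git config user.email demo@example.invalid
    printf 'validator: reject unsupported algorithm as bogus\n' >validator.c
    git add validator.c
    git commit -q -m "release: constructed stand-in for the last tagged release"
    git tag v9.18.0-demo
    git checkout -q -b mr-fix
    printf 'validator: treat unsupported algorithm as insecure\n' >validator.c
    git commit -q -am "fix: constructed stand-in for the MR fixing commit"
    echo "$repo"
}

# Create branch backport-<tag> at <tag> and cherry-pick, oldest first, every
# commit that is on <fix_ref> but not on <tag>. -x records the source hash
# in each new commit message, which is what a package changelog wants.
backport_fix() {
    base_tag=$1
    fix_ref=$2
    git checkout -q -b "backport-$base_tag" "$base_tag"
    git cherry-pick -x $(git rev-list --reverse "$base_tag..$fix_ref") >/dev/null
    git rev-parse --abbrev-ref HEAD
}

# Sanity check: the release tag is untouched, the new branch carries the fix,
# and the cherry-picked commit records where it came from.
verify_backport() {
    base_tag=$1
    git show "$base_tag:validator.c" | grep -q 'as bogus' &&
        git show HEAD:validator.c | grep -q 'as insecure' &&
        git log -1 --format=%B | grep -q 'cherry picked from commit'
}

repo=$(make_demo_repo)
cd "$repo"
branch=$(backport_fix v9.18.0-demo mr-fix)
verify_backport v9.18.0-demo
echo "fix cherry-picked onto $branch in $repo"
```

Against a real checkout the only difference is where mr-fix comes from: GitLab exposes merge requests as refs, so (assumed ref layout, not verified here) `git fetch https://gitlab.isc.org/isc-projects/bind9.git refs/merge-requests/11211/head:mr-fix` would populate the branch, and `git rev-list --reverse <release-tag>..mr-fix` then lists the commits to pick, exactly as backport_fix does above. Inspect that list before picking; an MR branch may carry unrelated commits on top of the one you want.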
On 06/11/2025 19:58, Kelsey Cummings wrote:
Ondřej, do you have an ETA for (9.18) releases which contain the fixes?
On 11/4/2025 4:27 AM, Ondřej Surý wrote:
Agreed.
I would suggest filing a full bug report as an issue next time and
including all the relevant details instead of piggybacking on an
internal issue.
There is a subtle difference between #5570 and the issue reported
below, and thus these are two distinct bugs.
Ondrej
--
Ondřej Surý (He/Him)
[email protected]
My working hours and your working hours may be different. Please do
not feel obligated to reply outside your normal working hours.
On 4. 11. 2025, at 7:21, Petr Menšík via bind-users
<[email protected]> wrote:
Unfortunately this is a rare moment when Ondřej is not correct.
This affects all versions which included the fix for CVE-2025-8677.
Yes, I verified that our builds are also affected. Fedora 9.18.41
contains the same problem, but the OpenSSL library does not prevent
usage of algorithms 5 and 7 there, so it is not visible.
But in any case, similar reports should contain delv +vtrace output
from your side. Especially because it should be possible to reproduce it
on any system which disables the RSASHA1 and RSASHA1NSEC3 algorithms.
But the delv tool shows the wrong behaviour only on CentOS 9 or CentOS 10
derivatives. On other systems it seems unaffected at first glance.
The development version contains code modifications which have a similar
problem in a slightly different place and need a different fix. But
unlike the original assumption, it also affects stable versions.
Cheers,
Petr
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.