On 16 July 2025 we (Internet Systems Consortium) disclosed one
vulnerability affecting our BIND 9 software:

- CVE-2025-40777: A possible assertion failure when
  'stale-answer-client-timeout' is set to '0'
  https://kb.isc.org/docs/cve-2025-40777

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches
selectively can find individual vulnerability-specific patches in the
"patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.20.11/patches/
- https://downloads.isc.org/isc/bind9/9.21.10/patches/

With the public announcement of this vulnerability, the embargo
period is ended and any updated software packages that have been
prepared may be released.