From 0c8f5f2ed91600b04ba639ef9c4c5ced3286cb3b Mon Sep 17 00:00:00 2001
From: Noah Meyerhans
Date: Mon, 25 May 2026 11:09:01 -0400
Subject: [PATCH] bind: bump to 9.20.23
Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans
(cherry picked from commit ea421564d333b53b847434aaed2cd4d8a74954f0)
---
net/bind/Makefile | 4 ++--
net/bind/patches/fix-usr-allow-rndc-addzone#1.patch | 12 ++++++------
net/bind/patches/fix-usr-allow-rndc-addzone#2.patch | 2 +-
net/bind/patches/fix-usr-allow-rndc-addzone#4.patch | 2 +-
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/net/bind/Makefile b/net/bind/Makefile
index 65c273d856..9d52d45e50 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=bind
-PKG_VERSION:=9.20.21
+PKG_VERSION:=9.20.23
PKG_RELEASE:=1
USERID:=bind=57:bind=57
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:= \
https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=15e1b5a227d2890f7c4e823a6ea018de70ee2f3a0e859cbff3d82aad8590de03
+PKG_HASH:=5d4475aed3f9e500ef554b2b14d972bdb83d33de214a9b3be92918ea46908371
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
index a08f69331b..25ee1f7117 100644
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#1.patch
@@ -13,15 +13,15 @@ restore the automatic zone to the view.
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -13931,6 +13931,7 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13919,6 +13919,7 @@ do_addzone(named_server_t *server, ns_cf
bool redirect, isc_buffer_t **text) {
isc_result_t result, tresult;
dns_zone_t *zone = NULL;
+ dns_zone_t *oldzone = NULL;
+ bool locked = false;
#ifndef HAVE_LMDB
FILE *fp = NULL;
- bool cleanup_config = false;
-@@ -13949,7 +13950,13 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13937,7 +13938,13 @@ do_addzone(named_server_t *server, ns_cf
} else {
result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone);
if (result == ISC_R_SUCCESS) {
@@ -36,7 +36,7 @@ restore the automatic zone to the view.
}
}
if (result != ISC_R_NOTFOUND) {
-@@ -13958,6 +13965,10 @@ do_addzone(named_server_t *server, ns_cf
+@@ -13946,6 +13953,10 @@ do_addzone(named_server_t *server, ns_cf
isc_loopmgr_pause(named_g_loopmgr);
@@ -47,7 +47,7 @@ restore the automatic zone to the view.
#ifndef HAVE_LMDB
/*
* Make sure we can open the configuration save file
-@@ -14062,6 +14073,11 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14050,6 +14061,11 @@ do_addzone(named_server_t *server, ns_cf
/* Remove the zone from the zone table */
dns_view_delzone(view, zone);
goto cleanup;
@@ -59,7 +59,7 @@ restore the automatic zone to the view.
}
/* Flag the zone as having been added at runtime */
-@@ -14078,6 +14094,22 @@ do_addzone(named_server_t *server, ns_cf
+@@ -14066,6 +14082,22 @@ do_addzone(named_server_t *server, ns_cf
cleanup:
diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
index 5a0805b9f2..580f9138a8 100644
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#2.patch
@@ -85,7 +85,7 @@ Subject: [PATCH 2/4] Check if adding new zone can replace an automatic empty
+};
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
-@@ -68,6 +68,35 @@ n=$((n + 1))
+@@ -88,6 +88,35 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
diff --git a/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch b/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
index 1e49c12d56..395b9af567 100644
--- a/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
+++ b/net/bind/patches/fix-usr-allow-rndc-addzone#4.patch
@@ -10,7 +10,7 @@ Subject: [PATCH 4/4] fixup! Check if adding new zone can replace an automatic
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
-@@ -84,6 +84,23 @@ n=$((n + 1))
+@@ -104,6 +104,23 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))