Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Fedora 42: bind9-next Critical DNSSEC Issues Fix 2025-d9f9394ecd

fedora
Calendar Grey November 16, 2025
Dist Fedora Esm H88
BIND update for Fedora 42 addresses critical spoofing and cache-poisoning issues with security fixes listed.
Update to 9.21.14 (rhbz#2394406) Security Fixes: DNSSEC validation fails if matching but invalid DNSKEY is found

Summary

BIND (Berkeley Internet Name Domain) is an implementation of the DNS

(Domain Name System) protocols. BIND includes a DNS server (named),

which resolves host names to IP addresses; a resolver library

(routines for applications to use when interfacing with DNS); and

tools for verifying that the DNS server is operating properly.

Update Information:

Update to 9.21.14 (rhbz#2394406) Security Fixes: DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677) Address various spoofing attacks. (CVE-2025-40778) Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780) New Features: Add dnssec-policy keys configuration check to named-checkconf. Add support for synthetic records. Support for zone-specific plugins. Support for additional tokens in the zone file name template. Removed Features: Remove randomized RRset ordering. and bug fixes https://downloads.isc.org/isc/bind9/9.21.14/doc/arm/html/notes.html#notes-for- bind-9-21-14

Topics%20covered

Topics Covered

security advisory fedora critical cache poisoning DNSSEC spoofing attacks

Change Log

* Thu Nov 6 2025 Petr Men\u0161k - 32:9.21.14-2 - Prevent SERVFAIL on dual signed zones with one unsupported signature (rhbz#2413104) * Thu Nov 6 2025 Petr Men\u0161k - 32:9.21.14-1 - Update to 9.21.14 (rhbz#2394406) * Thu Nov 6 2025 Petr Men\u0161k - 32:9.21.11-6 - Meson libs include version in upstream already

References


[ 1 ] Bug #2394406 - bind9-next-9.21.14 is available https://bugzilla.redhat.com/show_bug.cgi?id=2394406 [ 2 ] Bug #2396295 - named-chroot fails to start: isc_dir_chroot: not implemented https://bugzilla.redhat.com/show_bug.cgi?id=2396295 [ 3 ] Bug #2406399 - CVE-2025-40778 [Severity: High] bind9: Cache poisoning attacks with unsolicited RRs https://bugzilla.redhat.com/show_bug.cgi?id=2406399 [ 4 ] Bug #2413104 - Regression with disabled algorithms after CVE-2025-8677 fixes https://bugzilla.redhat.com/show_bug.cgi?id=2413104

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-d9f9394ecd' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: bind9-next
Product: Fedora 42
Version: 9.21.14
Release: 2.fc42
URL: https://www.isc.org/bind/
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Topics%20covered

Topics Covered

security advisory fedora critical cache poisoning DNSSEC spoofing attacks

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here