Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Fedora 43: bind9-next Security Update CVE-2025-8677 Cache Poisoning

fedora
Calendar Grey November 16, 2025
Dist Fedora Esm H88
Update for Fedora 43's bind9-next fixes DNSSEC issues and cache poisoning vulnerabilities, enhancing security.
Update to 9.21.14 (rhbz#2394406) Security Fixes: DNSSEC validation fails if matching but invalid DNSKEY is found

Summary

BIND (Berkeley Internet Name Domain) is an implementation of the DNS

(Domain Name System) protocols. BIND includes a DNS server (named),

which resolves host names to IP addresses; a resolver library

(routines for applications to use when interfacing with DNS); and

tools for verifying that the DNS server is operating properly.

Update Information:

Update to 9.21.14 (rhbz#2394406) Security Fixes: DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677) Address various spoofing attacks. (CVE-2025-40778) Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780) New Features: Add dnssec-policy keys configuration check to named-checkconf. Add support for synthetic records. Support for zone-specific plugins. Support for additional tokens in the zone file name template. Removed Features: Remove randomized RRset ordering. and bug fixes https://downloads.isc.org/isc/bind9/9.21.14/doc/arm/html/notes.html#notes-for- bind-9-21-14

Topics%20covered

Topics Covered

security advisory fedora cache poisoning spoofing DNSSEC bind9-next

Change Log

* Thu Nov 6 2025 Petr Men\u0161k - 32:9.21.14-2 - Prevent SERVFAIL on dual signed zones with one unsupported signature (rhbz#2413104) * Thu Nov 6 2025 Petr Men\u0161k - 32:9.21.14-1 - Update to 9.21.14 (rhbz#2394406) * Tue Oct 7 2025 Petr Men\u0161k - 32:9.21.12-4 - Update a bit sample named.conf * Thu Sep 11 2025 Petr Men\u0161k - 32:9.21.12-3 - Meson libs include version in upstream already * Wed Sep 10 2025 Petr Men\u0161k - 32:9.21.12-1 - Update to 9.21.12 (rhbz#2394406) * Wed Sep 10 2025 Petr Men\u0161k - 32:9.21.11-6 - Return back fortify=3 source * Tue Sep 9 2025 Petr Men\u0161k - 32:9.21.11-5 - Remove separate license subpackage

References


[ 1 ] Bug #2394406 - bind9-next-9.21.14 is available https://bugzilla.redhat.com/show_bug.cgi?id=2394406 [ 2 ] Bug #2396295 - named-chroot fails to start: isc_dir_chroot: not implemented https://bugzilla.redhat.com/show_bug.cgi?id=2396295 [ 3 ] Bug #2406399 - CVE-2025-40778 [Severity: High] bind9: Cache poisoning attacks with unsolicited RRs https://bugzilla.redhat.com/show_bug.cgi?id=2406399 [ 4 ] Bug #2413104 - Regression with disabled algorithms after CVE-2025-8677 fixes https://bugzilla.redhat.com/show_bug.cgi?id=2413104

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b68f7f541d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: bind9-next
Product: Fedora 43
Version: 9.21.14
Release: 2.fc43
URL: https://www.isc.org/bind/
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server

Topics%20covered

Topics Covered

security advisory fedora cache poisoning spoofing DNSSEC bind9-next

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here