--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-d9f9394ecd
2025-11-16 00:54:19.352420+00:00
--------------------------------------------------------------------------------

Name        : bind9-next
Product     : Fedora 42
Version     : 9.21.14
Release     : 2.fc42
URL         : https://www.isc.org/bind/
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

--------------------------------------------------------------------------------
Update Information:

Update to 9.21.14 (rhbz#2394406)

Security Fixes:
  DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677)
  Address various spoofing attacks. (CVE-2025-40778)
  Cache-poisoning due to weak pseudo-random number generator. (CVE-2025-40780)

New Features:
  Add dnssec-policy keys configuration check to named-checkconf.
  Add support for synthetic records.
  Support for zone-specific plugins.
  Support for additional tokens in the zone file name template.

Removed Features:
  Remove randomized RRset ordering.

and bug fixes
https://downloads.isc.org/isc/bind9/9.21.14/doc/arm/html/notes.html#notes-for-bind-9-21-14
--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 6 2025 Petr Menšík - 32:9.21.14-2
- Prevent SERVFAIL on dual signed zones with one unsupported signature
  (rhbz#2413104)
* Thu Nov 6 2025 Petr Menšík - 32:9.21.14-1
- Update to 9.21.14 (rhbz#2394406)
* Thu Nov 6 2025 Petr Menšík - 32:9.21.11-6
- Meson libs include version in upstream already
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2394406 - bind9-next-9.21.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2394406
  [ 2 ] Bug #2396295 - named-chroot fails to start: isc_dir_chroot: not implemented
        https://bugzilla.redhat.com/show_bug.cgi?id=2396295
  [ 3 ] Bug #2406399 - CVE-2025-40778 [Severity: High] bind9: Cache poisoning attacks with unsolicited RRs
        https://bugzilla.redhat.com/show_bug.cgi?id=2406399
  [ 4 ] Bug #2413104 - Regression with disabled algorithms after CVE-2025-8677 fixes
        https://bugzilla.redhat.com/show_bug.cgi?id=2413104
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use

su -c 'dnf upgrade --advisory FEDORA-2025-d9f9394ecd'

at the command line. For more information, refer to the dnf documentation
available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Severity: Critical
LinuxSecurity.com Team