./net/bind918, Berkeley Internet Name Daemon implementation of DNS, version 9.18


Branch: CURRENT, Version: 9.18.49, Package name: bind-9.18.49, Maintainer: pkgsrc-users

BIND, the Berkeley Internet Name Daemon.

Release notes are available via https://bind9.readthedocs.io/en/

This package contains the BIND 9.18 release. Upstream labels it
as supported.


Package options: readline, threads

Master sites:

Filesize: 5347.938 KB

CVS history:


   2026-05-20 15:07:16 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update to 9.18.49

BIND 9.18.49 (2026-05-20)

Security Fixes

* Limit resolver server list size. (CVE-2026-3592)

  When resolving a domain with many nameservers that shared overlapping IP
  addresses (e.g., 10 NS records all pointing at the same set of addresses),
  BIND could previously waste time querying duplicate addresses and build up
  excessively large server lists.  Addresses in the resolver's server list
  are now deduplicated so that each unique IP is only queried once per
  resolution attempt, regardless of how many NS records point to it.  The
  number of addresses stored per nameserver name is also now capped at six
  (combined A and AAAA), preventing memory and CPU overhead from domains
  with unusually large NS/glue sets.

  ISC would like to thank Shuhan Zhang from Tsinghua University for
  reporting this issue.  [GL #5641]

* Fix GSS-API resource leak. (CVE-2026-3039)

  A memory leak was fixed where each GSS-API TKEY negotiation leaked a
  security context inside the GSS library.  An unauthenticated attacker
  could exhaust server memory by sending repeated TKEY queries to a server
  with tkey-gssapi-keytab configured.  The leaked memory was allocated by
  the GSS library, bypassing BIND's memory accounting.

  Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected,
  as BIND never supported it correctly and Kerberos/SPNEGO completes in a
  single round.

  ISC would like to thank Vitaly Simonovich for bringing this vulnerability
  to our attention.  [GL #5752]

* Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)

  Recursion, dynamic updates (UPDATE), and zone change notifications
  (NOTIFY) are now disabled for views with a class other than IN (such as
  CHAOS or HESIOD); authoritative service for non-IN zones
  (e.g. version.bind in class CHAOS) continues to work as before.  Servers
  configured with recursion yes; in a non-IN view log a warning at startup,
  and named-checkconf flags the same condition.  UPDATE and NOTIFY messages
  that specify the meta-classes ANY or NONE in the question section are now
  rejected with FORMERR.

  This addresses a set of closely related security issues collectively
  identified as CVE-2026-5946.  ISC would like to thank Mcsky23 for bringing
  these issues to our attention.  [GL #5784]

* Avoid unbounded recursion loop. (CVE-2026-5950)

  A bug during bad server handling could cause the resolver to enter an
  infinite loop, continuously sending queries to an upstream server with no
  exit condition, until the resolver query timeout was hit.  This has been
  fixed.

  ISC would like to thank Billy Baraja (BielraX) for bringing this issue to
  our attention.  [GL #5804]

* Fix outgoing zone transfers' quota issue.

  Unauthorized clients could consume the entire outgoing zone-transfer quota
  and block authorized zone transfer clients.  This has been fixed.  [GL
  #3589]

Feature Changes

* Fix CPU spikes and slow queries when cache approaches memory limit.

  Cache cleanup is now spread probabilistically to avoid CPU usage spikes
  and a drop in query throughput.  [GL #5891]

Bug Fixes

* Fix named crash when processing SIG records in dynamic updates.
  [GL #5818]
* Fix rndc modzone behavior for a zone in named.conf.  [GL #5826]
* Fix zone verification of NSEC3 signed zones.  [GL #5834]
* Prevent a crash when using both dns64 and filter-aaaa.  [GL #5854]
* Fixed an assertion failure when processing catalog zones.  [GL #5858]
* Prevent malicious DNSSEC zones from exhausting validator CPU.  [GL #5881]
* Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits.
  [GL #5903]
* Prevent crafted queries from degrading RRL performance.  [GL #5906]
* Fix a bug in allow-query/allow-transfer catalog zone custom properties.
  [GL #5941]
* Fix a memory leak issue in catalog zones.  [GL #5943]
* Fix suppressed missing-glue check in named-checkzone.
* Reject record sets too large to serve in DNS.  [GL !11963]
   2026-04-01 23:55:55 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update to 9.18.48

9.18.48 (2026-04-01)

Security Fixes

* Fix crash when reconfiguring zone update policy during active updates.

  We fixed a crash that could occur when running rndc reconfig to change a
  zone's update policy (e.g., from allow-update to update-policy) while DNS
  UPDATE requests were being processed for that zone.

  ISC would like to thank Vitaly Simonovich for bringing this issue to our
  attention.  [GL #5817]

Bug Fixes

* Fix a crash triggered by rndc modzone on a zone from a configuration file.

* Calling rndc modzone on a zone that was configured in the configuration
  file caused a crash.  This has been fixed.  [GL #5800]

* Fix a crash triggered by rndc modzone on zone that already existed in NZF
  file.

  Calling rndc modzone didn't work properly for a zone that was configured
  in the configuration file.  It could crash if BIND 9 was built without
  LMDB or if there was already an NZF file for the zone.  This has been
  fixed.  [GL #5826]
   2026-03-25 16:12:51 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
net/bind918: update to 9.18.47

This is a security release; from the release announcement:

Our March 2026 maintenance releases of BIND 9 are available and can be
downloaded from the links below.  Packages and container images provided by ISC
will be updated later today.

In addition to bug fixes and feature improvements, these releases also contain
fixes for security vulnerabilities.  More information can be found in the
following Security Advisories:

    https://kb.isc.org/docs/cve-2026-1519
    https://kb.isc.org/docs/cve-2026-3104
    https://kb.isc.org/docs/cve-2026-3119
    https://kb.isc.org/docs/cve-2026-3591

A link to each newly-released version follows.  Each release directory includes
a complete source tarball, cryptographic signature, and release notes.  The
release notes provide a summary of significant changes, and should be reviewed
before upgrading.

  - Current supported stable branches:

    - 9.18.47  - https://downloads.isc.org/isc/bind9/9.18.47/
    - 9.20.21  - https://downloads.isc.org/isc/bind9/9.20.21/

  - Experimental development branch:

    - 9.21.20  - https://downloads.isc.org/isc/bind9/9.21.20/
   2026-03-01 07:51:06 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update to 9.18.46

9.18.46 (2026-02-27)

Bug Fixes

* A stale answer could have been served in case of multiple upstream
  failures when following CNAME chains. This has been fixed. [GL #5751]
   2026-02-18 18:15:23 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update to 9.18.45

BIND 9.18.45 (2026-02-18)

Feature Changes

* Update requirements for system test suite.
* Python 3.10 or newer is now required for running the system test suite.
  The required Python packages and their version requirements are now
  tracked in the file bin/tests/system/requirements.txt.
  [GL #5690] [GL #5614]

Bug Fixes

* Fix implementation of BRID and HHIT record types. [GL #5710]
* Fix implementation of DSYNC record type. [GL #5711]
   2026-01-21 14:54:21 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update to 9.18.44

This release contains a security fix, <https://kb.isc.org/docs/cve-2025-13878>.

9.18.44 (2026-01-21)

Security Fixes

* Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

* Malformed BRID and HHIT records could trigger an assertion failure. This
  has been fixed.

* ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing
  this vulnerability to our attention.  [GL #5616]

Bug Fixes

* Allow glue in delegations with QTYPE=ANY.

* When a query for type ANY triggered a delegation response, all additional
  data was omitted from the response, including mandatory glue.  This has
  been fixed. [GL #5659]

* Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.

* A zone that was signed with NSEC3, had opt-out enabled, and was then
  reconfigured to use NSEC, was published with missing NSEC records.  This
  has been fixed.  [GL #5679]
   2026-01-14 13:57:37 by Thomas Klausner | Files touched by this commit (66)
Log message:
*: recursive bump for abseil-20260107.0 shlib version bump
   2026-01-09 15:35:00 by Thomas Klausner | Files touched by this commit (1)
Log message:
bind918: use SED instead of HEAD, since SED is defined earlier