Those issues were announced here: https://www.openwall.com/lists/oss-security/2025/10/22/1
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-8677, CVE-2025-40778, CVE-2025-40780
Source RPM: (none) => bind-9.18.39-2.mga10.src.rpm, bind-9.18.39-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.18.41
Assigning to MikeR as you have done the most recent bind version updates (one very recently, 9.18.39). Note the MGA9TOO please.
Assignee: bugsquad => mhrambo3501
Cauldron fixed with new version bind-9.18.41-1.mga10.
Package patched for Mageia 9.

Advisory:
========================

Patched bind package fixes security vulnerabilities:

It was discovered that bind has several vulnerabilities.

Resource exhaustion via malformed DNSKEY handling (CVE-2025-8677).
Cache poisoning attacks with unsolicited RRs (CVE-2025-40778).
Cache poisoning due to weak PRNG (CVE-2025-40780).

References:
https://www.openwall.com/lists/oss-security/2025/10/22/1
https://www.cvedetails.com/cve/CVE-2025-8677/
https://www.cvedetails.com/cve/CVE-2025-40778/
https://www.cvedetails.com/cve/CVE-2025-40780/
========================

Updated packages in core/updates_testing:
========================
bind-9.18.39-1.1.mga9.x86_64.rpm
bind-chroot-9.18.39-1.1.mga9.x86_64.rpm
bind-devel-9.18.39-1.1.mga9.x86_64.rpm
bind-dnssec-utils-9.18.39-1.1.mga9.x86_64.rpm
bind-utils-9.18.39-1.1.mga9.x86_64.rpm
lib64bind9.18.39-9.18.39-1.1.mga9.x86_64.rpm

from bind-9.18.39-1.1.mga9.src.rpm

testing procedure https://bugs.mageia.org/show_bug.cgi?id=33972#c3
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Keywords: (none) => has_procedure
Assignee: mhrambo3501 => qa-bugs
Keywords: (none) => advisory
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Opened firewall for DNS.

$ nslookup mach2
Server: 192.168.2.1
Address: 192.168.2.1#53

Name: mach2.hviaene.thuis
Address: 192.168.2.2

[tester9@mach3 ~]$ dig mach2

; <<>> DiG 9.18.39 <<>> mach2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8924
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bc8ddb3fbda252e4010000006904bacc2dc7c07af5e14103 (good)
;; QUESTION SECTION:
;mach2. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025103100 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: 192.168.2.1#53(192.168.2.1) (UDP)
;; WHEN: Fri Oct 31 14:34:07 CET 2025
;; MSG SIZE rcvd: 137

Still not knowing what I do exactly, nor what the bind server really needs, I copy named.conf and zone files from earlier and put them anywhere in /etc and /var/lib/named.
Then changed net config to point to own laptop as primary DNS server and

# systemctl restart named
[root@mach3 ~]# systemctl -l status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
Active: active (running) since Fri 2025-10-31 15:55:11 CET; 2s ago
Process: 174127 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo ">
Process: 174130 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 174131 (named)
Tasks: 6 (limit: 8805)
Memory: 23.3M
CPU: 370ms
CGroup: /system.slice/named.service
└─174131 /usr/sbin/named -u named -c /etc/named.conf

Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Oct 31 15:55:11 mach3.hviaene.thuis named[174131]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

And then I get a response

$ nslookup mach2
Server: 192.168.2.3
Address: 192.168.2.3#53

Name: mach2.hviaene.thuis
Address: 192.168.2.2

So to me it works as in bug 33972.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0254.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED