As reported by users of another distribution, vanilla bind-9.16.11 crashes with a config file using named ACLs because of a bug.

Reproducible: Always

Steps to Reproduce:
Use named ACLs in your bind config.
Update to net-dns/bind-9.16.11
Restart bind

Actual Results:
Crashes with SIGSEGV caused by the bug

Expected Results:
It should work flawlessly as earlier versions did.

There is a patch which fixes the crash when included in the patches section of the ebuild: https://sources.debian.org/data/main/b/bind9/1:9.16.11-2/debian/patches/0003-fix-segv-with-named-acl.patch

You should also find a similar patch upstream, but it seems not to be included before the upcoming bind 9.16.12: https://gitlab.isc.org/isc-projects/bind9/-/issues/2413
Please read the description in bugzilla (you see it when you try to create a new bug): "Critical: The software crashes, hangs, or causes you to lose data". In my opinion, SIGSEGV on service startup fulfills the criterion "software crashes". Upgrading from a previously working config causes DNS servers to stop working unexpectedly (you can't start the service anymore).
I do not expect this bug to be fixed at all; there is a pending security release this week which will eliminate this version (not to say that the status does not make me look into bugs quicker).
(In reply to Mikle Kolyada from comment #2)
> I do not expect this bug being fixed at all, there is pending security
> release this week which will make this version eliminated (not to say the
> status does not make me look into bugs quicker)

If I understand you correctly, you are not going to create a new -r1 ebuild with:

--- /usr/portage/net-dns/bind-9.16.11.ebuild 2021-01-26 11:09:22.000000000 +0100 +++ /usr/portage/net-dns/bind-9.16.11-r1.ebuild 2021-02-13 18:24:04.095315825 +0100 @@ -86,6 +86,7 @@ PATCHES=( "${FILESDIR}/ldap-library-path-on-multilib-machines.patch" + "${FILESDIR}/0003-fix-segv-with-named-acl.patch" )

and the referenced Debian patch (or another one from ISC) added to /usr/portage/net-dns/bind/files, as you don't want to create ebuilds which will be obsolete in a few days and instead want to replace this ebuild (and any others referencing 9.16.11) completely with the upcoming release, which probably should already include this patch. This is totally reasonable, but in my opinion keeping "Critical" (this is the severity field, not the priority field) wouldn't prevent you from later "RESOLVING" this bug by removing the buggy ebuild and replacing it with an ebuild of the next security release.
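Review bot: the patch file referenced by the new PATCHES entry, "${FILESDIR}/0003-fix-segv-with-named-acl.patch", is missing from this diff, so the -r1 ebuild would fail in src_prepare until the Debian patch is committed to net-dns/bind/files/ alongside the ebuild change. Since the entry is meant to disappear again with 9.16.12, a one-line comment above it pointing at GL #2413 would tell the next maintainer when it can be dropped.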
Is this still present in bind-9.16.12?
No (the bug was fixed). From the change log of 9.16.12:

5571. [bug] named failed to start when its configuration included a zone with a non-builtin "allow-update" ACL attached. [GL #2413]
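A minimal configuration of the shape the change log entry describes (a user-defined, non-builtin ACL attached to a zone's allow-update), added here as an illustration; it is not the reporter's config, and the ACL name, zone name and address are made-up placeholders:

```conf
// Constructed named.conf fragment, not from the original report.
// A user-defined (non-builtin) ACL referenced from a zone's allow-update is
// the configuration shape the 9.16.12 change log entry names as the trigger.
// The builtin ACLs are "any", "none", "localhost" and "localnets"; anything
// declared with an acl statement, like the one below, is non-builtin.
acl "dhcp-updaters" {
    192.0.2.10;      // placeholder address from the RFC 5737 documentation range
    localhost;
};

zone "example.test" IN {
    type master;
    file "example.test.zone";
    // Non-builtin ACL attached here.
    allow-update { dhcp-updaters; };
};
```

named-checkconf only validates syntax; the failure reported in this bug is a SIGSEGV when the service starts, so the check that matters after updating is the service restart the reporter describes.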
I just wanted someone to confirm, thank you! Due to security vulns, 9.16.12 is the only version in the tree; that said, we can close the ticket :)