BIND9 CVE and Pfsense BSD port
-
Hi,
How does pfsense handle dependency vulnerability?
BIND 9.20 has high severity CVEs released a few weeks ago:
https://kb.isc.org/docs/cve-2025-40778
https://kb.isc.org/docs/cve-2025-40780
https://kb.isc.org/docs/aa-00913
I see that pfsense port stays on bind920-9.20.6 which is vulnerable.
-
Try running the package upgrade via the command line to install out of bounds updates until Netgate updates the package or provides a patch.
pkg upgrade
I also run the pkg_check.php tool as a cron to send me a notification when there are pkg updates.
-
pkg doesn't seem to be functional on the latest pfSense, pkg-static works but it's using the pfSense repository.
[25.07.1-RELEASE][admin@pfsense]/root: pkg-static search bind
bind-tools-9.20.6              Command line tools from BIND: delv, dig, host, nslookup...
bind920-9.20.6                 BIND DNS suite with updated DNSSEC and DNS64
pfSense-pkg-bind-9.20_1        BIND DNS suite with updated DNSSEC and DNS64
[25.07.1-RELEASE][admin@pfsense]/root: pkg upgrade
ld-elf.so.1: Shared object "libutil.so.10" not found, required by "pkg"
The patched version is 9.20.15.
https://www.freshports.org/dns/bind920
I'm not sure if it's such a good idea pointing my repo to BSD ports directly as it may break other packages.
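As an added example (not code from the thread or from pfSense): a POSIX sh check that parses pkg-static info style output and flags a bind920 older than the fixed 9.20.15 named above. The sample listing is constructed to match the search output in this post; the version comparison handles dotted components and the FreeBSD _N port revision but not epochs, which is an assumption of the example.

```shell
# Added example, not from the thread: decide from "pkg-static info" style
# output whether the installed bind920 is older than the fixed release.
FIXED_BIND920="9.20.15"   # fixed version cited in the thread
# Constructed sample, shaped like the pkg-static listing in the thread.
SAMPLE_PKG_INFO='bind920-9.20.6                 BIND DNS suite with updated DNSSEC and DNS64
pfSense-pkg-bind-9.20_1        BIND DNS suite with updated DNSSEC and DNS64'
# pkg_version_of NAME (listing on stdin): print the version of package NAME.
# The first field is "name-version"; the version is everything after the last "-".
pkg_version_of() {
    awk -v name="$1" '{
        n = split($1, p, "-"); pkgname = p[1]
        for (i = 2; i < n; i++) pkgname = pkgname "-" p[i]
        if (pkgname == name) { print p[n]; exit }
    }'
}
# version_older A B: exit 0 if A sorts before B. Compares dotted components
# numerically, then the FreeBSD "_N" port revision. Epochs (",N") are not
# handled; that is an assumption of this example.
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, ap, "_"); split(b, bp, "_")
        na = split(ap[1], av, "."); nb = split(bp[1], bv, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? av[i] + 0 : 0; y = (i <= nb) ? bv[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        ra = (2 in ap) ? ap[2] + 0 : 0; rb = (2 in bp) ? bp[2] + 0 : 0
        if (ra < rb) exit 0
        exit 1
    }'
}
# check_bind920 LISTING: 0 = update needed, 1 = fixed or newer, 2 = not installed.
check_bind920() {
    installed=$(printf '%s\n' "$1" | pkg_version_of bind920)
    if [ -z "$installed" ]; then
        echo "bind920 is not installed"; return 2
    fi
    if version_older "$installed" "$FIXED_BIND920"; then
        echo "bind920-$installed is older than $FIXED_BIND920: update needed"; return 0
    fi
    echo "bind920-$installed is at or above $FIXED_BIND920"; return 1
}
# On a pfSense box: check_bind920 "$(pkg-static info)". Offline, use the sample:
check_bind920 "$SAMPLE_PKG_INFO"
```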
-
@WhizzWr The latest beta 25.11 appears to already have the latest version if you are so inclined to try it.
-
@chpalmer thanks I may try it. Can I switch back to the stable channel once 25.11 is released?
-
You might be able to install the latest port manually, similar to what we are doing for Tailscale
pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/bind920-9.20.15.pkg
You might be able to enable pkg (have not tried, since it works with CE out of the box)
pkg-static update
pkg-static install -fy pkg
-
@elvisimprsntr thanks for the detailed explanation.
It looks to me bind9 pulls in more dependencies.
[admin@pfsense ~]# pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/bind920-9.20.15.pkg
Fetching bind920-9.20.15.pkg:  91%    6 MiB   6.6MB/s    00:00 ET
Fetching bind920-9.20.15.pkg: 100%    7 MiB   7.2MB/s    00:01
Installing bind920-9.20.15...
Newer FreeBSD version for package bind920:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1500068
- running kernel: 1500000
Ignore the mismatch and continue? [y/N]: y
package bind920 is already installed, forced install
pkg: Missing dependency 'lmdb'
Failed to install the following 1 package(s): https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/bind920-9.20.15.pkg
[admin@pfsense ~]# pkg install lmdb
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'lmdb' have been found in the repositories
-
@WhizzWr said in BIND9 CVE and Pfsense BSD port:
@chpalmer thanks I may try it. Can I switch back to the stable channel once 25.11 is released?
Yes
-
@chpalmer said in BIND9 CVE and Pfsense BSD port:
@WhizzWr said in BIND9 CVE and Pfsense BSD port:
@chpalmer thanks I may try it. Can I switch back to the stable channel once 25.11 is released?
Yes
I upgraded to the latest Beta; unfortunately it still uses bind9 9.02.13, so it is still vulnerable to the CVEs.