Hello Security Team,

Today I investigated CVE-2025-40775/bind9, which was initially marked as <not-affected> for bookworm and bullseye. However, I believe that this is incorrect.

Based on the description given in the upstream issue [0] (which is linked from the fixing commit linked in the security tracker), I traced the flow through the older code bases present in bookworm and bullseye. I found that the abort in question appears to be reachable like this:

    name.c:dns_name_toregion() -> REQUIRE() -> abort()

While the code looks very different from that of 9.20 (which is the oldest backported fix from upstream), there still appears to be a path through the code, when the TSIG signature algorithm is invalid, that will produce the behavior described in the CVE and which the upstream commit addresses.

I have removed the <not-affected> tag referencing bullseye, and I recommend that you do the same for the one referencing bookworm.

Regards,

-Roberto

[0] https://gitlab.isc.org/isc-projects/bind9/-/issues/5300

--
Roberto C. Sánchez
