diff --git a/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
new file mode 100644
index 0000000..aa0476f
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
@@ -0,0 +1,85 @@
+From 8a9b9ff5a8b2443f7df4f60397ad215931ba44f1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Tue, 7 Jan 2025 15:22:40 +0100
+Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
+ test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed. The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/conf.sh.in | 12 ++++++++++++
+ bin/tests/system/resolver/ns4/named.noaa | 5 -----
+ bin/tests/system/resolver/tests.sh | 8 ++++++++
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index 06852f5..f77f7de 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -305,6 +305,18 @@ digcomp() {
+ return $result
+ }
+ 
++start_server() {
++ $PERL "$SYSTEMTESTTOP/start.pl" "$SYSTESTDIR" "$@"
++}
++
++stop_server() {
++ $PERL "$SYSTEMTESTTOP/stop.pl" "$SYSTESTDIR" "$@"
++}
++
++send() {
++ $PERL "$SYSTEMTESTTOP/send.pl" "$@"
++}
++
+ #
+ # Useful functions in test scripts
+ #
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad..0000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 6eb52fe..bf37467 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -281,6 +281,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+-- 
+2.48.1
+
diff --git a/SOURCES/bind-9.18-CVE-2024-11187.patch b/SOURCES/bind-9.18-CVE-2024-11187.patch
new file mode 100644
index 0000000..8ccfe06
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187.patch
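Review bot: In both resolver/tests.sh hunks (`@@ -281` and `@@ -317`) the line `start_server --noclean --restart --port ${PORT} ns4 || ret=1` sets `ret` only after `status` has already been accumulated for the preceding check, and the very next check begins with `ret=0`, so a failed restart of ns4 is never counted in `status` and the following checks silently run against a server that is down or still in its previous mode. Record the failure where it happens, e.g. `start_server --noclean --restart --port ${PORT} ns4 || { echo_i "failed to restart ns4"; status=$((status + 1)); }`, and treat the unchecked `stop_server ns4` the same way. It is inferred from the deleted static ns4/named.noaa and the runtime `touch`/`rm` of that file that start.pl turns its presence into the `-T noaa` flag; a one-line comment above the first block saying so (`# ns4/named.noaa makes start.pl pass -T noaa for the RT21594 checks only`) would spare the next reader that deduction.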
@@ -0,0 +1,151 @@
+From ca6c3446ef07d89fd3a28b6979d947af2ab5754f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Thu, 14 Nov 2024 10:37:29 +0100
+Subject: [PATCH] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA. This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+PatchNumber: 47
+---
+ bin/named/query.c | 14 ++++++++------
+ bin/tests/system/additional/tests.sh | 2 +-
+ lib/dns/include/dns/rdataset.h | 12 ++++++++++++
+ lib/dns/rdataset.c | 12 ++++++++++++
+ 4 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 51a29a8..e023d74 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -1835,9 +1835,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+ * section, it's helpful if we add the SRV additional data
+ * as well.
+ */
+- eresult = dns_rdataset_additionaldata(trdataset,
+- query_addadditional,
+- client);
++ eresult = dns_rdataset_additionaldata2(trdataset,
++ query_addadditional,
++ client,
++ DNS_RDATASET_MAXADDITIONAL);
+ }
+ 
+ cleanup:
+@@ -2432,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ rdataset->rdclass);
+ rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+ 
+- if (NOADDITIONAL(client))
++ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
+ return;
+ 
+ /*
+@@ -2442,8 +2443,9 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ */
+ additionalctx.client = client;
+ additionalctx.rdataset = rdataset;
+- (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
+- &additionalctx);
++ (void)dns_rdataset_additionaldata2(rdataset, query_addadditional2,
++ &additionalctx,
++ DNS_RDATASET_MAXADDITIONAL);
+ CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
+ }
+ 
+diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
+index 6400723..a33cc8a 100644
+--- a/bin/tests/system/additional/tests.sh
++++ b/bin/tests/system/additional/tests.sh
+@@ -261,7 +261,7 @@ n=`expr $n + 1`
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=`expr status + 1`
+ fi
+diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
+index 710e97c..b3532f6 100644
+--- a/lib/dns/include/dns/rdataset.h
++++ b/lib/dns/include/dns/rdataset.h
+@@ -53,6 +53,8 @@
+ #include 
+ #include 
+ 
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -501,13 +503,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ *\li If a call to dns_rdata_additionaldata() is not successful, the
+ * result returned will be the result of dns_rdataset_additionaldata().
+ *
++ *\li If 'limit' is non-zero and the number of the rdatasets is larger
++ * than 'limit', no additional data will be processed.
++ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *
++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+ *\li Any error that dns_rdata_additionaldata() can return.
+ */
+ 
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
++ dns_additionaldatafunc_t add, void *arg,
++ size_t limit);
++
+ isc_result_t
+ dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *neg, dns_rdataset_t *negsig);
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index b42dea5..5160acf 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -28,6 +28,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ static const char *trustnames[] = {
+ "none",
+@@ -608,6 +609,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg)
++{
++ return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
++}
++
++isc_result_t
++dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
++ dns_additionaldatafunc_t add, void *arg, size_t limit)
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+@@ -620,6 +628,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++ return DNS_R_TOOMANYRECORDS;
++ }
++
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+-- 
+2.48.1
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 3a0e3a8..6797010 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
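Review bot: The new doc comment in rdataset.h says the limit applies when "the number of the rdatasets is larger than 'limit'", but the check added in rdataset.c is `dns_rdataset_count(rdataset) > limit`, i.e. the number of rdata (records) inside the one rdataset being walked; reword it to `*\li If 'limit' is non-zero and the rdataset holds more than 'limit' records, no additional data is processed and #DNS_R_TOOMANYRECORDS is returned.` The `#define DNS_RDATASET_MAXADDITIONAL 13` has no comment explaining what the 13 bounds, although the commit message gives the rationale (capping database lookups per client query); add `/* Largest RRset for which additional-section lookups are attempted; bounds per-query database work (CVE-2024-11187). */` above it. In query_addadditional the nested call now stores the result in `eresult`, and that function's tail lies outside the hunk; if `eresult` is returned to the enclosing iteration as the existing code suggests, a DNS_R_TOOMANYRECORDS from one oversized SRV-target RRset also stops processing of the remaining rdata of the outer set, so confirm that is the intended degradation rather than something to map to success at that call site.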
@@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.36
-Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2
+Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.4
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -197,6 +197,9 @@ Patch205: bind-9.11-CVE-2024-1975.patch
 Patch206: bind-9.11-CVE-2024-1737.patch
 # RH downstream, allow changing by environment
 Patch208: bind-9.11-CVE-2024-1737-runtime-env.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
+Patch209: bind-9.18-CVE-2024-11187-pre-test.patch
+Patch210: bind-9.18-CVE-2024-11187.patch
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
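Review bot: The provenance comment added above Patch209 points at upstream commit c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0, while the two patch files it introduces record cherry-picks of e51d4d3b88af00d6667f2055087ebfc47fb3107c and a1982cf1bb95c818aa7b58988b5611dec80f2408, so someone auditing the CVE-2024-11187 backport cannot tell from the spec which upstream change was actually taken. Name each patch's source in the spec, e.g. `# CVE-2024-11187, backported from the 9.18 branch: test prerequisite e51d4d3b88af00d6667f2055087ebfc47fb3107c, fix a1982cf1bb95c818aa7b58988b5611dec80f2408`. The `bind-9.18-` prefix on files applied to a 9.11.36 tree also departs from the `bind-9.11-` naming of the neighbouring patches; if the prefix is meant to record the donor branch, say so in that comment.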
@@ -568,58 +571,60 @@ are used for building ISC DHCP.
 %setup -q -n %{name}-%{BINDVERSION}
 # Common patches
-%patch10 -p1 -b .PIE
-%patch16 -p1 -b .redhat_doc
+%patch -P 10 -p1 -b .PIE
+%patch -P 16 -p1 -b .redhat_doc
 %ifnarch alpha ia64
-%patch72 -p1 -b .64bit
+%patch -P 72 -p1 -b .64bit
 %endif
-%patch102 -p1 -b .rh452060
-%patch106 -p1 -b .rh490837
-%patch109 -p1 -b .rh478718
-%patch112 -p1 -b .rh645544
-%patch130 -p1 -b .libdb
-%patch131 -p1 -b .multlib-conflict
-%patch140 -p1 -b .rh1410433
-%patch145 -p1 -b .rh1205168
-%patch153 -p1 -b .export_suffix
-%patch154 -p1 -b .oot-man
-%patch155 -p1 -b .pk11-internal
-%patch156 -p1 -b .fips-code
-%patch157 -p1 -b .fips-tests
-%patch159 -p1 -b .host-idn-disable
-%patch164 -p1 -b .fips-includes
-%patch165 -p1 -b .rt31459
-%patch166 -p1 -b .rt46047
-%patch167 -p1 -b .rh1668682
-%patch168 -p1 -b .random_test-disable
-%patch174 -p1 -b .rh1737407
-%patch175 -p1 -b .json-c
-%patch177 -p1 -b .serve-stale
-%patch178 -p1 -b .time-monotonic
-%patch183 -p1 -b .rh1980757
-%patch184 -p1 -b .rh2030239
-%patch185 -p1 -b .CVE-2021-25220
-%patch186 -p1 -b .CVE-2021-25220-test
-%patch188 -p1 -b .CVE-2022-38177
-%patch189 -p1 -b .CVE-2022-38178
-%patch190 -p1 -b .rh2101712
-%patch191 -p1 -b .CVE-2022-2795
-%patch192 -p1 -b .rh2133889
-%patch193 -p1 -b .CVE-2022-3094
-%patch194 -p1 -b .CVE-2022-3094
-%patch195 -p1 -b .CVE-2022-3094
-%patch196 -p1 -b .CVE-2022-3094-test
-%patch197 -p1 -b .CVE-2023-2828
-%patch198 -p1 -b .CVE-2023-3341
-%patch199 -p1 -b .RHEL-11785
-%patch200 -p1 -b .b.root-servers.net
-%patch201 -p1 -b .CVE-2023-4408
-%patch202 -p1 -b .CVE-2023-50387+50868
-%patch203 -p1 -b .CVE-2023-2828-fixup
-%patch204 -p1 -b .CVE-2023-50387-fixup
-%patch205 -p1 -b .CVE-2024-1975
-%patch206 -p1 -b .CVE-2024-1737
-%patch208 -p1 -b .CVE-2024-1737-env
+%patch -P 102 -p1 -b .rh452060
+%patch -P 106 -p1 -b .rh490837
+%patch -P 109 -p1 -b .rh478718
+%patch -P 112 -p1 -b .rh645544
+%patch -P 130 -p1 -b .libdb
+%patch -P 131 -p1 -b .multlib-conflict
+%patch -P 140 -p1 -b .rh1410433
+%patch -P 145 -p1 -b .rh1205168
+%patch -P 153 -p1 -b .export_suffix
+%patch -P 154 -p1 -b .oot-man
+%patch -P 155 -p1 -b .pk11-internal
+%patch -P 156 -p1 -b .fips-code
+%patch -P 157 -p1 -b .fips-tests
+%patch -P 159 -p1 -b .host-idn-disable
+%patch -P 164 -p1 -b .fips-includes
+%patch -P 165 -p1 -b .rt31459
+%patch -P 166 -p1 -b .rt46047
+%patch -P 167 -p1 -b .rh1668682
+%patch -P 168 -p1 -b .random_test-disable
+%patch -P 174 -p1 -b .rh1737407
+%patch -P 175 -p1 -b .json-c
+%patch -P 177 -p1 -b .serve-stale
+%patch -P 178 -p1 -b .time-monotonic
+%patch -P 183 -p1 -b .rh1980757
+%patch -P 184 -p1 -b .rh2030239
+%patch -P 185 -p1 -b .CVE-2021-25220
+%patch -P 186 -p1 -b .CVE-2021-25220-test
+%patch -P 188 -p1 -b .CVE-2022-38177
+%patch -P 189 -p1 -b .CVE-2022-38178
+%patch -P 190 -p1 -b .rh2101712
+%patch -P 191 -p1 -b .CVE-2022-2795
+%patch -P 192 -p1 -b .rh2133889
+%patch -P 193 -p1 -b .CVE-2022-3094
+%patch -P 194 -p1 -b .CVE-2022-3094
+%patch -P 195 -p1 -b .CVE-2022-3094
+%patch -P 196 -p1 -b .CVE-2022-3094-test
+%patch -P 197 -p1 -b .CVE-2023-2828
+%patch -P 198 -p1 -b .CVE-2023-3341
+%patch -P 199 -p1 -b .RHEL-11785
+%patch -P 200 -p1 -b .b.root-servers.net
+%patch -P 201 -p1 -b .CVE-2023-4408
+%patch -P 202 -p1 -b .CVE-2023-50387+50868
+%patch -P 203 -p1 -b .CVE-2023-2828-fixup
+%patch -P 204 -p1 -b .CVE-2023-50387-fixup
+%patch -P 205 -p1 -b .CVE-2024-1975
+%patch -P 206 -p1 -b .CVE-2024-1737
+%patch -P 208 -p1 -b .CVE-2024-1737-env
+%patch -P 209 -p1 -b .CVE-2024-11187-pre-test
+%patch -P 210 -p1 -b .CVE-2024-11187
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -635,20 +640,20 @@ find bin lib/lwres/man -name '*.docbook' -exec \
 -i '{}' ';'
 %if %{with PKCS11}
-%patch150 -p1 -b .engine-pkcs11
+%patch -P 150 -p1 -b .engine-pkcs11
 cp -r bin/named{,-pkcs11}
 cp -r bin/dnssec{,-pkcs11}
 cp -r lib/isc{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
-%patch136 -p1 -b .dist_pkcs11
-%patch149 -p1 -b .kyua-pkcs11
+%patch -P 136 -p1 -b .dist_pkcs11
+%patch -P 149 -p1 -b .kyua-pkcs11
 %endif
 %if %{with SDB}
-%patch101 -p1 -b .old-api
+%patch -P 101 -p1 -b .old-api
 mkdir bin/named-sdb
 cp -r bin/named/* bin/named-sdb
-%patch11 -p1 -b .sdbsrc
+%patch -P 11 -p1 -b .sdbsrc
 # SDB ldap
 cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
 # SDB postgreSQL
@@ -667,14 +672,14 @@ cp -fp %{SOURCE7} bin/sdb_tools/Makefile.in
 cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools
 cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools
 cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
-%patch12 -p1 -b .sdb
-%patch17 -p1 -b .fix_sdb_ldap
-%patch18 -p1 -b .fix_zone2ldap
-%patch137 -p1 -b .strlcat_fix
+%patch -P 12 -p1 -b .sdb
+%patch -P 17 -p1 -b .fix_sdb_ldap
+%patch -P 18 -p1 -b .fix_zone2ldap
+%patch -P 137 -p1 -b .strlcat_fix
 %endif
-%patch133 -p1 -b .rh640538
-%patch134 -p1 -b .rh669163
+%patch -P 133 -p1 -b .rh640538
+%patch -P 134 -p1 -b .rh669163
 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
@@ -1672,6 +1677,13 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 %changelog
+* Thu Feb 06 2025 Petr Menšík - 32:9.11.36-16.4
+- Change patches applying to use -P parameter
+
+* Wed Feb 05 2025 Petr Menšík - 32:9.11.36-16.3
+- Limit additional section records CPU processing (CVE-2024-11187)
+- Correct ANY queries to not have additional data appended
+
 * Tue Aug 06 2024 Petr Menšík - 32:9.11.36-16.2
 - Rebuild after CI change