import bind-9.16.23-24.el9_5

i9c changed/i9c/bind-9.16.23-24.el9_5
MSVSphere Packaging Team 1 day ago
parent d6e28d93a3
commit dc2f53ef00
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -0,0 +1,34 @@
From beeb4527b25c8d48842bbc78f100b716df118699 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 9 Jul 2024 16:06:02 +0200
Subject: [PATCH] Increase even further hazard pointers after KeyTrap
Extends even more change Downstream specific changes related to KeyTrap,
which added safety guards into hazard pointers. Because it seems they
are not still enough. Add fixed base to accomodate common threads like
main app thread and ldap worker threads. Multiply one more, just to be
sure. We do not want to hit maximal limit again.
---
lib/isc/managers.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
index 3bdca99..fffff78 100644
--- a/lib/isc/managers.c
+++ b/lib/isc/managers.c
@@ -26,9 +26,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
/*
* We have ncpus network threads, ncpus old network threads - make
* it 4x just to be on the safe side. One additional for slow netmgr
- * thread.
+ * thread. One extra to be safe. Add base for main application thread
+ * or bind-dyndb-ldap worker threads.
*/
- isc_hp_init(5 * workers);
+ isc_hp_init(6 + 6 * workers);
REQUIRE(netmgrp != NULL && *netmgrp == NULL);
isc__netmgr_create(mctx, workers, &netmgr);
--
2.45.2

@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 18%{?dist}.6
Release: 24%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -155,24 +155,25 @@ Patch202: bind-9.16-isc-mempool-attach.patch
Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98
Patch204: bind-9.16-CVE-2023-6516-test.patch
Patch205: bind-9.16-CVE-2024-1975.patch
Patch205: bind-9.16-isc_hp-additional.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc
# https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6
# https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32
# https://gitlab.isc.org/isc-projects/bind9/commit/dfcadc2085c8844b5836aff2b5ea51fb60c34868
# https://gitlab.isc.org/isc-projects/bind9/commit/fdabf4b9570a60688f9f7d1e88d885f7a3718bca
# https://gitlab.isc.org/isc-projects/bind9/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
Patch206: bind-9.16-CVE-2024-1737.patch
Patch206: bind-9.16-CVE-2024-1975.patch
Patch207: bind-9.16-CVE-2024-1737.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
Patch207: bind-9.18-CVE-2024-4076.patch
Patch208: bind-9.18-CVE-2024-4076.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
Patch209: bind-9.16-CVE-2024-1737-records.patch
Patch210: bind-9.16-CVE-2024-1737-records-test.patch
Patch210: bind-9.16-CVE-2024-1737-records.patch
Patch211: bind-9.16-CVE-2024-1737-records-test.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/3f1826f2f78792e95f56da7af3a35c46b4d6d9af
Patch211: bind-9.16-CVE-2024-1737-types.patch
Patch212: bind-9.16-CVE-2024-1737-types-test.patch
Patch212: bind-9.16-CVE-2024-1737-types.patch
Patch213: bind-9.16-CVE-2024-1737-types-test.patch
# backport issue fix
Patch213: bind-9.16-CVE-2024-1737-records-test2.patch
Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
%{?systemd_ordering}
Requires: coreutils
@ -186,6 +187,9 @@ Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
Recommends: bind-utils bind-dnssec-utils
# Fixes of CVE-2023-50387 and CVE-2023-50868 caused ABI change
# Enforce updated rebuild is accepted only
Conflicts: bind-dyndb-ldap < 11.9-9
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn2-devel, libxml2-devel
@ -506,14 +510,15 @@ in HTML and PDF format.
%patch202 -p1 -b .mempool-attach
%patch203 -p1 -b .isc_hp-CVE-2023-50387
%patch204 -p1 -b .CVE-2023-6516-test
%patch205 -p1 -b .CVE-2024-1975
%patch206 -p1 -b .CVE-2024-1737
%patch207 -p1 -b .CVE-2024-4076
%patch209 -p1 -b .CVE-2024-1737-records
%patch210 -p1 -b .CVE-2024-1737-records-test
%patch211 -p1 -b .CVE-2024-1737-types
%patch212 -p1 -b .CVE-2024-1737-types-test
%patch213 -p1 -b .CVE-2024-1737-records-test2
%patch205 -p1 -b .RHEL-39131
%patch206 -p1 -b .CVE-2024-1975
%patch207 -p1 -b .CVE-2024-1737
%patch208 -p1 -b .CVE-2024-4076
%patch210 -p1 -b .CVE-2024-1737-records
%patch211 -p1 -b .CVE-2024-1737-records-test
%patch212 -p1 -b .CVE-2024-1737-types
%patch213 -p1 -b .CVE-2024-1737-types-test
%patch214 -p1 -b .CVE-2024-1737-records-test2
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1242,21 +1247,26 @@ fi;
%endif
%changelog
* Fri Aug 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.6
* Fri Aug 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24
- Minor fix of reclimit test backport (CVE-2024-1737)
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.5
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-23
- Backport addition of max-records-per-type and max-records-per-type options
* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.2
* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-22
- Resolve CVE-2024-1975
- Resolve CVE-2024-1737
- Resolve CVE-2024-4076
- Add ability to change runtime limits for max types and records per name
* Mon Mar 25 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.1
- Rebuild with correct z-stream tag again
* Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
- Increase size of hazard pointer array (RHEL-39131)
* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-20
- Ensure bind CVE fixes hits public Stream repository
* Fri Apr 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-19
- Ensure incompatible bind-dyndb-ldap is not accepted
* Mon Mar 25 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18
- Prevent crashing at masterformat system test (CVE-2023-6516)

Loading…
Cancel
Save