From dc2f53ef004bec767b5a39b3048b56f8aad3f255 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 13 Nov 2024 16:02:54 +0300
Subject: [PATCH] import bind-9.16.23-24.el9_5
---
 SOURCES/bind-9.16-isc_hp-additional.patch | 34 ++++++++++++++
 SPECS/bind.spec | 54 ++++++++++++++---------
 2 files changed, 66 insertions(+), 22 deletions(-)
 create mode 100644 SOURCES/bind-9.16-isc_hp-additional.patch
diff --git a/SOURCES/bind-9.16-isc_hp-additional.patch b/SOURCES/bind-9.16-isc_hp-additional.patch
new file mode 100644
index 0000000..63c633e
--- /dev/null
+++ b/SOURCES/bind-9.16-isc_hp-additional.patch
@@ -0,0 +1,34 @@
+From beeb4527b25c8d48842bbc78f100b716df118699 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 9 Jul 2024 16:06:02 +0200
+Subject: [PATCH] Increase even further hazard pointers after KeyTrap
+
+Extends even more change Downstream specific changes related to KeyTrap,
+which added safety guards into hazard pointers. Because it seems they
+are not still enough. Add fixed base to accomodate common threads like
+main app thread and ldap worker threads. Multiply one more, just to be
+sure. We do not want to hit maximal limit again.
+---
+ lib/isc/managers.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/managers.c b/lib/isc/managers.c
+index 3bdca99..fffff78 100644
+--- a/lib/isc/managers.c
++++ b/lib/isc/managers.c
+@@ -26,9 +26,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
+ /*
+ * We have ncpus network threads, ncpus old network threads - make
+ * it 4x just to be on the safe side. One additional for slow netmgr
+- * thread.
++ * thread. One extra to be safe. Add base for main application thread
++ * or bind-dyndb-ldap worker threads.
+ */
+- isc_hp_init(5 * workers);
++ isc_hp_init(6 + 6 * workers);
+ 
+ REQUIRE(netmgrp != NULL && *netmgrp == NULL);
+ isc__netmgr_create(mctx, workers, &netmgr);
+--
+2.45.2
+ 
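Review bot: The comment in the inner managers.c hunk still explains the sizing as "4x just to be on the safe side" plus one slow-netmgr thread, but the new call reserves `6 + 6 * workers` hazard-pointer slots, so the stated rationale no longer matches the arithmetic and two bare literals now carry the whole safety argument for a limit the commit message says was already hit in production. Replace the literals with named, individually justified constants, e.g. `isc_hp_init(HP_BASE_THREADS + HP_PER_WORKER * workers);` with `HP_BASE_THREADS` documented as "main application thread plus bind-dyndb-ldap workers" and `HP_PER_WORKER` as the per-netmgr-worker budget (names are suggestions), so the next adjustment changes one documented value rather than a guessed multiplier. What happens when the array is exhausted is not visible here; if the limit is enforced inside isc_hp_init, the failure should name the exhausted limit and the thread count so the next overflow is diagnosable instead of a bare assertion. isc_managers_create begins before the inner hunk and continues past it.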
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 5422706..20a162a 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 18%{?dist}.6
+Release: 24%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -155,24 +155,25 @@ Patch202: bind-9.16-isc-mempool-attach.patch
 Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98
 Patch204: bind-9.16-CVE-2023-6516-test.patch
-Patch205: bind-9.16-CVE-2024-1975.patch
+Patch205: bind-9.16-isc_hp-additional.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc
 # https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6
 # https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32
 # https://gitlab.isc.org/isc-projects/bind9/commit/dfcadc2085c8844b5836aff2b5ea51fb60c34868
 # https://gitlab.isc.org/isc-projects/bind9/commit/fdabf4b9570a60688f9f7d1e88d885f7a3718bca
 # https://gitlab.isc.org/isc-projects/bind9/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
-Patch206: bind-9.16-CVE-2024-1737.patch
+Patch206: bind-9.16-CVE-2024-1975.patch
+Patch207: bind-9.16-CVE-2024-1737.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
-Patch207: bind-9.18-CVE-2024-4076.patch
+Patch208: bind-9.18-CVE-2024-4076.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
-Patch209: bind-9.16-CVE-2024-1737-records.patch
-Patch210: bind-9.16-CVE-2024-1737-records-test.patch
+Patch210: bind-9.16-CVE-2024-1737-records.patch
+Patch211: bind-9.16-CVE-2024-1737-records-test.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/3f1826f2f78792e95f56da7af3a35c46b4d6d9af
-Patch211: bind-9.16-CVE-2024-1737-types.patch
-Patch212: bind-9.16-CVE-2024-1737-types-test.patch
+Patch212: bind-9.16-CVE-2024-1737-types.patch
+Patch213: bind-9.16-CVE-2024-1737-types-test.patch
 # backport issue fix
-Patch213: bind-9.16-CVE-2024-1737-records-test2.patch
+Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
 
 %{?systemd_ordering}
 Requires: coreutils
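Review bot: The new `Patch205: bind-9.16-isc_hp-additional.patch` is the only entry in this list with neither an upstream commit URL nor a tracker reference above it, while the %prep hunk further down applies it as `%patch205 -p1 -b .RHEL-39131`; add `# RHEL-39131 - downstream-only hazard pointer sizing, no upstream commit` above the declaration so the provenance is recorded where the other patches record theirs. Inserting the patch mid-sequence also renumbers Patch205 through Patch214 and every matching %patch line in the later hunk, and it moves the six gitlab commit URLs that previously sat directly above the CVE-2024-1737 patch so that they now sit above the CVE-2024-1975 patch instead, leaving it ambiguous which patch they document. Appending the new patch as `Patch214: bind-9.16-isc_hp-additional.patch` with a matching `%patch214` line would have kept the existing number-to-CVE mapping and the URL placement stable.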
@@ -186,6 +187,9 @@ Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
 Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
 Recommends: bind-utils bind-dnssec-utils
+# Fixes of CVE-2023-50387 and CVE-2023-50868 caused ABI change
+# Enforce updated rebuild is accepted only
+Conflicts: bind-dyndb-ldap < 11.9-9
 BuildRequires: gcc, make
 BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires: libidn2-devel, libxml2-devel
@@ -506,14 +510,15 @@ in HTML and PDF format.
 %patch202 -p1 -b .mempool-attach
 %patch203 -p1 -b .isc_hp-CVE-2023-50387
 %patch204 -p1 -b .CVE-2023-6516-test
-%patch205 -p1 -b .CVE-2024-1975
-%patch206 -p1 -b .CVE-2024-1737
-%patch207 -p1 -b .CVE-2024-4076
-%patch209 -p1 -b .CVE-2024-1737-records
-%patch210 -p1 -b .CVE-2024-1737-records-test
-%patch211 -p1 -b .CVE-2024-1737-types
-%patch212 -p1 -b .CVE-2024-1737-types-test
-%patch213 -p1 -b .CVE-2024-1737-records-test2
+%patch205 -p1 -b .RHEL-39131
+%patch206 -p1 -b .CVE-2024-1975
+%patch207 -p1 -b .CVE-2024-1737
+%patch208 -p1 -b .CVE-2024-4076
+%patch210 -p1 -b .CVE-2024-1737-records
+%patch211 -p1 -b .CVE-2024-1737-records-test
+%patch212 -p1 -b .CVE-2024-1737-types
+%patch213 -p1 -b .CVE-2024-1737-types-test
+%patch214 -p1 -b .CVE-2024-1737-records-test2
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
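Review bot: The `Conflicts: bind-dyndb-ldap < 11.9-9` added in the first hunk guards only the one known out-of-tree consumer of the changed ABI; any other binary built against the pre-CVE-2023-50387 library layout is still installed and loaded against the new library with no packaging-level signal, and if the break is a struct-layout change (the comment says "ABI change" but not what changed) that failure mode is silent memory corruption rather than a clean refusal. The Conflicts is also declared in the main bind package, while the library whose ABI moved ships in bind-libs, which the hunk header shows this package merely Requires; if the break is in the shared library, the guard belongs on bind-libs and should ideally be accompanied by a bumped library version or versioned Provides so rpm rejects every stale consumer, not just this one. At minimum the comment should name what moved, e.g. `# CVE-2023-50387/CVE-2023-50868 fixes changed the layout of <affected structure(s) - fill in>; every consumer must be rebuilt`, so a future maintainer can judge whether the Conflicts is still sufficient.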
@@ -1242,21 +1247,26 @@ fi; %endif %changelog -* Fri Aug 09 2024 Petr Menšík - 32:9.16.23-18.6 +* Fri Aug 09 2024 Petr Menšík - 32:9.16.23-24 - Minor fix of reclimit test backport (CVE-2024-1737) -* Wed Aug 07 2024 Petr Menšík - 32:9.16.23-18.5 +* Wed Aug 07 2024 Petr Menšík - 32:9.16.23-23 - Backport addition of max-records-per-type and max-records-per-type options -* Thu Jul 18 2024 Petr Menšík - 32:9.16.23-18.2 +* Thu Jul 18 2024 Petr Menšík - 32:9.16.23-22 - Resolve CVE-2024-1975 - Resolve CVE-2024-1737 - Resolve CVE-2024-4076 - Add ability to change runtime limits for max types and records per name -* Mon Mar 25 2024 Petr Menšík - 32:9.16.23-18.1 -- Rebuild with correct z-stream tag again +* Tue Jul 09 2024 Petr Menšík - 32:9.16.23-21 +- Increase size of hazard pointer array (RHEL-39131) +* Tue May 28 2024 Petr Menšík - 32:9.16.23-20 +- Ensure bind CVE fixes hits public Stream repository + +* Fri Apr 12 2024 Petr Menšík - 32:9.11.36-19 +- Ensure incompatible bind-dyndb-ldap is not accepted * Mon Mar 25 2024 Petr Menšík - 32:9.16.23-18 - Prevent crashing at masterformat system test (CVE-2023-6516)