2 changed files with 69 additions and 22 deletions
--- a/SOURCES/bind-9.16-isc_hp-additional.patch
+++ b/SOURCES/bind-9.16-isc_hp-additional.patch
@ -0,0 +1,34 @@
 From beeb4527b25c8d48842bbc78f100b716df118699 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 9 Jul 2024 16:06:02 +0200
 Subject: [PATCH] Increase even further hazard pointers after KeyTrap
 Extends even more change Downstream specific changes related to KeyTrap,
 which added safety guards into hazard pointers. Because it seems they
 are not still enough. Add fixed base to accomodate common threads like
 main app thread and ldap worker threads. Multiply one more, just to be
 sure. We do not want to hit maximal limit again.
 ---
 lib/isc/managers.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/lib/isc/managers.c b/lib/isc/managers.c
 index 3bdca99..fffff78 100644
 --- a/lib/isc/managers.c
 +++ b/lib/isc/managers.c
@@ -26,9 +26,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
 	/*
 	 * We have ncpus network threads, ncpus old network threads - make
 	 * it 4x just to be on the safe side. One additional for slow netmgr
 -	 * thread.
 +	 * thread. One extra to be safe. Add base for main application thread
 +	 * or bind-dyndb-ldap worker threads.
 	 */
 -	isc_hp_init(5 * workers);
 +	isc_hp_init(6 + 6 * workers);
 	REQUIRE(netmgrp != NULL && *netmgrp == NULL);
 	isc__netmgr_create(mctx, workers, &netmgr);
 -- 
 2.45.2
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@ -54,7 +54,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  18%{?dist}.6
+Release:  24%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -155,24 +155,25 @@ Patch202: bind-9.16-isc-mempool-attach.patch
 Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/1237d73cd1120b146ee699bbae7b2fe837cf2f98
 Patch204: bind-9.16-CVE-2023-6516-test.patch
-Patch205: bind-9.16-CVE-2024-1975.patch
+Patch205: bind-9.16-isc_hp-additional.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc
 # https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6
 # https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32
 # https://gitlab.isc.org/isc-projects/bind9/commit/dfcadc2085c8844b5836aff2b5ea51fb60c34868
 # https://gitlab.isc.org/isc-projects/bind9/commit/fdabf4b9570a60688f9f7d1e88d885f7a3718bca
 # https://gitlab.isc.org/isc-projects/bind9/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
-Patch206: bind-9.16-CVE-2024-1737.patch
+Patch206: bind-9.16-CVE-2024-1975.patch
 Patch207: bind-9.16-CVE-2024-1737.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
-Patch207: bind-9.18-CVE-2024-4076.patch
+Patch208: bind-9.18-CVE-2024-4076.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
-Patch209: bind-9.16-CVE-2024-1737-records.patch
+Patch210: bind-9.16-CVE-2024-1737-records.patch
-Patch210: bind-9.16-CVE-2024-1737-records-test.patch
+Patch211: bind-9.16-CVE-2024-1737-records-test.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/3f1826f2f78792e95f56da7af3a35c46b4d6d9af
-Patch211: bind-9.16-CVE-2024-1737-types.patch
+Patch212: bind-9.16-CVE-2024-1737-types.patch
-Patch212: bind-9.16-CVE-2024-1737-types-test.patch
+Patch213: bind-9.16-CVE-2024-1737-types-test.patch
 # backport issue fix
-Patch213: bind-9.16-CVE-2024-1737-records-test2.patch
+Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -186,6 +187,9 @@ Requires:       bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
 Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
 Recommends:     bind-utils bind-dnssec-utils
 # Fixes of CVE-2023-50387 and CVE-2023-50868 caused ABI change
 # Enforce updated rebuild is accepted only
 Conflicts:      bind-dyndb-ldap < 11.9-9
 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires:  libidn2-devel, libxml2-devel
@ -506,14 +510,15 @@ in HTML and PDF format.
 %patch202 -p1 -b .mempool-attach
 %patch203 -p1 -b .isc_hp-CVE-2023-50387
 %patch204 -p1 -b .CVE-2023-6516-test
-%patch205 -p1 -b .CVE-2024-1975
+%patch205 -p1 -b .RHEL-39131
-%patch206 -p1 -b .CVE-2024-1737
+%patch206 -p1 -b .CVE-2024-1975
-%patch207 -p1 -b .CVE-2024-4076
+%patch207 -p1 -b .CVE-2024-1737
-%patch209 -p1 -b .CVE-2024-1737-records
+%patch208 -p1 -b .CVE-2024-4076
-%patch210 -p1 -b .CVE-2024-1737-records-test
+%patch210 -p1 -b .CVE-2024-1737-records
-%patch211 -p1 -b .CVE-2024-1737-types
+%patch211 -p1 -b .CVE-2024-1737-records-test
-%patch212 -p1 -b .CVE-2024-1737-types-test
+%patch212 -p1 -b .CVE-2024-1737-types
-%patch213 -p1 -b .CVE-2024-1737-records-test2
+%patch213 -p1 -b .CVE-2024-1737-types-test
 %patch214 -p1 -b .CVE-2024-1737-records-test2
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1242,21 +1247,29 @@ fi;
 %endif
 %changelog
-* Fri Aug 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.6
+* Wed Oct 16 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 9.16.23-24
 - Rebuilt for MSVSphere 9.5
 * Fri Aug 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-24
 - Minor fix of reclimit test backport (CVE-2024-1737)
-* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.5
+* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-23
 - Backport addition of max-records-per-type and max-records-per-type options
-* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.2
+* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-22
 - Resolve CVE-2024-1975
 - Resolve CVE-2024-1737
 - Resolve CVE-2024-4076
 - Add ability to change runtime limits for max types and records per name
-* Mon Mar 25 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18.1
+* Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
- Rebuild with correct z-stream tag again
+- Increase size of hazard pointer array (RHEL-39131)
 * Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-20
 - Ensure bind CVE fixes hits public Stream repository
 * Fri Apr 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-19
 - Ensure incompatible bind-dyndb-ldap is not accepted
 * Mon Mar 25 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-18
 - Prevent crashing at masterformat system test (CVE-2023-6516)