- Detect presence of dns_zone_setmaxrrperset

- Update bind version to 9.16.23-16

SOURCES/0001-detect-presence-of-dns_zone_setmaxrrperset.patch

@@ -0,0 +1,75 @@
+From 33a671ebd0c4019c6ebb7e46a8329dbcdb4cc18d Mon Sep 17 00:00:00 2001
+From: Petr Menšík <pemensik@redhat.com>
+Date: Aug 07 2024 14:19:46 +0000
+Subject: Detect presence of dns_zone_setmaxrrperset
+
+
+Because it were backported into bind-9.16 branch by upstream and testing
+of simpler variant fails in some cases. This assumes these call do not
+appear only after 9.18.28, but may be backported into previous versions.
+Tests just call presence and assumes dns_db_setmaxtypepername will be
+present also.
+
+---
+ configure.ac      |  4 ++++
+ src/ldap_driver.c | 25 +++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index b4a85e2..5b6b975 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
+   [AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
+ )
+ 
++AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
++  [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
++)
++
+ dnl Older autoconf (2.59, for example) doesn't define docdir
+ [[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
+ AC_SUBST([docdir])
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index 03d3162..10693fc 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
+ }
+ #endif
+ 
++#if HAVE_DNS_DB_SETMAXRRPERSET
++/* Calls added to fix CVE-2024-1737 in 9.18.28 */
++static void
++setmaxrrperset(dns_db_t *db, uint32_t value) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
++}
++
++static void
++setmaxtypepername(dns_db_t *db, uint32_t value) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
++}
++#endif
++
+ static dns_dbmethods_t ldapdb_methods = {
+ 	attach,
+ 	detach,
+@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
+ #if LIBDNS_VERSION_MAJOR >= 1606
+ 	adjusthashsize, /* adjusthashsize */
+ #endif
++#if HAVE_DNS_DB_SETMAXRRPERSET
++	setmaxrrperset, /* setmaxrrperset */
++	setmaxtypepername, /* setmaxtypepername */
++#endif
+ };
+ 
+ isc_result_t ATTR_NONNULLS

SPECS/bind-dyndb-ldap.spec

@@ -1,7 +1,7 @@
 
 %define VERSION %{version}
 
-%define bind_version 32:9.11.17-1
+%define bind_version 32:9.16.23-16
 
 %if 0%{?fedora} >= 31 || 0%{?rhel} > 8
     %global openssl_pkcs11_version 0.4.10-6
@@ -12,7 +12,7 @@
 
 Name:           bind-dyndb-ldap
 Version:        11.9
-Release:        9%{?dist}.alma.1
+Release:        10%{?dist}.alma.1
 Summary:        LDAP back-end plug-in for BIND
 
 License:        GPLv2+
@@ -24,6 +24,8 @@ Patch1:         bind-dyndb-ldap-11.9-bind-9.16.17.patch
 Patch2:         0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
 # https://pagure.io/bind-dyndb-ldap/pull-request/229
 Patch3:         https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/235
+Patch4:         0001-detect-presence-of-dns_zone_setmaxrrperset.patch
 
 BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
 BuildRequires:  krb5-devel
@@ -119,7 +121,9 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
 
 
 %changelog
-* Wed May 01 2024 Eduard Abdullin <eabdullin@almalinu.org> - 11.9-9.alma.1
+* Wed May 01 2024 Eduard Abdullin <eabdullin@almalinu.org> - 11.9-10.alma.1
+- Detect presence of dns_zone_setmaxrrperset
+- Update bind version to 9.16.23-16
 
 * Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
 - Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)