Rebuild required for BIND changes for KeyTrap change

Resolves: RHBZ#2129844
Resolves: RHBZ#2130614

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

.bind-dyndb-ldap.metadata

@@ -0,0 +1,2 @@
+2ddce96217240ef58962105e7677e70a52550eec bind-dyndb-ldap-11.9.tar.bz2
+fb28810dcc92aa4846fb9bec910385476bbae402 bind-dyndb-ldap-11.9.tar.bz2.asc

0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch

@@ -0,0 +1,35 @@
+From 7b4c1e28b3e64f7cd075599472e349510f8d33da Mon Sep 17 00:00:00 2001
+From: Petr Menšík <pemensik@redhat.com>
+Date: Sep 14 2022 15:23:20 +0000
+Subject: Modify empty zone conflicts under exclusive mode
+
+
+Does not accept new request when exclusive mode is active. Zone table
+can be modified even after main fwd entries have been added. Ensure
+empty zones handling keeps exclusive mode active.
+
+Exclusive mode were mentioned as the only protection it had by bind
+maintainer:
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6637#note_308928
+
+---
+
+diff --git a/src/fwd.c b/src/fwd.c
+index 24f6e53..0a3c673 100644
+--- a/src/fwd.c
++++ b/src/fwd.c
+@@ -595,10 +595,12 @@ fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
+ 		  dns_result_totext(result));
+ 
+ 	/* Handle collisions with automatic empty zones. */
+-	if (isconfigured == true)
++	if (isconfigured == true) {
++		run_exclusive_enter(inst, &lock_state);
+ 		CHECK(empty_zone_handle_conflicts(name,
+ 						  view->zonetable,
+ 						  (fwdpolicy == dns_fwdpolicy_first)));
++	}
+ 
+ cleanup:
+ 	run_exclusive_exit(inst, lock_state);
+

bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch

@@ -0,0 +1,24 @@
+diff --git a/src/mldap.c b/src/mldap.c
+index 92a330c..79efddb 100644
+--- a/src/mldap.c
++++ b/src/mldap.c
+@@ -50,18 +50,7 @@
+ static unsigned char uuid_rootname_ndata[]
+ 	= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
+ static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
+-static dns_name_t uuid_rootname =
+-{
+-	DNS_NAME_MAGIC,
+-	uuid_rootname_ndata,
+-	sizeof(uuid_rootname_ndata),
+-	sizeof(uuid_rootname_offsets),
+-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+-	uuid_rootname_offsets,
+-	NULL,
+-	{ (void *)-1, (void *)-1 },
+-	{ NULL, NULL }
+-};
++static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets);
+ 
+ struct mldapdb {
+ 	isc_mem_t	*mctx;

bind-dyndb-ldap.spec

@@ -1,7 +1,7 @@
 
 %define VERSION %{version}
 
-%define bind_version 32:9.11.17-1
+%define bind_version 32:9.16.23-19
 
 %if 0%{?fedora} >= 31 || 0%{?rhel} > 8
     %global openssl_pkcs11_version 0.4.10-6
@@ -12,7 +12,7 @@
 
 Name:           bind-dyndb-ldap
 Version:        11.9
-Release:        7%{?dist}
+Release:        9%{?dist}
 Summary:        LDAP back-end plug-in for BIND
 
 License:        GPLv2+
@@ -21,6 +21,9 @@ Source0:        https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
 Source1:        https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
 
 Patch1:         bind-dyndb-ldap-11.9-bind-9.16.17.patch
+Patch2:         0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/229
+Patch3:         https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
 
 BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
 BuildRequires:  krb5-devel
@@ -116,6 +119,13 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
 
 
 %changelog
+* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
+- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
+
+* Wed Oct 19 2022 Rafael Jeffman <rjeffman<redhat.com> - 11.9-8
+- Modify empty zone conflicts under exclusive mode
+  Resolves: rhbz#2129844, rhbz#2130614
+
 * Fri Nov 26 2021 Petr Menšík <pemensik@redhat.com> - 11.9-7
 - Rebuilt for BIND 9.16.23 (#2019575)