.bind-dyndb-ldap.metadata

@@ -1 +0,0 @@
-fa27009509513d06a65b5aa16b612824280221c6 SOURCES/bind-dyndb-ldap-11.6.tar.bz2

.gitignore

@@ -1 +1,57 @@
-SOURCES/bind-dyndb-ldap-11.6.tar.bz2
+bind-dyndb-ldap-0.1.0b.tar.bz2
+/bind-dyndb-ldap-0.2.0.tar.bz2
+/bind-dyndb-ldap-1.0.0b1.tar.gz
+/bind-dyndb-ldap-1.0.0rc1.tar.bz2
+/bind-dyndb-ldap-1.1.0a1.tar.bz2
+/bind-dyndb-ldap-1.1.0a2.tar.bz2
+/bind-dyndb-ldap-1.1.0b1.tar.bz2
+/bind-dyndb-ldap-1.1.0b2.tar.bz2
+/bind-dyndb-ldap-1.1.0rc1.tar.bz2
+/bind-dyndb-ldap-2.0-20120921git7710d89.tar.bz2
+/bind-dyndb-ldap-2.0-20121009git6a86b1.tar.gz
+/bind-dyndb-ldap-2.1.tar.bz2
+/bind-dyndb-ldap-2.3.tar.bz2
+/bind-dyndb-ldap-2.4.tar.bz2
+/bind-dyndb-ldap-2.5.tar.bz2
+/bind-dyndb-ldap-2.6.tar.bz2
+/bind-dyndb-ldap-3.0.tar.bz2
+/bind-dyndb-ldap-3.1.tar.bz2
+/bind-dyndb-ldap-3.2.tar.bz2
+/bind-dyndb-ldap-3.3.tar.bz2
+/bind-dyndb-ldap-3.4.tar.bz2
+/bind-dyndb-ldap-3.5.tar.bz2
+/bind-dyndb-ldap-4.1.tar.bz2
+/bind-dyndb-ldap-4.3.tar.bz2
+/bind-dyndb-ldap-5.0.tar.bz2
+/bind-dyndb-ldap-5.1.tar.bz2
+/bind-dyndb-ldap-5.2.tar.bz2
+/bind-dyndb-ldap-5.3.tar.bz2
+/bind-dyndb-ldap-6.0.tar.bz2
+/bind-dyndb-ldap-6.1.tar.bz2
+/bind-dyndb-ldap-6.1.tar.bz2.asc
+/bind-dyndb-ldap-7.0.tar.bz2
+/bind-dyndb-ldap-7.0.tar.bz2.asc
+/bind-dyndb-ldap-8.0.tar.bz2
+/bind-dyndb-ldap-8.0.tar.bz2.asc
+/bind-dyndb-ldap-9.0.tar.bz2
+/bind-dyndb-ldap-9.0.tar.bz2.asc
+/bind-dyndb-ldap-10.0.tar.bz2
+/bind-dyndb-ldap-10.0.tar.bz2.asc
+/bind-dyndb-ldap-10.1.tar.bz2
+/bind-dyndb-ldap-10.1.tar.bz2.asc
+/bind-dyndb-ldap-11.0.tar.bz2
+/bind-dyndb-ldap-11.0.tar.bz2.asc
+/bind-dyndb-ldap-11.1.tar.bz2
+/bind-dyndb-ldap-11.1.tar.bz2.asc
+/bind-dyndb-ldap-11.2.tar.bz2
+/bind-dyndb-ldap-11.2.tar.bz2.asc
+/bind-dyndb-ldap-11.3.tar.bz2
+/bind-dyndb-ldap-11.3.tar.bz2.asc
+/bind-dyndb-ldap-11.5.tar.bz2
+/bind-dyndb-ldap-11.5.tar.bz2.asc
+/bind-dyndb-ldap-11.6.tar.bz2
+/bind-dyndb-ldap-11.6.tar.bz2.asc
+/bind-dyndb-ldap-11.7.tar.bz2
+/bind-dyndb-ldap-11.7.tar.bz2.asc
+/bind-dyndb-ldap-11.9.tar.bz2
+/bind-dyndb-ldap-11.9.tar.bz2.asc

0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch

@@ -1,7 +1,8 @@
 From 7b4c1e28b3e64f7cd075599472e349510f8d33da Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+From: Petr Menšík <pemensik@redhat.com>
-Date: Wed, 14 Sep 2022 17:10:11 +0200
+Date: Sep 14 2022 15:23:20 +0000
-Subject: [PATCH] Modify empty zone conflicts under exclusive mode
+Subject: Modify empty zone conflicts under exclusive mode
+
 
 Does not accept new request when exclusive mode is active. Zone table
 can be modified even after main fwd entries have been added. Ensure
@@ -10,9 +11,8 @@ empty zones handling keeps exclusive mode active.
 Exclusive mode were mentioned as the only protection it had by bind
 maintainer:
 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6637#note_308928
+
 ---
- src/fwd.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/src/fwd.c b/src/fwd.c
 index 24f6e53..0a3c673 100644
@@ -32,6 +32,4 @@ index 24f6e53..0a3c673 100644
  
  cleanup:
  	run_exclusive_exit(inst, lock_state);
--- 
-2.37.3
 

SOURCES/0002-add-rwlock-before-include-zt-h.patch

@@ -1,10 +0,0 @@
---- a/src/zone_register.h	2020-09-14 11:11:52.000000000 -0400
-+++ a/src/zone_register.h	2022-10-11 10:01:35.293730147 -0400
-@@ -5,6 +5,7 @@
- #ifndef _LD_ZONE_REGISTER_H_
- #define _LD_ZONE_REGISTER_H_
- 
-+#include <isc/rwlock.h>
- #include <dns/zt.h>
- 
- #include "settings.h"

SOURCES/bind-dyndb-ldap-11.6.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl+7wQUACgkQRxniuKu/
-YhrK4Q/7B3njZOLSN1nor1ftoGGgXHvOvAGZTH+S0aI/u2bGfMIy3iT6NCcXZaVy
-LftvbYUKZ1zT92LYyTng7d8qgc8B7fmIAHPKye2uuxfPgwYkqdBLLKOMoAjbijjI
-P3Qkoee9bAF89wjnEnyfE9beJ9Vwe6PQLuCovIIauYEfhXjazOhSt7aDpYQ1X5Ui
-WyUKMhbO9WZ+TokW6wMTLGC8eCJdIJz0OXrROsLp6KZW4Y4wxf/zcU/XztDmEcOm
-DIeDir1ohp8xyssfBYr9tmamD+FzoU9+oR1+WjQav/pxFBqezzm7U3cvq9PrQ7SK
-Q5jpmeNOTvoUjnEMBW/AXPxth0yXVX3XlIYjhVX3R4r/ZXwmK1g6hqsT2kSbCvAS
-/DR7yfou2SQLuH1z6qs6vd+IdTYVpsHMBBdQtHSeZ5701fyJgIABI98oMMV/KplL
-bwfL/uhTPjuH1nett7h7NuINiVET0Yy63/CRicQs199ORGLVBaQ+AVCxj33m5NH/
-ggMKhA5VNmMSSvyI/TiytLbqhjw29kjRo4/vDEqv1co9fB2J2MBdTCtSF4gixB0n
-da/W6PnKiS45f0NdqpU5oUxLDTni+hYrQV1GXavdnx8lpnab9jlJO6vOZSCodSS+
-0eMJRH7knFDrY7EEjbUD7/pPZphPQUamvecmYhgn+La4SHkf2wA=
-=cGu/
------END PGP SIGNATURE-----

bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch

@@ -0,0 +1,76 @@
+From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 7 Aug 2024 16:19:46 +0200
+Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset
+
+Because it were backported into bind-9.16 branch by upstream and testing
+of simpler variant fails in some cases. This assumes these call do not
+appear only after 9.18.28, but may be backported into previous versions.
+Tests just call presence and assumes dns_db_setmaxtypepername will be
+present also.
+---
+ configure.ac      |  4 ++++
+ src/ldap_driver.c | 25 +++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index faac214..b897c2b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
+   [AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
+ )
+ 
++AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
++  [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
++)
++
+ dnl Older autoconf (2.59, for example) doesn't define docdir
+ [[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
+ AC_SUBST([docdir])
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index 5f9e00a..29896d4 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
+ }
+ #endif
+ 
++#if HAVE_DNS_DB_SETMAXRRPERSET
++/* Calls added to fix CVE-2024-1737 in 9.18.28 */
++static void
++setmaxrrperset(dns_db_t *db, uint32_t value) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
++}
++
++static void
++setmaxtypepername(dns_db_t *db, uint32_t value) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
++}
++#endif
++
+ static dns_dbmethods_t ldapdb_methods = {
+ 	attach,
+ 	detach,
+@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
+ #if LIBDNS_VERSION_MAJOR >= 1606
+ 	adjusthashsize, /* adjusthashsize */
+ #endif
++#if HAVE_DNS_DB_SETMAXRRPERSET
++	setmaxrrperset, /* setmaxrrperset */
++	setmaxtypepername, /* setmaxtypepername */
++#endif
+ };
+ 
+ isc_result_t ATTR_NONNULLS
+-- 
+2.45.2
+

bind-dyndb-ldap-11.2-servestale.patch

@@ -0,0 +1,73 @@
+From fecc0fd86f598807129ea9fa1e4e7b74cf2aba21 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 11 Nov 2019 17:36:58 +0100
+Subject: [PATCH] Add support for servestale records
+
+Serve-stale support includes two new database methods. Add wrapper into
+ldap database.
+---
+ configure.ac      |  5 +++++
+ src/ldap_driver.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d05bad9..7997898 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -120,6 +120,11 @@ int main(void) {
+ [AC_MSG_ERROR([Cross compiling is not supported.])]
+ )
+ 
++dnl dns_db_setservestalettl() can be backported, detect support
++AC_CHECK_LIB([dns], [dns_db_setservestalettl],
++  [AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
++)
++
+ dnl Older autoconf (2.59, for example) doesn't define docdir
+ [[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
+ AC_SUBST([docdir])
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index b9161fe..dcf65d0 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -823,6 +823,26 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name)
+ 	return dns_db_nodefullname(ldapdb->rbtdb, node, name);
+ }
+ 
++#ifdef HAVE_DNS_SERVESTALE
++static isc_result_t
++setservestalettl(dns_db_t *db, dns_ttl_t ttl) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_setservestalettl(ldapdb->rbtdb, ttl);
++}
++
++static isc_result_t
++getservestalettl(dns_db_t *db, dns_ttl_t *ttl) {
++	ldapdb_t *ldapdb = (ldapdb_t *) db;
++
++	REQUIRE(VALID_LDAPDB(ldapdb));
++
++	return dns_db_getservestalettl(ldapdb->rbtdb, ttl);
++}
++#endif
++
+ static dns_dbmethods_t ldapdb_methods = {
+ 	attach,
+ 	detach,
+@@ -869,6 +889,10 @@ static dns_dbmethods_t ldapdb_methods = {
+ 	hashsize,
+ 	nodefullname,
+ 	NULL, // getsize method not implemented (related BZ1353563)
++#ifdef HAVE_DNS_SERVESTALE
++	setservestalettl,
++	getservestalettl,
++#endif
+ };
+ 
+ isc_result_t ATTR_NONNULLS
+-- 
+2.20.1
+

bind-dyndb-ldap-11.6-bind-9.16.10.patch

@@ -0,0 +1,38 @@
+From 2ddd4bf55e325071566aa1c78e3681c3239895da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 11 Jan 2021 21:39:25 +0100
+Subject: [PATCH] Add compatibility with BIND 9.16.10 API change
+
+One parameter was added to function used internally by plugin. Nothing
+like -nsec3param auto is supported by LDAP plugin. It is safe to set
+resalt false always. Salt can be changed via LDAP, but has to be
+specified manually.
+---
+ src/ldap_helper.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/ldap_helper.c b/src/ldap_helper.c
+index a81a9d228..3b4ae5c67 100644
+--- a/src/ldap_helper.c
++++ b/src/ldap_helper.c
+@@ -1792,10 +1792,17 @@ zone_master_reconfigure_nsec3param(settings_set_t *zone_settings,
+ 			  dns_rdatatype_nsec3param, origin, nsec3p_str,
+ 			  &nsec3p_rdata));
+ 	CHECK(dns_rdata_tostruct(nsec3p_rdata, &nsec3p_rr, NULL));
++#if LIBDNS_VERSION_MAJOR > 1609
++	CHECK(dns_zone_setnsec3param(secure, nsec3p_rr.hash, nsec3p_rr.flags,
++				     nsec3p_rr.iterations,
++				     nsec3p_rr.salt_length, nsec3p_rr.salt,
++				     true, false));
++#else
+ 	CHECK(dns_zone_setnsec3param(secure, nsec3p_rr.hash, nsec3p_rr.flags,
+ 				     nsec3p_rr.iterations,
+ 				     nsec3p_rr.salt_length, nsec3p_rr.salt,
+ 				     true));
++#endif
+ 
+ cleanup:
+ 	if (nsec3p_rdata != NULL) {
+-- 
+2.26.2
+

bind-dyndb-ldap-11.6-bind-9.16.11.patch

@@ -0,0 +1,38 @@
+From f4aec4d37447cc274b90c129ea15a008473ed02d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 21 Jan 2021 17:30:54 +0100
+Subject: [PATCH] Yet another change to support BIND 9.16.11 API change
+
+Another change with another release, new parameter is added again.
+Add another ifdef to keep compatibility with both versions.
+---
+ src/zone.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/zone.c b/src/zone.c
+index d0b71b194..7ce1769b3 100644
+--- a/src/zone.c
++++ b/src/zone.c
+@@ -17,6 +17,7 @@
+ #include <dns/zone.h>
+ 
+ #include "util.h"
++#include "config.h"
+ 
+ /**
+  * Write given diff to zone journal. Journal will be created
+@@ -61,7 +62,11 @@ zone_soaserial_updatetuple(dns_updatemethod_t method, dns_difftuple_t *soa_tuple
+ 	REQUIRE(soa_tuple->rdata.type == dns_rdatatype_soa);
+ 
+ 	serial = dns_soa_getserial(&soa_tuple->rdata);
++#if LIBDNS_VERSION_MAJOR >= 1611
++	serial = dns_update_soaserial(serial, method, NULL);
++#else
+ 	serial = dns_update_soaserial(serial, method);
++#endif
+ 	dns_soa_setserial(serial, &soa_tuple->rdata);
+ 	if (new_serial != NULL)
+ 		*new_serial = serial;
+-- 
+2.26.2
+

bind-dyndb-ldap-11.6-bind-9.16.9.patch

@@ -0,0 +1,30 @@
+From 2a732bb03812878a9cc00d27d6c80f3993520626 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 26 Nov 2020 17:31:21 +0100
+Subject: [PATCH] Support BIND 9.16.9
+
+Two new functions were added to database interface. They are more
+related to caching server and not authoritative. Add just null pointers,
+returning not supporter error if used.
+---
+ src/ldap_driver.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index 2f6574ea5..c524b7cc5 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -959,6 +959,10 @@ static dns_dbmethods_t ldapdb_methods = {
+ 	setservestalettl,
+ 	getservestalettl,
+ #endif
++#if LIBDNS_VERSION_MAJOR >= 1609
++	NULL, /* setservestalerefresh */
++	NULL, /* getservestalerefresh */
++#endif
+ #if LIBDNS_VERSION_MAJOR >= 1600
+ 	NULL, /* setgluecachestats */
+ #endif
+-- 
+2.26.2
+

bind-dyndb-ldap-11.9-bind-9.16.17.patch

@@ -0,0 +1,35 @@
+From d7d3032de7f5d3dd3cffea6064549b63a9ad7d59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Jun 2021 17:57:52 +0200
+Subject: [PATCH] Skip isc_bind9 check on BIND 9.16.17+
+
+Reference variable refvar from dns_dyndbctx_t were removed. Removed was
+also flag requesting different namespace. Skip that check on last stable
+version, it should eval to false on all versions anyway.
+---
+ src/ldap_driver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ldap_driver.c b/src/ldap_driver.c
+index e9f1005ee..5f9e00af1 100644
+--- a/src/ldap_driver.c
++++ b/src/ldap_driver.c
+@@ -1156,6 +1156,7 @@ dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
+ 	RUNTIME_CHECK(isc_once_do(&library_init_once, library_init)
+ 		      == ISC_R_SUCCESS);
+ 
++#if LIBDNS_VERSION_MAJOR < 1617
+ 	/*
+ 	 * Depending on how dlopen() was called, we may not have
+ 	 * access to named's global namespace, in which case we need
+@@ -1168,6 +1169,7 @@ dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
+ 		isc_hash_set_initializer(dctx->hashinit);
+ 		log_debug(5, "registering library from dynamic ldap driver, %p != %p.", dctx->refvar, &isc_bind9);
+ 	}
++#endif
+ 
+ 	log_debug(2, "registering dynamic ldap driver for %s.", name);
+ 
+-- 
+2.31.1
+

bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch

@@ -0,0 +1,24 @@
+diff --git a/src/mldap.c b/src/mldap.c
+index 92a330c..79efddb 100644
+--- a/src/mldap.c
++++ b/src/mldap.c
+@@ -50,18 +50,7 @@
+ static unsigned char uuid_rootname_ndata[]
+ 	= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
+ static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
+-static dns_name_t uuid_rootname =
+-{
+-	DNS_NAME_MAGIC,
+-	uuid_rootname_ndata,
+-	sizeof(uuid_rootname_ndata),
+-	sizeof(uuid_rootname_offsets),
+-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+-	uuid_rootname_offsets,
+-	NULL,
+-	{ (void *)-1, (void *)-1 },
+-	{ NULL, NULL }
+-};
++static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets);
+ 
+ struct mldapdb {
+ 	isc_mem_t	*mctx;

bind-dyndb-ldap.spec

@@ -1,39 +1,49 @@
+
 %define VERSION %{version}
 
-%define bind_version 32:9.11.26-1
+%define bind_version 32:9.16.23-19
 
-%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
+%if 0%{?fedora} >= 31 || 0%{?rhel} > 8
-    %global openssl_pkcs11_version 0.4.10-2
+    %global openssl_pkcs11_version 0.4.10-6
-    %global softhsm_version 2.6.0
+    %global softhsm_version 2.5.0-4
 %else
     %global with_bind_pkcs11 1
 %endif
 
 Name:           bind-dyndb-ldap
-Version:        11.6
+Version:        11.9
-Release:        4%{?dist}
+Release:        11%{?dist}
 Summary:        LDAP back-end plug-in for BIND
 
-Group:          System Environment/Libraries
 License:        GPLv2+
 URL:            https://releases.pagure.org/bind-dyndb-ldap
 Source0:        https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
 Source1:        https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
 
-Patch0001:      0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2133036.patch
+Patch1:         bind-dyndb-ldap-11.9-bind-9.16.17.patch
-Patch0002:      0002-add-rwlock-before-include-zt-h.patch
+Patch2:         0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/229
+Patch3:         https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
+# https://pagure.io/bind-dyndb-ldap/pull-request/235
+Patch4:         bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
 
-BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}, bind-pkcs11-devel >= %{bind_version}
+BuildRequires:  bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  automake, autoconf, libtool
 
 %if %{with bind_pkcs11}
-Requires:       bind-pkcs11 >= %{bind_version}, bind-pkcs11-utils >= %{bind_version}
+BuildRequires:  bind-pkcs11-devel >= %{bind_version}
+BuildRequires: make
+Requires(pre): bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
 %else
 Requires: softhsm >= %{softhsm_version}
 Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+Requires(pre): bind >= %{bind_version}
+Requires: bind >= %{bind_version}
 %endif
 
 %description
@@ -43,21 +53,17 @@ off of your LDAP server.
 
 
 %prep
-%setup -q -n %{name}-%{VERSION}
+%autosetup -n %{name}-%{VERSION} -p1
-
-for p in %patches; do
-    %__patch -p1 -i $p
-done
 
 %build
 autoreconf -fiv
+export BIND9_CFLAGS='-I /usr/include/bind9 -DHAVE_TLS -DHAVE_THREAD_LOCAL'
 %configure
-make %{?_smp_mflags}
+%make_build
 
 
 %install
-rm -rf %{buildroot}
+%make_install
-make install DESTDIR=%{buildroot}
 mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
 
 # Remove unwanted files
@@ -66,6 +72,8 @@ rm -r %{buildroot}%{_datadir}/doc/%{name}
 
 
 %post
+[ -f /etc/named.conf ] || exit 0
+
 # Transform named.conf if it still has old-style API.
 PLATFORM=$(uname -m)
 
@@ -107,64 +115,147 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
 
 
 %files
-%defattr(-,root,root,-)
 %doc NEWS README.md COPYING doc/{example,schema}.ldif
 %dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
 %{_libdir}/bind/ldap.so
 
 
 %changelog
-* Thu Oct 13 2022 Rafael Jeffman <rjeffman@redhat.com> - 11.6-4
+* Fri Sep 06 2024 Petr Menšík <pemensik@redhat.com> - 11.9-11
+- Bump version above RHEL 9.5
+
+* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 11.9-10
+- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
+
+* Thu Feb 22 2024 Petr Menšík <pemensik@redhat.com> - 11.9-9
+- Rebuild required for BIND changes for KeyTrap change (CVE-2023-50387)
+
+* Wed Oct 19 2022 Rafael Jeffman <rjeffman<redhat.com> - 11.9-8
 - Modify empty zone conflicts under exclusive mode
-  Resolves: rhbz#2126877
+  Resolves: rhbz#2129844, rhbz#2130614
 
-* Wed Dec 22 2021 Alexander Bokovoy <abokovoy@redhat.com> - 11.6-3
+* Fri Nov 26 2021 Petr Menšík <pemensik@redhat.com> - 11.9-7
-- Rebuild against bind 9.11.36
+- Rebuilt for BIND 9.16.23 (#2019575)
-- Resolves: rhbz#2022762
 
-* Thu Jan 07 2021 Rob Crittenden <rcritten@redhat.com> - 11.6-2
+* Wed Aug 25 2021 Petr Menšík <pemensik@redhat.com> - 11.9-6
-- Rebuild against bind 9.11.26
+- Rebuilt for BIND 9.16.20 with correct target
-- Resolves: rhbz#1904612
+
+* Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 11.9-5
+- Rebuilt for BIND 9.16.20
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 11.9-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 22 2021 Petr Menšík <pemensik@redhat.com> - 11.9-3
+- Rebuilt for BIND 9.16.19 (#1960273)
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 11.9-2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Tue May 25 2021 Alexander Bokovoy <abokovoy@redhat.com> - 11.9-1
+- Upstream release 11.9
+- Rebuilt for BIND 9.16.15+
+- Resolves: rhbz#1960273
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 11.7-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Feb 24 2021 Alexander Bokovoy <abokovoy@redhat.com> - 11.7-1
+- Upstream release 11.7
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 11.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Petr Menšík <pemensik@redhat.com> - 11.6-6
+- Rebuilt for BIND 9.16.11
+
+* Fri Jan 15 2021 Petr Menšík <pemensik@redhat.com> - 11.6-5
+- Rebuilt for BIND 9.16.10
+
+* Tue Jan 12 2021 Petr Menšík <pemensik@redhat.com> - 11.6-4
+- Support BIND 9.16.10
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu Dec 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.6-3
+- Both require bind and require it for pre-install script
+- Resolves: rhbz#1902811
+
+* Thu Dec 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.6-2
+- Fix requires to bind: require bind installed before bind-dyndb-ldap
+  as we depend on named group
 
 * Mon Nov 23 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.6-1
-- New upstream release
+- Upstream release 11.6
-- Resolves: rhbz#1891735
+- Use reference counting semantics in destructors according to BIND version
+
+* Wed Nov 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.5-1
+- Upstream release 11.5
+- Use OpenSSL pkcs11 engine in BIND instead of native PKCS11
+
+* Fri Oct 23 2020 Petr Menšík <pemensik@redhat.com> - 11.3-5
+- Rebuilt for bind 9.11.24
+
+* Fri Aug 21 2020 Petr Menšík <pemensik@redhat.com> - 11.3-4
+- Rebuilt for bind 9.11.22
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 11.3-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 11.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
 * Mon Jun 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.3-1
-- New upstream release
+- Upstream release 11.3
-- Resolves: rhbz#1845211
 
-* Mon May 11 2020 Alexander Bokovoy <abokovoy@redhat.com> - 11.2-4
+* Tue Mar 31 2020 Petr Menšík <pemensik@redhat.com> - 11.2-5
-- Rebuild against bind 9.11.18
+- Rebuilt for bind 9.11.17
-  Resolves: rhbz#1834264
 
-* Wed Nov 27 2019 Alexander Bokovoy <abokovoy@redhat.com> - 11.2-3
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 11.2-4
-- Rebuild against bind 9.11.13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-  Related: RHBZ#1762813
 
-* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 11.2-2
+* Mon Nov 25 2019 Petr Menšík <pemensik@redhat.com> - 11.2-3
+- Rebuilt for bind 9.11.13
+
+* Mon Nov 11 2019 Petr Menšík <pemensik@redhat.com> - 11.2-2
 - Add support for serve-stale, detected on build time
-  Patch by Petr Menšík <pemensik@redhat.com>
-  Related: RHBZ#1762813
 
-* Thu Nov 07 2019 Alexander Bokovoy <abokovoy@redhat.com> - 11.2-1
+* Tue Nov 05 2019 Alexander Bokovoy <abokovoy@redhat.com> - 11.2-1
-- New upstream release
+- New upstream release v11.2
-- Support BIND9 9.11.11
-- Resolves: rhbz#1762813
 
-* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 11.1-14
+* Tue Aug 27 2019 Petr Menšík <pemensik@redhat.com> - 11.1-20
+- Rebuilt for bind 9.11.10
+
+* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 11.1-19
 - Fix attribute templating in case of a missing default value
-- Resolves: rhbz#1741896
+- Resolves: rhbz#1705072
 
-* Mon Oct 15 2018 Petr Menšík <pemensik@redhat.com> - 11.1-13
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11.1-18
-- Move setting of named selinux boolean to bind (#1639410)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Wed Aug 08 2018 Alexander Bokovoy <abokovoy@redhat.com> - 11.1-12
+* Wed Jul 17 2019 Petr Menšík <pemensik@redhat.com> - 11.1-17
-- Make sure we explicitly require openssl-devel for a build
+- Rebuilt for bind 9.11.8
-- Resolves: rhbz#1613942
 
-* Mon Jul 23 2018 Petr Menšík <pemensik@redhat.com> - 11.1-11
+* Tue Jun 11 2019 Petr Menšík <pemensik@redhat.com> - 11.1-16
-- Rebuild against BIND 9.11.4
+- Rebuilt for bind 9.11.7
+
+* Fri May 03 2019 Petr Menšík <pemensik@redhat.com> - 11.1-15
+- Rebuilt for bind 9.11.6
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11.1-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Nov 05 2018 Petr Menšík <pemensik@redhat.com> - 11.1-13
+- Support for bind 9.11.5 headers
+
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 11.1-12
+- Require bind with writable home, update to 9.11.4
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 11.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Thu Mar 01 2018 Petr Menšík <pemensik@redhat.com> - 11.1-10
 - Rebuild for bind 9.11.3. Minor tweaks to compile.

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

remove_duplicate_const.patch

@@ -0,0 +1,25 @@
+From 3a4ad363879da129669dbb5ed10f6b0a1b7778af Mon Sep 17 00:00:00 2001
+From: Tomas Krizek <tkrizek@redhat.com>
+Date: Thu, 9 Feb 2017 17:52:59 +0100
+Subject: [PATCH] Remove duplicate const declaration specifier
+
+---
+ src/ldap_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ldap_helper.c b/src/ldap_helper.c
+index 5de9f69f6957fd838f7f7a73dd755db98b0ee8d5..1fa0ec9adfa2b9ca589587244da03cc6f0584919 100644
+--- a/src/ldap_helper.c
++++ b/src/ldap_helper.c
+@@ -2349,7 +2349,7 @@ free_rdatalist(isc_mem_t *mctx, dns_rdatalist_t *rdlist)
+  * @retval  others         Unexpected errors.
+  */
+ static isc_result_t ATTR_NONNULLS ATTR_CHECKRESULT
+-ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t const * set,
++ldap_substitute_rr_template(isc_mem_t *mctx, const settings_set_t * set,
+ 			    ld_string_t *orig_val, ld_string_t **output) {
+ 	isc_result_t result;
+ 	regex_t regex;
+-- 
+2.9.3
+

sources

@@ -0,0 +1,2 @@
+SHA512 (bind-dyndb-ldap-11.9.tar.bz2) = e8887c450375c2cda062bc6f08eee6505a784dc4f49ba69ba2f46d8d3e1ff3b94adabbcb3ffb978b3b138829d26bfde47d32f35707ca9ecbd0480b59a0e0d964
+SHA512 (bind-dyndb-ldap-11.9.tar.bz2.asc) = ad379cbfd868117c79d9c900abc9f510007c95cac45c42e8b1b0656f060f60cba5b9fe40ce7a44a106f7442fe6892ffb4809e0c4c059f07a1f9fbadb5731f554