import bind-9.11.36-3.el8_6.3

SOURCES/bind-9.11-CVE-2021-25220.patch

@@ -1,254 +0,0 @@
-From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 1 Mar 2022 09:48:05 +1100
-Subject: [PATCH] Add additional name checks when using a forwarder
-
-When using a forwarder, check that the owner name of response
-records are within the bailiwick of the forwarded name space.
-
-(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
-
-Check that the forward declaration is unchanged and not overridden
-
-If we are using a fowarder, in addition to checking that names to
-be cached are subdomains of the forwarded namespace, we must also
-check that there are no subsidiary forwarded namespaces which would
-take precedence. To be safe, we don't cache any responses if the
-forwarding configuration has changed since the query was sent.
-
-(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
-
-Check cached names for possible "forward only" clause
-
-When caching additional and glue data *not* from a forwarder, we must
-check that there is no "forward only" clause covering the owner name
-that would take precedence.  Such names would normally be allowed by
-baliwick rules, but a "forward only" zone introduces a new baliwick
-scope.
-
-(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
-
-Look for zones deeper than the current domain or forward name
-
-When caching glue, we need to ensure that there is no closer
-source of truth for the name. If the owner name for the glue
-record would be answered by a locally configured zone, do not
-cache.
-
-(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
-
-Avoid use of compound literals
-
-Compound literals are not used in BIND 9.11, in order to ensure backward
-compatibility with ancient compilers.  Rework the relevant parts of the
-BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
-are not used.
-
-(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
----
- lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 125 insertions(+), 5 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index c912f3aea8..2c68973899 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -63,6 +63,7 @@
- #include <dns/stats.h>
- #include <dns/tsig.h>
- #include <dns/validator.h>
-+#include <dns/zone.h>
- 
- #ifdef WANT_QUERYTRACE
- #define RTRACE(m)       isc_log_write(dns_lctx, \
-@@ -312,6 +313,8 @@ struct fetchctx {
- 	bool			ns_ttl_ok;
- 	uint32_t			ns_ttl;
- 	isc_counter_t *			qc;
-+	dns_fixedname_t			fwdfname;
-+	dns_name_t			*fwdname;
- 
- 	/*%
- 	 * The number of events we're waiting for.
-@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- 		if (result == ISC_R_SUCCESS) {
- 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
- 			fctx->fwdpolicy = forwarders->fwdpolicy;
-+			dns_name_copy(domain, fctx->fwdname, NULL);
- 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
- 			    isstrictsubdomain(domain, &fctx->domain)) {
- 				fcount_decr(fctx);
-@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
- 	fctx->restarts = 0;
- 	fctx->querysent = 0;
- 	fctx->referrals = 0;
-+
-+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
-+
- 	TIME_NOW(&fctx->start);
- 	fctx->timeouts = 0;
- 	fctx->lamecount = 0;
-@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
- 		domain = dns_fixedname_initname(&fixed);
- 		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
- 					    domain, &forwarders);
--		if (result == ISC_R_SUCCESS)
-+		if (result == ISC_R_SUCCESS) {
- 			fctx->fwdpolicy = forwarders->fwdpolicy;
-+			dns_name_copy(domain, fctx->fwdname, NULL);
-+		}
- 
- 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
- 			/*
-@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
- 		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
- }
- 
-+/*
-+ * Returns true if 'name' is external to the namespace for which
-+ * the server being queried can answer, either because it's not a
-+ * subdomain or because it's below a forward declaration or a
-+ * locally served zone.
-+ */
-+static inline bool
-+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
-+	isc_result_t result;
-+	dns_forwarders_t *forwarders = NULL;
-+	dns_fixedname_t fixed, zfixed;
-+	dns_name_t *fname = dns_fixedname_initname(&fixed);
-+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
-+	dns_name_t *apex = NULL;
-+	dns_name_t suffix;
-+	dns_zone_t *zone = NULL;
-+	unsigned int labels;
-+	dns_namereln_t rel;
-+	/*
-+	 * The following two variables do not influence code flow; they are
-+	 * only necessary for calling dns_name_fullcompare().
-+	 */
-+	int _orderp = 0;
-+	unsigned int _nlabelsp = 0;
-+
-+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
-+
-+	/*
-+	 * The name is outside the queried namespace.
-+	 */
-+	rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
-+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
-+		return (true);
-+	}
-+
-+	/*
-+	 * If the record lives in the parent zone, adjust the name so we
-+	 * look for the correct zone or forward clause.
-+	 */
-+	labels = dns_name_countlabels(name);
-+	if (dns_rdatatype_atparent(type) && labels > 1U) {
-+		dns_name_init(&suffix, NULL);
-+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
-+		name = &suffix;
-+	} else if (rel == dns_namereln_equal) {
-+		/* If 'name' is 'apex', no further checking is needed. */
-+		return (false);
-+	}
-+
-+	/*
-+	 * If there is a locally served zone between 'apex' and 'name'
-+	 * then don't cache.
-+	 */
-+	LOCK(&fctx->res->view->lock);
-+	if (fctx->res->view->zonetable != NULL) {
-+		unsigned int options = DNS_ZTFIND_NOEXACT;
-+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
-+				     zfname, &zone);
-+		if (zone != NULL) {
-+			dns_zone_detach(&zone);
-+		}
-+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-+			if (dns_name_fullcompare(zfname, apex, &_orderp,
-+						 &_nlabelsp) ==
-+			    dns_namereln_subdomain)
-+			{
-+				UNLOCK(&fctx->res->view->lock);
-+				return (true);
-+			}
-+		}
-+	}
-+	UNLOCK(&fctx->res->view->lock);
-+
-+	/*
-+	 * Look for a forward declaration below 'name'.
-+	 */
-+	result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
-+				    &forwarders);
-+
-+	if (ISFORWARDER(fctx->addrinfo)) {
-+		/*
-+		 * See if the forwarder declaration is better.
-+		 */
-+		if (result == ISC_R_SUCCESS) {
-+			return (!dns_name_equal(fname, fctx->fwdname));
-+		}
-+
-+		/*
-+		 * If the lookup failed, the configuration must have
-+		 * changed: play it safe and don't cache.
-+		 */
-+		return (true);
-+	} else if (result == ISC_R_SUCCESS &&
-+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
-+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
-+	{
-+		/*
-+		 * If 'name' is covered by a 'forward only' clause then we
-+		 * can't cache this repsonse.
-+		 */
-+		return (true);
-+	}
-+
-+	return (false);
-+}
-+
- static isc_result_t
- check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
- 	      dns_section_t section)
-@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
- 	result = dns_message_findname(rmessage, section, addname,
- 				      dns_rdatatype_any, 0, &name, NULL);
- 	if (result == ISC_R_SUCCESS) {
--		external = !dns_name_issubdomain(name, &fctx->domain);
-+		external = name_external(name, type, fctx);
- 		if (type == dns_rdatatype_a) {
- 			for (rdataset = ISC_LIST_HEAD(name->list);
- 			     rdataset != NULL;
-@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
- 			break;
- 
- 		case dns_namereln_subdomain:
-+			/*
-+			 * Don't accept DNAME from parent namespace.
-+			 */
-+			if (name_external(name, dns_rdatatype_dname, fctx)) {
-+				continue;
-+			}
-+
- 			/*
- 			 * In-scope DNAME records must have at least
- 			 * as many labels as the domain being queried.
-@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
- 	 */
- 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- 	while (!done && result == ISC_R_SUCCESS) {
--		bool external;
- 		name = NULL;
- 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
--		external = !dns_name_issubdomain(name, &fctx->domain);
--		if (!external) {
-+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
- 			/*
- 			 * We expect to find NS or SIG NS rdatasets, and
- 			 * nothing else.
--- 
-2.34.1
-

SOURCES/bind-9.11-rh2101712.patch

@@ -0,0 +1,232 @@
+From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 24 Aug 2022 12:21:50 +1000
+Subject: [PATCH] Have dns_zt_apply lock the zone table
+
+There where a number of places where the zone table should have
+been locked, but wasn't, when dns_zt_apply was called.
+
+Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
+all calls to using it.  Removed locks in callers.
+
+Modified upstream commit for v9_11
+---
+ bin/named/server.c       | 11 ++++++-----
+ bin/named/statschannel.c |  8 ++++----
+ lib/dns/include/dns/zt.h |  4 ++--
+ lib/dns/tests/zt_test.c  |  3 ++-
+ lib/dns/view.c           |  3 ++-
+ lib/dns/zt.c             | 34 +++++++++++++++++++---------------
+ 6 files changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 9826588e6d..0b4b309461 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
+ 		    strcmp(view->name, "_bind") != 0)
+ 		{
+ 			dns_view_setviewrevert(view);
+-			(void)dns_zt_apply(view->zonetable, false,
+-					   removed, view);
++			(void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++					   false, removed, view);
+ 		}
+ 		dns_view_detach(&view);
+ 	}
+@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ 	ISC_LIST_INIT(vle->zonelist);
+ 	ISC_LIST_APPEND(dctx->viewlist, vle, link);
+ 	if (dctx->dumpzones)
+-		result = dns_zt_apply(view->zonetable, true,
+-				      add_zone_tolist, dctx);
++		result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++				      true, add_zone_tolist, dctx);
+ 	return (result);
+ }
+ 
+@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+ 		for (view = ISC_LIST_HEAD(server->viewlist);
+ 		     view != NULL;
+ 		     view = ISC_LIST_NEXT(view, link)) {
+-			result = dns_zt_apply(view->zonetable, false,
++			result = dns_zt_apply(view->zonetable,
++					      isc_rwlocktype_none, false,
+ 					      synczone, &cleanup);
+ 			if (result != ISC_R_SUCCESS &&
+ 			    tresult == ISC_R_SUCCESS)
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 12ab048469..9828df0f4e 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
+ 		if ((flags & STATS_XML_ZONES) != 0) {
+ 			TRY0(xmlTextWriterStartElement(writer,
+ 						       ISC_XMLCHAR "zones"));
+-			result = dns_zt_apply(view->zonetable, true,
+-					      zone_xmlrender, writer);
++			result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++					      true, zone_xmlrender, writer);
+ 			if (result != ISC_R_SUCCESS)
+ 				goto error;
+ 			TRY0(xmlTextWriterEndElement(writer)); /* /zones */
+@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
+ 			CHECKMEM(za);
+ 
+ 			if ((flags & STATS_JSON_ZONES) != 0) {
+-				result = dns_zt_apply(view->zonetable, true,
+-						      zone_jsonrender, za);
++				result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++						      true, zone_jsonrender, za);
+ 				if (result != ISC_R_SUCCESS) {
+ 					goto error;
+ 				}
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index e658e5bb67..94212250da 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
+  */
+ 
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ 
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ /*%<
+  * Apply a given 'action' to all zone zones in the table.
+diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
+index 3f1e812d60..ee75303a50 100644
+--- a/lib/dns/tests/zt_test.c
++++ b/lib/dns/tests/zt_test.c
+@@ -145,7 +145,8 @@ apply(void **state) {
+ 	assert_non_null(view->zonetable);
+ 
+ 	assert_int_equal(nzones, 0);
+-	result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
++	result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++			      count_zone, &nzones);
+ 	assert_int_equal(result, ISC_R_SUCCESS);
+ 	assert_int_equal(nzones, 1);
+ 
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index f01b4dea0f..bd1ced2863 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
+ 	REQUIRE(DNS_VIEW_VALID(view));
+ 	REQUIRE(view->zonetable != NULL);
+ 
+-	(void)dns_zt_apply(view->zonetable, false, dialup, NULL);
++	(void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++			   dialup, NULL);
+ }
+ 
+ void
+diff --git a/lib/dns/zt.c b/lib/dns/zt.c
+index 3f12e247e0..af65740325 100644
+--- a/lib/dns/zt.c
++++ b/lib/dns/zt.c
+@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
+ static void
+ zt_destroy(dns_zt_t *zt) {
+ 	if (zt->flush) {
+-		(void)dns_zt_apply(zt, false, flush, NULL);
++		(void)dns_zt_apply(zt, isc_rwlocktype_none,
++				   false, flush, NULL);
+ 	}
+ 	isc_refcount_destroy(&zt->references);
+ 	dns_rbt_destroy(&zt->table);
+@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply(zt, stop, load, NULL);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
+ 	return (result);
+ }
+ 
+@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+ 	 * Prevent loads_pending going to zero while kicking off the loads.
+ 	 */
+ 	zt->loads_pending++;
+-	result = dns_zt_apply2(zt, false, NULL, asyncload, &params);
++	result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, &params);
+ 	pending = --zt->loads_pending;
+ 	if (pending != 0) {
+ 		zt->loaddone = alldone;
+@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply(zt, stop, loadnew, NULL);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
+ 	return (result);
+ }
+ 
+@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
+ 	if (tresult == ISC_R_NOTFOUND)
+ 		tresult = ISC_R_SUCCESS;
+ 	return ((result == ISC_R_SUCCESS) ? tresult : result);
+@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
+ }
+ 
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+-	return (dns_zt_apply2(zt, stop, NULL, action, uap));
++	return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
+ }
+ 
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+ 	dns_rbtnode_t *node;
+@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+ 	REQUIRE(VALID_ZT(zt));
+ 	REQUIRE(action != NULL);
+ 
++	if (lock != isc_rwlocktype_none) {
++		RWLOCK(&zt->rwlock, lock);
++	}
++
+ 	dns_rbtnodechain_init(&chain, zt->mctx);
+ 	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+ 	if (result == ISC_R_NOTFOUND) {
+@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+ 
+  cleanup:
+ 	dns_rbtnodechain_invalidate(&chain);
+-	if (sub != NULL)
++	if (sub != NULL) {
+ 		*sub = tresult;
++	}
++
++	if (lock != isc_rwlocktype_none) {
++		RWUNLOCK(&zt->rwlock, lock);
++	}
+ 
+ 	return (result);
+ }
+-- 
+2.37.2
+

SOURCES/bind-9.11-rh2133889.patch

@@ -0,0 +1,26 @@
+From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 13 Oct 2022 15:35:46 +0200
+Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
+
+It got broken as part of bug #2101712 fix. Introduced new definition,
+which passes during bind build, but breaks bind-dyndb-ldap build.
+---
+ lib/dns/include/dns/zt.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 9421225..64c24d6 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -18,6 +18,7 @@
+ #include <stdbool.h>
+ 
+ #include <isc/lang.h>
++#include <isc/rwlock.h>
+ 
+ #include <dns/types.h>
+ 
+-- 
+2.37.3
+

SPECS/bind.spec

@@ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.36
-Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -158,10 +158,11 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch
 Patch183:bind-9.11-rh1980757.patch
 # modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
 Patch184: bind-9.15-resolver-ntasks.patch
-Patch185: bind-9.11-CVE-2021-25220.patch
-Patch186: bind-9.11-CVE-2021-25220-test.patch
 Patch188: bind-9.16-CVE-2022-38177.patch
 Patch189: bind-9.16-CVE-2022-38178.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
+Patch190: bind-9.11-rh2101712.patch
+Patch192: bind-9.11-rh2133889.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -557,10 +558,10 @@ are used for building ISC DHCP.
 %patch178 -p1 -b .time-monotonic
 %patch183 -p1 -b .rh1980757
 %patch184 -p1 -b .rh2030239
-%patch185 -p1 -b .CVE-2021-25220
-%patch186 -p1 -b .CVE-2021-25220-test
 %patch188 -p1 -b .CVE-2022-38177
 %patch189 -p1 -b .CVE-2022-38178
+%patch190 -p1 -b .rh2101712
+%patch192 -p1 -b .rh2133889
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1613,15 +1614,17 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
-* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
+* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.3
+- Correct regression preventing bind-dyndb-ldap build (#2101712)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.2
+- Prevent freeing zone during statistics rendering (#2101712)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.1
 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)
 - Fix memory leak in EdDSA verify processing (CVE-2022-38178)
 
-* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
-- Tighten cache protection against record from forwarders (CVE-2021-25220)
-- Include test of forwarders
-
-* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
+* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3
 - Reduce memory used per-view on machine with few processors (#2030239)
 
 * Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2