From 7fe31e189255cf58dcbdad511d1573419013b93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 20 May 2020 13:25:26 +0200
Subject: [PATCH] Update to 9.16.3

Changes some solib versions and fixes two important CVEs: CVE-2020-8616 CVE-2020-8617
---
 bind-9.11-tests-pkcs11.patch | 39 -----------------------------------
 bind-9.14-config-pkcs11.patch | 9 ++++----
 bind.spec | 17 ++++++++-------
 3 files changed, 14 insertions(+), 51 deletions(-)
 delete mode 100644 bind-9.11-tests-pkcs11.patch

diff --git a/bind-9.11-tests-pkcs11.patch b/bind-9.11-tests-pkcs11.patch
deleted file mode 100644
index cdba1b0..0000000
--- a/bind-9.11-tests-pkcs11.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 84fc64b556d5b5145eb7831393b856a26a818dc1 Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Fri, 1 Mar 2019 15:55:46 +0100
-Subject: [PATCH] Detect correctly pkcs11 support
-
-It fails now always, because oot builds are not supported by
-cleanpkcs11.sh.
----
- bin/tests/system/cleanpkcs11.sh | 2 +-
- bin/tests/system/conf.sh.in | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
-index b974708..3bbef4c 100644
---- a/bin/tests/system/cleanpkcs11.sh
-+++ b/bin/tests/system/cleanpkcs11.sh
-@@ -12,6 +12,6 @@
- SYSTEMTESTTOP=.
- . $SYSTEMTESTTOP/conf.sh
-
--if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
-+if [ ! -x "$PK11DESTROY" ]; then exit 1; fi
-
- $PK11DEL -w0 > /dev/null 2>&1
-diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
-index e7831d8..aa2d841 100644
---- a/bin/tests/system/conf.sh.in
-+++ b/bin/tests/system/conf.sh.in
-@@ -52,6 +52,7 @@ NSLOOKUP=$TOP/bin/dig/nslookup
- NSUPDATE=$TOP/bin/nsupdate/nsupdate
- NZD2NZF=$TOP/bin/tools/named-nzd2nzf
- PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
-+PK11DESTROY=$TOP/bin/pkcs11/pkcs11-destroy
- PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
- PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
- RESOLVE=$TOP/lib/samples/resolve
---
-2.20.1
-
diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch
index a71d772..bfc6e45 100644
--- a/bind-9.14-config-pkcs11.patch
+++ b/bind-9.14-config-pkcs11.patch
@@ -1,4 +1,4 @@
-From 2d8abd838870b58629ce55df411b6ba1b2c7288f Mon Sep 17 00:00:00 2001
+From 124c9e4c0500e7589ee63376e8f860f4abc675f2 Mon Sep 17 00:00:00 2001
 From: Petr Mensik
 Date: Fri, 18 Oct 2019 21:30:52 +0200
 Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
@@ -26,15 +26,16 @@ index 1f5165a..ef3e70c 100644
 ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
 diff --git a/configure.ac b/configure.ac
-index c69bc37..de6a248 100644
+index fde41dc..e5cc3cd 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -883,9 +883,13 @@ AS_CASE([$enable_native_pkcs11],
+@@ -889,10 +889,14 @@ AS_CASE([$enable_native_pkcs11],
 AC_SUBST([PKCS11_TEST])
 AC_SUBST([PKCS11_TOOLS])
 +USE_PKCS11='-DUSE_PKCS11=0'
 +USE_OPENSSL='-DUSE_OPENSSL=0'
+ AC_SUBST([CRYPTO])
 AS_CASE([$CRYPTO],
 - [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
 - [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
@@ -46,7 +47,7 @@ index c69bc37..de6a248 100644
 # preparation for automake
 # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
 diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
-index bce2a9f..ef9d045 100644
+index 116e2d2..99bdf5b 100644
 --- a/lib/dns/dst_internal.h
 +++ b/lib/dns/dst_internal.h
 @@ -38,6 +38,13 @@
diff --git a/bind.spec b/bind.spec
index 0161355..48f91e8 100644
--- a/bind.spec
+++ b/bind.spec
@@ -53,18 +53,18 @@
 # no more isc-config.sh and bind9-config
 # lib*.so.X versions of selected libraries
-%global sover_dns 1602
-%global sover_isc 1602
-%global sover_irs 1600
+%global sover_dns 1603
+%global sover_isc 1603
+%global sover_irs 1601
 %global sover_isccfg 1600
-%global sover_ns 1602
+%global sover_ns 1603
 Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name: bind
 License: MPLv2.0
-Version: 9.16.2
-Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version: 9.16.3
+Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -121,7 +121,6 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
 Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
-Patch172:bind-9.11-tests-pkcs11.patch
 Requires(post): systemd
 Requires(preun): systemd
@@ -435,7 +434,6 @@ This package provides a module which allows commands to be sent to rndc directly
 %patch164 -p1 -b .rh1666814
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
-%patch172 -p1 -b .test-pkcs11
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1159,6 +1157,9 @@ fi;
 %changelog
+* Wed May 20 2020 Petr Menšík - 32:9.16.3-1
+- Update to 9.16.3
+
 * Mon Apr 27 2020 Petr Menšík - 32:9.16.2-4
 - Enable PKCS#11 builds again