Update to 9.18.8 (#2136100)

https://downloads.isc.org/isc/bind9/9.18.8/doc/arm/html/notes.html#notes-for-bind-9-18-8
2022-10-22 20:16:47 +02:00 · 2022-10-22 20:16:47 +02:00 · 99fd53a106
commit 99fd53a106
parent e6424d1a09
8 changed files with 24 additions and 1920 deletions
--- a/.gitignore
+++ b/.gitignore
@ -192,3 +192,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.18.6.tar.xz.asc
 /bind-9.18.7.tar.xz
 /bind-9.18.7.tar.xz.asc
+/bind-9.18.8.tar.xz
+/bind-9.18.8.tar.xz.asc
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,4 +1,4 @@
-From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001
+From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@ -428,10 +428,10 @@ index 364f94b..9518f82 100644
 };
 
 diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
-index bbffe07..80da0fe 100644
+index 01a13cf..3711c63 100644
 --- a/bin/tests/system/allow-query/tests.sh
 +++ b/bin/tests/system/allow-query/tests.sh
-@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
+@@ -201,7 +201,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: key allowed - query allowed"
 ret=0
@ -440,7 +440,7 @@ index bbffe07..80da0fe 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
+@@ -214,7 +214,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: key not allowed - query refused"
 ret=0
@ -449,7 +449,7 @@ index bbffe07..80da0fe 100644
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
+@@ -228,7 +228,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: key disallowed - query refused"
 ret=0
@ -458,7 +458,7 @@ index bbffe07..80da0fe 100644
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
+@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: views key allowed - query allowed"
 ret=0
@ -467,7 +467,7 @@ index bbffe07..80da0fe 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
+@@ -380,7 +380,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: views key not allowed - query refused"
 ret=0
@ -476,7 +476,7 @@ index bbffe07..80da0fe 100644
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
+@@ -394,7 +394,7 @@ rndc_reload ns2 10.53.0.2
 
 echo_i "test $n: views key disallowed - query refused"
 ret=0
@ -485,7 +485,7 @@ index bbffe07..80da0fe 100644
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -533,7 +533,7 @@ status=`expr $status + $ret`
+@@ -534,7 +534,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key allowed - query allowed"
 ret=0
@ -494,7 +494,7 @@ index bbffe07..80da0fe 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -543,7 +543,7 @@ status=`expr $status + $ret`
+@@ -544,7 +544,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key not allowed - query refused"
 ret=0
@ -503,7 +503,7 @@ index bbffe07..80da0fe 100644
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -554,7 +554,7 @@ status=`expr $status + $ret`
+@@ -555,7 +555,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key disallowed - query refused"
 ret=0
@ -513,16 +513,18 @@ index bbffe07..80da0fe 100644
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
-index 1421281..424afb8 100644
+index 3a8e401..82e720d 100644
 --- a/bin/tests/system/catz/ns1/named.conf.in
 +++ b/bin/tests/system/catz/ns1/named.conf.in
-@@ -122,5 +122,5 @@ view "ch" ch {
+@@ -122,7 +122,7 @@ view "ch" ch {
 
 key tsig_key. {
 	secret "LSAnCU+Z";
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 };
+ 
+ key next_key. {
 diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
 index 4af25b0..9f202d5 100644
 --- a/bin/tests/system/checkconf/bad-tsig.conf
--- a/bind-9.18-doc-arm-rhel9.patch
+++ b/bind-9.18-doc-arm-rhel9.patch
@ -1,46 +0,0 @@
-diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
-index 0d72000..f4810ae 100644
--- a/doc/arm/dnssec.inc.rst
-+++ b/doc/arm/dnssec.inc.rst
-@@ -282,7 +282,7 @@ NSEC3
- 
- To sign using :ref:`NSEC3 <advanced_discussions_nsec3>` instead of :ref:`NSEC
- <advanced_discussions_nsec>`, add an NSEC3PARAM record to the initial update
-request. The :term:`OPTOUT <opt-out>` bit in the NSEC3
-+request. The :term:`OPTOUT <Opt-out>` bit in the NSEC3
- chain can be set in the flags field of the
- NSEC3PARAM record.
- 
-diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
-index ef6c1c7..b59b0ac 100644
--- a/doc/arm/reference.rst
-+++ b/doc/arm/reference.rst
-@@ -35,7 +35,7 @@ The file :file:`named.conf` may contain three types of entities:
- 
-    Block
-       :ref:`Blocks <configuration_blocks>` are containers for :term:`statements
-      <statement>` which either have common functionality - for example,
-+      <Statement>` which either have common functionality - for example,
-       the definition of a cryptographic key in a :namedconf:ref:`key` block - or which
-       define the scope of the statement - for example, a statement which appears
-       in a :namedconf:ref:`zone` block has scope only for that zone.
-@@ -68,7 +68,7 @@ The file :file:`named.conf` may contain three types of entities:
-         more argument/value pairs. The :any:`also-notify` statement may take a number
-         of such argument/value pairs, such as ``also-notify port 5353;``,
-         where ``port`` is the argument and ``5353`` is the corresponding value.
-      - Statements can appear in a single :term:`block` - for
-+      - Statements can appear in a single :term:`block <Block>` - for
-         example, an :namedconf:ref:`algorithm` statement can appear only in a
-         :namedconf:ref:`key` block - or in multiple blocks - for example, an
-         :any:`also-notify` statement can appear in an :namedconf:ref:`options`
-@@ -6550,8 +6550,8 @@ The following options can be specified in a :any:`dnssec-policy` statement:
-     of the indicated length.
- 
-     .. warning::
-       Do not use extra :term:`iterations`, :term:`salt`, and
-       :term:`opt-out` unless their implications are fully understood.
-+       Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
-+       :term:`opt-out <Opt-out>` unless their implications are fully understood.
-        A higher number of iterations causes interoperability problems and opens
-        servers to CPU-exhausting DoS attacks.
- 
--- a/bind-9.18-pkcs11-engine-compat-api.patch
+++ b/bind-9.18-pkcs11-engine-compat-api.patch
--- a/bind-9.18-pkcs11-engine-init.patch
+++ b/bind-9.18-pkcs11-engine-init.patch
@ -1,48 +0,0 @@
-From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Wed, 7 Sep 2022 13:46:31 +0200
-Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
-
-According to manual page of ENGINE_init, it should be called explicitly
-before any key operations happens. Make it active whole lifetime.
---
- lib/dns/openssl_link.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 333f34cb37..a3f63885fa 100644
--- a/lib/dns/openssl_link.c
-+++ b/lib/dns/openssl_link.c
-@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
- 			result = DST_R_NOENGINE;
- 			goto cleanup_rm;
- 		}
-+		if (!ENGINE_init(e)) {
-+			result = DST_R_NOENGINE;
-+			goto cleanup_rm;
-+		}
- 		/* This will init the engine. */
- 		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
- 			result = DST_R_NOENGINE;
-			goto cleanup_rm;
-+			goto cleanup_init;
- 		}
- 	}
- 
- 	return (ISC_R_SUCCESS);
-+cleanup_init:
-+	ENGINE_finish(e);
- cleanup_rm:
- 	if (e != NULL) {
- 		ENGINE_free(e);
-@@ -108,6 +114,7 @@ void
- dst__openssl_destroy(void) {
- #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- 	if (e != NULL) {
-+		ENGINE_finish(e);
- 		ENGINE_free(e);
- 	}
- 	e = NULL;
-- 
-2.37.2
-
--- a/bind-9.18-pkcs11-engine-remove-deadcode.patch
+++ b/bind-9.18-pkcs11-engine-remove-deadcode.patch
@ -1,245 +0,0 @@
-From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Thu, 8 Sep 2022 16:33:38 +0200
-Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
-
-OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
-builders. But it can be built in legacy mode, where deprecated but still
-working API would be used.
-
-It can work under OpenSSL 3.0, but only if using legacy code paths
-matching OpenSSL 1.1 calls and functions.
-
-Remove fromlabel processing by OpenSSL 3.0 only functions. They can
-return later with a proper provider support for pkcs11.
---
- lib/dns/opensslecdsa_link.c | 55 -------------------------------------
- lib/dns/opensslrsa_link.c   | 32 ---------------------
- 2 files changed, 87 deletions(-)
-
-diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
-index 04f0d80b5e..f04f076e42 100644
--- a/lib/dns/opensslecdsa_link.c
-+++ b/lib/dns/opensslecdsa_link.c
-@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- 	isc_result_t ret = ISC_R_SUCCESS;
- 	ENGINE *e;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	EC_KEY *eckey = NULL;
- 	EC_KEY *pubeckey = NULL;
- 	int group_nid;
-#else
-	size_t len;
-	const char *curve_name, *nist_curve_name;
-	char buf[128]; /* Sufficient for all of the supported curves' names. */
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 	EVP_PKEY *pkey = NULL;
- 	EVP_PKEY *pubpkey = NULL;
- 
-@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 		DST_RET(DST_R_NOENGINE);
- 	}
- 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	if (key->key_alg == DST_ALG_ECDSA256) {
- 		group_nid = NID_X9_62_prime256v1;
- 	} else {
- 		group_nid = NID_secp384r1;
- 	}
-#else
-	/* Get the expected curve names */
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		curve_name = "prime256v1";
-		nist_curve_name = "P-256";
-	} else {
-		curve_name = "secp384r1";
-		nist_curve_name = "P-384";
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	/* Load private key. */
- 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
- 		DST_RET(DST_R_INVALIDPRIVATEKEY);
- 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
- 	if (eckey == NULL) {
- 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
- 		DST_RET(DST_R_INVALIDPRIVATEKEY);
- 	}
-#else
-	len = 0;
-	if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
-					   buf, sizeof buf, &len) != 1 ||
-	    len == 0 || len >= sizeof buf)
-	{
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
-	{
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	/* Load public key. */
- 	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
-@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
- 		DST_RET(DST_R_INVALIDPUBLICKEY);
- 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
- 	if (pubeckey == NULL) {
- 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
- 		DST_RET(DST_R_INVALIDPUBLICKEY);
- 	}
-#else
-	len = 0;
-	if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
-					   buf, sizeof buf, &len) != 1 ||
-	    len == 0 || len >= sizeof buf)
-	{
-		DST_RET(DST_R_INVALIDPUBLICKEY);
-	}
-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
-	{
-		DST_RET(DST_R_INVALIDPUBLICKEY);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
- 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- 	}
-#else
-	if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	key->label = isc_mem_strdup(key->mctx, label);
- 	key->engine = isc_mem_strdup(key->mctx, engine);
-@@ -1442,14 +1389,12 @@ err:
- 	if (pkey != NULL) {
- 		EVP_PKEY_free(pkey);
- 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	if (pubeckey != NULL) {
- 		EC_KEY_free(pubeckey);
- 	}
- 	if (eckey != NULL) {
- 		EC_KEY_free(eckey);
- 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	return (ret);
- #else
-diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index 867b486a2f..cf350610ba 100644
--- a/lib/dns/opensslrsa_link.c
-+++ b/lib/dns/opensslrsa_link.c
-@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- 		key->engine = isc_mem_strdup(key->mctx, engine);
- 		key->label = isc_mem_strdup(key->mctx, label);
- 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 		rsa = EVP_PKEY_get1_RSA(pkey);
- 		if (rsa == NULL) {
- 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- 		}
- 		RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
-		if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
-		    ISC_R_SUCCESS) {
-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-		}
-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
-		    1) {
-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-		}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 		if (ex == NULL) {
- 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	ENGINE *e = NULL;
- 	isc_result_t ret = ISC_R_SUCCESS;
- 	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	RSA *rsa = NULL, *pubrsa = NULL;
- 	const BIGNUM *ex = NULL;
-#else
-	BIGNUM *ex = NULL;
-#endif
- 
- 	UNUSED(pin);
- 
-@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 		DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
- 					       DST_R_OPENSSLFAILURE));
- 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	pubrsa = EVP_PKEY_get1_RSA(pubpkey);
- 	if (pubrsa == NULL) {
- 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
- 	if (pkey == NULL) {
-@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	key->engine = isc_mem_strdup(key->mctx, engine);
- 	key->label = isc_mem_strdup(key->mctx, label);
- 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	rsa = EVP_PKEY_get1_RSA(pkey);
- 	if (rsa == NULL) {
- 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- 	}
- 	RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
-	if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 
- 	if (ex == NULL) {
- 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- 	pkey = NULL;
- 
- err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- 	if (rsa != NULL) {
- 		RSA_free(rsa);
- 	}
- 	if (pubrsa != NULL) {
- 		RSA_free(pubrsa);
- 	}
-#else
-	if (ex != NULL) {
-		BN_free(ex);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
- 	if (pkey != NULL) {
- 		EVP_PKEY_free(pkey);
- 	}
-- 
-2.37.2
-
--- a/bind.spec
+++ b/bind.spec
@ -62,8 +62,8 @@ Conflicts: %1 \
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPL-2.0
-Version:  9.18.7
-Release:  3%{?dist}
+Version:  9.18.8
+Release:  1%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -99,16 +99,8 @@ Source49: named-chroot.files
 Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 Patch22: bind-9.11-fips-tests.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385
-# https://bugzilla.redhat.com/show_bug.cgi?id=2122841
-Patch23: bind-9.18-pkcs11-engine-init.patch
-Patch24: bind-9.18-pkcs11-engine-compat-api.patch
-Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
-# Fix building ARM docs in EPEL9
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6815
-Patch27: bind-9.18-doc-arm-rhel9.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -957,6 +949,9 @@ fi;
 %endif

 %changelog
+* Sat Oct 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.8-1
+- Update to 9.18.8 (#2136100)
+
 * Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.7-3
 - Update License to SPDX identifier
 - Enable automatic restart on crashes
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5
-SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48
+SHA512 (bind-9.18.8.tar.xz) = ea6cad5276269a320fa1e666544888ed88b9d058ecab56c82aebff24e841a4ad221ce9c1209b1258884d71f7c03eed4d1c6a7e1922780073644344bc939a0e89
+SHA512 (bind-9.18.8.tar.xz.asc) = 06a880eb3af14e760f52ab5bd666b6512487d724a16a0fdf646ad9a07f17249e68a9a59ddf902f9111aee6450d96ed8dfe36d6fb433808f993d9bbc6dd4e665c