Update to 9.18.7 (#2128609)

https://downloads.isc.org/isc/bind9/9.18.7/doc/arm/html/notes.html#notes-for-bind-9-18-7
2022-09-21 14:33:11 +02:00 · 2022-09-21 14:33:11 +02:00 · bbdbcbc779
commit bbdbcbc779
parent 24465000af
5 changed files with 89 additions and 102 deletions
--- a/.gitignore
+++ b/.gitignore
@ -190,3 +190,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.18.5.tar.xz.asc
 /bind-9.18.6.tar.xz
 /bind-9.18.6.tar.xz.asc
+/bind-9.18.7.tar.xz
+/bind-9.18.7.tar.xz.asc
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,4 +1,4 @@
-From 09030b066846a9b7252b5cb4f483d4a55b4639fc Mon Sep 17 00:00:00 2001
+From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@ -81,20 +81,18 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
 bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
 bin/tests/system/nsupdate/setup.sh            |  6 +-
- bin/tests/system/nsupdate/tests.sh            | 11 ++-
+ bin/tests/system/nsupdate/tests.sh            |  9 ++-
 bin/tests/system/rndc/setup.sh                |  2 +-
 bin/tests/system/rndc/tests.sh                | 22 +++---
 bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
- bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
 bin/tests/system/tsig/setup.sh                |  5 ++
 bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
 bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
 bin/tests/system/upforwd/tests.sh             |  2 +-
- 32 files changed, 159 insertions(+), 106 deletions(-)
- create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+ 31 files changed, 147 insertions(+), 106 deletions(-)

 diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
-index 745048a..93cb411 100644
+index 8787c6a..b781d0b 100644
 --- a/bin/tests/system/acl/ns2/named1.conf.in
 +++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -35,12 +35,12 @@ options {
@ -113,7 +111,7 @@ index 745048a..93cb411 100644
 };
 
 diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
-index 21aa991..78e71cc 100644
+index a95b4c1..3f3f471 100644
 --- a/bin/tests/system/acl/ns2/named2.conf.in
 +++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -35,12 +35,12 @@ options {
@ -132,7 +130,7 @@ index 21aa991..78e71cc 100644
 };
 
 diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
-index 3208c92..bed6325 100644
+index 14cc3fe..9507706 100644
 --- a/bin/tests/system/acl/ns2/named3.conf.in
 +++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -35,17 +35,17 @@ options {
@ -157,7 +155,7 @@ index 3208c92..bed6325 100644
 };
 
 diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
-index 14e82ed..a22cafe 100644
+index 77cf110..029c91b 100644
 --- a/bin/tests/system/acl/ns2/named4.conf.in
 +++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -35,12 +35,12 @@ options {
@ -176,7 +174,7 @@ index 14e82ed..a22cafe 100644
 };
 
 diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
-index f43f33c..f4a865a 100644
+index 5ccabf9..6154797 100644
 --- a/bin/tests/system/acl/ns2/named5.conf.in
 +++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
@ -539,10 +537,10 @@ index 4af25b0..9f202d5 100644
 };
 
 diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
-index 897dc86..e4b6dc1 100644
+index 154bf75..e7a05cd 100644
 --- a/bin/tests/system/checkconf/good.conf
 +++ b/bin/tests/system/checkconf/good.conf
-@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
+@@ -283,6 +283,6 @@ dyndb "name" "library.so" {
 	system;
 };
 key "mykey" {
@ -608,7 +606,7 @@ index 5cab276..d4a7bf3 100644
 };
 
 diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index 04fd34b..e5476ea 100644
+index 95158a4..9b9aa0a 100644
 --- a/bin/tests/system/notify/tests.sh
 +++ b/bin/tests/system/notify/tests.sh
@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig"
@ -633,7 +631,7 @@ index 04fd34b..e5476ea 100644
 	grep "test string" "$fnb" > /dev/null &&
 	grep "test string" "$fnc" > /dev/null &&
 diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
-index 81d0c99..effbe2e 100644
+index 2b67360..a734584 100644
 --- a/bin/tests/system/nsupdate/ns1/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -39,7 +39,7 @@ controls {
@ -646,7 +644,7 @@ index 81d0c99..effbe2e 100644
 };
 
 diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
-index f1a1735..da2b3d1 100644
+index c85eef5..428b6b1 100644
 --- a/bin/tests/system/nsupdate/ns2/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -34,7 +34,7 @@ controls {
@ -676,26 +674,24 @@ index 50056dc..a4a1a3f 100644
 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
 $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 0863d0a..559def7 100755
+index 0bb9d00..ecbc0df 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
-@@ -841,7 +841,14 @@ fi
- n=`expr $n + 1`
+@@ -841,7 +841,12 @@ fi
+ n=$((n + 1))
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do
-+if $FEATURETEST --md5
-+then
-+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
-+else
-+	ALGS="sha1 sha224 sha256 sha384 sha512"
+MD5ALG='md5'
+if ! $FEATURETEST --md5; then
+	MD5ALG=''
 +	echo_i "skipping disabled md5 algorithm"
 +fi
-+for alg in $ALGS; do
+for alg in $MD5ALG sha1 sha224 sha256 sha384 sha512; do
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
-@@ -849,7 +856,7 @@ send
+@@ -849,7 +854,7 @@ send
 END
 done
 sleep 2
@ -718,7 +714,7 @@ index 4dd6fa7..1b79263 100644
 make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256
 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index e678153..e7ec855 100644
+index a66ca15..6ebf78c 100644
 --- a/bin/tests/system/rndc/tests.sh
 +++ b/bin/tests/system/rndc/tests.sh
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@ -778,22 +774,6 @@ index 76cf970..22637af 100644
 
 key "sha1-trunc" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
-new file mode 100644
-index 0000000..0682194
--- /dev/null
-+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
-@@ -0,0 +1,10 @@
-+# Conditionally included when support for MD5 is available
-+key "md5" {
-+	secret "97rnFx24Tfna4mHPfgnerA==";
-+	algorithm hmac-md5;
-+};
-+
-+key "md5-trunc" {
-+	secret "97rnFx24Tfna4mHPfgnerA==";
-+	algorithm hmac-md5-80;
-+};
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
 index 34cc73b..d51ff21 100644
 --- a/bin/tests/system/tsig/setup.sh
--- a/bind-9.18-pkcs11-engine-compat-api.patch
+++ b/bind-9.18-pkcs11-engine-compat-api.patch
@ -1,7 +1,7 @@
-From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001
+From 1ecf072a6a556aa386003d1d5b83fe172320e7ed Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 8 Sep 2022 17:19:20 +0200
-Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled
+Subject: [PATCH] Do not use OSSL_PARAM when engine API is compiled

 OpenSSL has deprecated many things in version 3.0. If pkcs11 engine
 should work then no builder from OpenSSL 3.0 API can be used.
@ -16,7 +16,7 @@ working keys loading from the engine passed on command line.
 3 files changed, 189 insertions(+), 184 deletions(-)

 diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
-index d5dbc2e889..96c1d523b7 100644
+index 1a01c2b..7df483f 100644
 --- a/lib/dns/openssldh_link.c
 +++ b/lib/dns/openssldh_link.c
@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
@ -68,16 +68,16 @@ index d5dbc2e889..96c1d523b7 100644
 
 	isc_buffer_add(secret, (unsigned int)secret_len);
 
-@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- 
+@@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 static bool
 openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	bool ret = true;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh1, *dh2;
 	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
 	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
-@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+@@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
 	BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
 	BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
@ -89,7 +89,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
 
-@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
@ -99,15 +99,15 @@ index d5dbc2e889..96c1d523b7 100644
 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
 	    BN_cmp(pub_key1, pub_key2) != 0)
@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- 		}
 	}
 
+ err:
 -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p1 != NULL) {
 		BN_free(p1);
 	}
-@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+@@ -251,7 +251,8 @@ err:
 	if (priv_key2 != NULL) {
 		BN_clear_free(priv_key2);
 	}
@ -115,11 +115,12 @@ index d5dbc2e889..96c1d523b7 100644
 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
 +	*/
 
- 	return (true);
+ 	return (ret);
 }
- 
+@@ -259,15 +260,15 @@ err:
 static bool
 openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ 	bool ret = true;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh1, *dh2;
@ -135,7 +136,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
 
-@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
@ -143,15 +144,16 @@ index d5dbc2e889..96c1d523b7 100644
 +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
- 		return (false);
+ 		DST_RET(false);
 	}
 
+ err:
 -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p1 != NULL) {
 		BN_free(p1);
 	}
-@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+@@ -313,12 +314,13 @@ err:
 	if (g2 != NULL) {
 		BN_free(g2);
 	}
@ -159,7 +161,7 @@ index d5dbc2e889..96c1d523b7 100644
 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
 +	*/
 
- 	return (true);
+ 	return (ret);
 }
 
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
@ -167,7 +169,7 @@ index d5dbc2e889..96c1d523b7 100644
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 	union {
-@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
+@@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 	}
 	return (1);
 }
@ -176,7 +178,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
-@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 		void (*fptr)(int);
 	} u;
 	BIGNUM *p = NULL, *g = NULL;
@ -185,7 +187,7 @@ index d5dbc2e889..96c1d523b7 100644
 	DH *dh = NULL;
 	BN_GENCB *cb = NULL;
 #if !HAVE_BN_GENCB_NEW
-@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *param_pkey = NULL;
 	EVP_PKEY *pkey = NULL;
@ -197,7 +199,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
-@@ -386,7 +388,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	if (param_ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@ -206,7 +208,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	if (generator == 0) {
 		/*
-@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 			if (p == NULL || g == NULL) {
 				DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
 			}
@ -215,7 +217,7 @@ index d5dbc2e889..96c1d523b7 100644
 			if (DH_set0_pqg(dh, p, NULL, g) != 1) {
 				DST_RET(dst__openssl_toresult2(
 					"DH_set0_pqg", DST_R_OPENSSLFAILURE));
-@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 					DST_R_OPENSSLFAILURE));
 			}
 			params = OSSL_PARAM_BLD_to_param(bld);
@ -224,7 +226,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 		} else {
 			/*
-@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	}
 
 	if (generator != 0) {
@ -233,7 +235,7 @@ index d5dbc2e889..96c1d523b7 100644
 		cb = BN_GENCB_new();
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 		if (cb == NULL) {
-@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -488,10 +490,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 						       DST_R_OPENSSLFAILURE));
 		}
 		params = OSSL_PARAM_BLD_to_param(bld);
@ -246,7 +248,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (DH_generate_key(dh) == 0) {
 		DST_RET(dst__openssl_toresult2("DH_generate_key",
 					       DST_R_OPENSSLFAILURE));
-@@ -557,12 +559,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+@@ -559,12 +561,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@ -261,7 +263,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (dh != NULL) {
 		DH_free(dh);
 	}
-@@ -594,14 +596,14 @@ err:
+@@ -596,14 +598,14 @@ err:
 	if (g != NULL) {
 		BN_free(g);
 	}
@ -278,7 +280,7 @@ index d5dbc2e889..96c1d523b7 100644
 	DH *dh = key->keydata.dh;
 	const BIGNUM *priv_key = NULL;
 
-@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) {
+@@ -628,12 +630,12 @@ openssldh_isprivate(const dst_key_t *key) {
 	}
 
 	return (ret);
@ -293,7 +295,7 @@ index d5dbc2e889..96c1d523b7 100644
 	DH *dh = key->keydata.dh;
 
 	if (dh == NULL) {
-@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) {
+@@ -651,7 +653,7 @@ openssldh_destroy(dst_key_t *key) {
 
 	EVP_PKEY_free(pkey);
 	key->keydata.pkey = NULL;
@ -302,10 +304,10 @@ index d5dbc2e889..96c1d523b7 100644
 }
 
 static void
-@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) {
- 
+@@ -678,17 +680,17 @@ uint16_fromregion(isc_region_t *region) {
 static isc_result_t
 openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ 	isc_result_t ret = ISC_R_SUCCESS;
 -#if OPENSSL_VERSION_NUMBER < 0x30000000L
 +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh;
@ -323,7 +325,7 @@ index d5dbc2e889..96c1d523b7 100644
 	REQUIRE(key->keydata.dh != NULL);
 
 	dh = key->keydata.dh;
-@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+@@ -701,7 +703,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
@ -332,16 +334,16 @@ index d5dbc2e889..96c1d523b7 100644
 
 	isc_buffer_availableregion(data, &r);
 
-@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- 
+@@ -749,7 +751,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	isc_buffer_add(data, dnslen);
 
+ err:
 -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p != NULL) {
 		BN_free(p);
 	}
-@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+@@ -759,7 +761,8 @@ err:
 	if (pub_key != NULL) {
 		BN_free(pub_key);
 	}
@ -349,9 +351,9 @@ index d5dbc2e889..96c1d523b7 100644
 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
 +	*/
 
- 	return (ISC_R_SUCCESS);
+ 	return (ret);
 }
-@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+@@ -767,14 +770,14 @@ err:
 static isc_result_t
 openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	isc_result_t ret;
@ -368,7 +370,7 @@ index d5dbc2e889..96c1d523b7 100644
 	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
 	int key_size;
 	isc_region_t r;
-@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -786,7 +789,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		return (ISC_R_SUCCESS);
 	}
 
@ -377,7 +379,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
-@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -801,7 +804,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@ -386,7 +388,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	/*
 	 * Read the prime length.  1 & 2 are table entries, > 16 means a
-@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -877,7 +880,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	key_size = BN_num_bits(p);
 
@ -395,7 +397,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (DH_set0_pqg(dh, p, NULL, g) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_pqg",
 					       DST_R_OPENSSLFAILURE));
-@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -893,7 +896,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
 					       DST_R_OPENSSLFAILURE));
 	}
@ -404,7 +406,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	if (r.length < 2) {
 		DST_RET(DST_R_INVALIDPUBLICKEY);
-@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -911,7 +914,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, plen + glen + publen + 6);
 
@ -413,7 +415,7 @@ index d5dbc2e889..96c1d523b7 100644
 #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
 	(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
 	/*
-@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+@@ -955,14 +958,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@ -430,7 +432,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (dh != NULL) {
 		DH_free(dh);
 	}
-@@ -975,7 +978,7 @@ err:
+@@ -979,7 +982,7 @@ err:
 	if (bld != NULL) {
 		OSSL_PARAM_BLD_free(bld);
 	}
@ -439,7 +441,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (p != NULL) {
 		BN_free(p);
 	}
-@@ -991,13 +994,13 @@ err:
+@@ -995,13 +998,13 @@ err:
 
 static isc_result_t
 openssldh_tofile(const dst_key_t *key, const char *directory) {
@ -455,7 +457,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dst_private_t priv;
 	unsigned char *bufs[4] = { NULL };
 	unsigned short i = 0;
-@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+@@ -1011,7 +1014,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 		return (DST_R_EXTERNALKEY);
 	}
 
@ -464,7 +466,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (key->keydata.dh == NULL) {
 		return (DST_R_NULLKEY);
 	}
-@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+@@ -1029,7 +1032,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
@ -473,7 +475,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	priv.elements[i].tag = TAG_DH_PRIME;
 	priv.elements[i].length = BN_num_bytes(p);
-@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+@@ -1069,7 +1072,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 		}
 	}
 
@ -482,7 +484,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (p != NULL) {
 		BN_free(p);
 	}
-@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
+@@ -1082,7 +1085,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 	if (priv_key != NULL) {
 		BN_clear_free(priv_key);
 	}
@ -492,7 +494,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	return (result);
 }
-@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+@@ -1092,14 +1096,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@ -509,7 +511,7 @@ index d5dbc2e889..96c1d523b7 100644
 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
 	int key_size = 0;
 	isc_mem_t *mctx;
-@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+@@ -1117,7 +1121,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(DST_R_EXTERNALKEY);
 	}
 
@ -518,7 +520,7 @@ index d5dbc2e889..96c1d523b7 100644
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(ISC_R_NOMEMORY);
-@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+@@ -1132,7 +1136,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	if (ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@ -527,7 +529,7 @@ index d5dbc2e889..96c1d523b7 100644
 
 	for (i = 0; i < priv.nelements; i++) {
 		BIGNUM *bn;
-@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+@@ -1159,7 +1163,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 
@ -536,7 +538,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (DH_set0_key(dh, pub_key, priv_key) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_key",
 					       DST_R_OPENSSLFAILURE));
-@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+@@ -1206,13 +1210,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@ -552,7 +554,7 @@ index d5dbc2e889..96c1d523b7 100644
 	if (dh != NULL) {
 		DH_free(dh);
 	}
-@@ -1225,7 +1229,7 @@ err:
+@@ -1229,7 +1233,7 @@ err:
 	if (bld != NULL) {
 		OSSL_PARAM_BLD_free(bld);
 	}
@ -562,7 +564,7 @@ index d5dbc2e889..96c1d523b7 100644
 		BN_free(p);
 	}
 diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
-index 519e88b7e7..04f0d80b5e 100644
+index 519e88b..04f0d80 100644
 --- a/lib/dns/opensslecdsa_link.c
 +++ b/lib/dns/opensslecdsa_link.c
@@ -17,14 +17,14 @@
@ -1045,7 +1047,7 @@ index 519e88b7e7..04f0d80b5e 100644
 		key->keydata.generic = NULL;
 	}
 diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index fc905b7d60..867b486a2f 100644
+index fc905b7..867b486 100644
 --- a/lib/dns/opensslrsa_link.c
 +++ b/lib/dns/opensslrsa_link.c
@@ -18,7 +18,7 @@
@ -1550,5 +1552,5 @@ index fc905b7d60..867b486a2f 100644
 		RSA_free(rsa);
 	}
 -- 
-2.37.2
+2.37.3

--- a/bind.spec
+++ b/bind.spec
@ -62,8 +62,8 @@ Conflicts: %1 \
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.18.6
-Release:  4%{?dist}
+Version:  9.18.7
+Release:  1%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -954,6 +954,9 @@ fi;
 %endif

 %changelog
+* Wed Sep 21 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.7-1
+- Update to 9.18.7 (#2128609)
+
 * Wed Sep 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-4
 - Disable yet another test (##2122010)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.18.6.tar.xz) = 6b31eb56cf25b2cb1d8af0f76f9cac0e0985c78cbe3ba80164d773cb0bf77116dd98b5c4b84e3c74fd35b5da501ee6ba2dc0fae12267104edde2cb2daa1e1ba7
-SHA512 (bind-9.18.6.tar.xz.asc) = 13629b56acb02ca1fe861e6a17e949fee276de83624d972174893e48cc5de650a2a0081262e5e0d6913360861e2c91fed6b808ed8ae702e5cb2e2380eacf163b
+SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5
+SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48