From d71ca201e010791201b9ebeb6e47e044f43f1254 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 19:55:51 -0400
Subject: [PATCH] import UBI bind-9.16.23-40.el9_8.1
---
...perly-process-extra-nameserver-lines.patch | 38 +++++++++++
SOURCES/bind-chroot.tmpfiles.d | 38 +++++++++++
SOURCES/bind.tmpfiles.d | 9 +++
SOURCES/named-chroot.files | 2 +
SOURCES/named.sysusers | 3 +
SPECS/bind.spec | 68 ++++++++++++++-----
6 files changed, 140 insertions(+), 18 deletions(-)
create mode 100644 SOURCES/bind-9.16-properly-process-extra-nameserver-lines.patch
create mode 100644 SOURCES/bind-chroot.tmpfiles.d
create mode 100644 SOURCES/named.sysusers
diff --git a/SOURCES/bind-9.16-properly-process-extra-nameserver-lines.patch b/SOURCES/bind-9.16-properly-process-extra-nameserver-lines.patch
new file mode 100644
index 0000000..abfa7cf
--- /dev/null
+++ b/SOURCES/bind-9.16-properly-process-extra-nameserver-lines.patch
@@ -0,0 +1,38 @@
+diff --git a/CHANGES b/CHANGES
+index 2b12128544..42c13c9dbd 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,7 @@
++6173. [bug] Properly process extra "nameserver" lines in
++ resolv.conf otherwise the next line is not properly
++ processed. [GL #4066]
++
+ --- 9.16.23 released ---
+
+ 5752. [bug] Fix an assertion failure caused by missing member zones
+diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
+index da6066db7b..775f4e86a4 100644
+--- a/lib/irs/resconf.c
++++ b/lib/irs/resconf.c
+@@ -286,10 +286,6 @@ resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
+ int cp;
+ isc_result_t result;
+
+- if (conf->numns == RESCONFMAXNAMESERVERS) {
+- return (ISC_R_SUCCESS);
+- }
+-
+ cp = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U) {
+ return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
+@@ -301,6 +297,10 @@ resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
+ return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+ }
+
++ if (conf->numns == RESCONFMAXNAMESERVERS) {
++ return (ISC_R_SUCCESS);
++ }
++
+ result = add_server(conf->mctx, word, &conf->nameservers);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
diff --git a/SOURCES/bind-chroot.tmpfiles.d b/SOURCES/bind-chroot.tmpfiles.d
new file mode 100644
index 0000000..13992fd
--- /dev/null
+++ b/SOURCES/bind-chroot.tmpfiles.d
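Review bot: The relocated `if (conf->numns == RESCONFMAXNAMESERVERS)` check now returns ISC_R_SUCCESS only after the address token has been parsed, so a nameserver beyond the limit is consumed and silently dropped, yet nothing in the hunk records that this is intended rather than an oversight; a comment directly above it, `/* Line fully consumed; servers past RESCONFMAXNAMESERVERS are ignored, not an error. */`, would stop a future reader from moving the early return back and reintroducing GL #4066. resconf_parsenameserver starts before the first hunk and continues past the second, so the declaration of word and the remainder of the add_server handling are outside this view. Whether the dropped entries are reported anywhere cannot be seen here; if they are not, a debug-level log at that point would make resolv.conf files with too many nameserver lines easier to diagnose.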
@@ -0,0 +1,38 @@
+# vim: ft=conf:
+# TODO: these definitions are in different form in rpm spec %files chroot section
+# find a way to have it defined only once
+#defattr(0664,root,named,-)
+c /var/named/chroot/dev/null 0664 root named - 1:3
+c /var/named/chroot/dev/random 0664 root named - 1:8
+c /var/named/chroot/dev/urandom 0664 root named - 1:9
+c /var/named/chroot/dev/zero 0664 root named - 1:5
+#defattr(0640,root,named,0750)
+d /var/named/chroot 0750 root named -
+d /var/named/chroot/dev 0750 root named -
+d /var/named/chroot/etc 0750 root named -
+d /var/named/chroot/etc/named 0750 root named -
+d /var/named/chroot/etc/pki 0750 root named -
+d /var/named/chroot/etc/pki/dnssec-keys 0750 root named -
+d /var/named/chroot/etc/crypto-policies 0750 root named -
+d /var/named/chroot/etc/crypto-policies/back-ends 0750 root named -
+d /var/named/chroot/var 0750 root named -
+d /var/named/chroot/run 0750 root named -
+#defattr(-,root,root,-)
+d /var/named/chroot/usr - root root -
+d /var/named/chroot/usr/lib64 - root root -
+d /var/named/chroot/usr/lib64/bind - root root -
+d /var/named/chroot/usr/lib64/named - root root -
+d /var/named/chroot/usr/share/GeoIP - root root -
+d /var/named/chroot/usr/share/named - root root -
+d /var/named/chroot/proc - root root -
+d /var/named/chroot/proc/sys - root root -
+d /var/named/chroot/proc/sys/net - root root -
+d /var/named/chroot/proc/sys/net/ipv4 - root root -
+#defattr(0660,root,named,01770)
+d /var/named/chroot/var/named 01770 root named -
+#defattr(0660,named,named,0770)
+d /var/named/chroot/var/tmp 0770 named named -
+d /var/named/chroot/var/log 0770 named named -
+#defattr(-,named,named,-)
+d /var/named/chroot/run/named - named named -
+L /var/named/chroot/var/run - named named - ../run
diff --git a/SOURCES/bind.tmpfiles.d b/SOURCES/bind.tmpfiles.d
index 640a656..95d4975 100644
--- a/SOURCES/bind.tmpfiles.d
+++ b/SOURCES/bind.tmpfiles.d
@@ -1 +1,10 @@
+# vim: ft=conf:
 d /run/named 0755 named named -
+d /var/named 01770 root named -
+d /var/named/slaves 0770 named named -
+d /var/named/data 0770 named named -
+d /var/named/dynamic 0770 named named -
+L /var/named/named.ca 0640 named named - ../../../usr/share/named/named.ca
+L /var/named/named.localhost 0640 named named - ../../../usr/share/named/named.localhost
+L /var/named/named.loopback 0640 named named - ../../../usr/share/named/named.loopback
+L /var/named/named.empty 0640 named named - ../../../usr/share/named/named.empty
diff --git a/SOURCES/named-chroot.files b/SOURCES/named-chroot.files
index 75e6aa1..8511722 100644
--- a/SOURCES/named-chroot.files
+++ b/SOURCES/named-chroot.files
@@ -3,6 +3,7 @@
 # if they are missing or empty in target directory.
 /etc/localtime
 /etc/named.root.key
+/etc/named.ca
 /etc/named.conf
 /etc/named.rfc1912.zones
 /etc/rndc.conf
@@ -19,6 +20,7 @@
 /usr/lib64/named
 /usr/lib/named
 /usr/share/GeoIP
+/usr/share/named
 /run/named
 /proc/sys/net/ipv4/ip_local_port_range
 # Warning: the order is important
diff --git a/SOURCES/named.sysusers b/SOURCES/named.sysusers
new file mode 100644
index 0000000..f173c78
--- /dev/null
+++ b/SOURCES/named.sysusers
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u named 25 "Named" /var/named /sbin/nologin
+g named 25
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 45967cb..2dbb0a9 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
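Review bot: The `0640 named named` columns on the four new `L` lines are misleading, because tmpfiles.d(5) documents the mode column (and, as far as I can tell, the user and group columns) as ignored for symlink entries; the effective access to named.ca and its siblings is whatever the targets under /usr/share/named carry, so a reader must not take 0640 here as an enforced restriction. `L` also only creates the link when the path is absent, and the spec's install section in this same commit still ships real copies into /var/named "for maximal backward compatibility", so these entries only take effect after an administrator removes a copy. Writing the unused columns as `-`, e.g. `L /var/named/named.ca - - - - ../../../usr/share/named/named.ca`, together with a one-line comment saying the links are a fallback for deleted copies, would make both facts explicit.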
@@ -25,14 +25,12 @@ %bcond_with DOCPDF %bcond_with TSAN -%{?!bind_uid: %global bind_uid 25} -%{?!bind_gid: %global bind_gid 25} %{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot %global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\ %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\ - %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4 + %{_libdir}/bind %{_libdir}/named %{_datadir}/{GeoIP,named} /proc/sys/net/ipv4 %global selinuxbooleans named_write_master_zones=1 @@ -56,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 34%{?dist}.2 +Release: 40%{?dist}.1 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -87,6 +85,8 @@ Source46: named-setup-rndc.service Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files +Source50: named.sysusers +Source51: bind-chroot.tmpfiles.d # Common patches Patch10: bind-9.5-PIE.patch @@ -199,12 +199,15 @@ Patch224: bind-9.16-CVE-2025-40780.patch # https://gitlab.isc.org/isc-projects/bind9/commit/50479358efdf432d690415131b74b5df158a9d69 # https://gitlab.isc.org/isc-projects/bind9/commit/33a7db1fe964e55b76b4ac003ecc56cc67028bd9 Patch225: bind-9.16-CVE-2025-40778.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7942 +Patch226: bind-9.16-properly-process-extra-nameserver-lines.patch # https://gitlab.isc.org/isc-projects/bind9/-/commit/a5e8d2354385d4f42a58113b16960d85ec306b09 -Patch226: bind-9.16-CVE-2026-1519.patch +Patch227: bind-9.16-CVE-2026-1519.patch %{?systemd_ordering} +# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers +%{?sysusers_requires_compat} Requires: coreutils -Requires(pre): shadow-utils Requires(post): shadow-utils Requires(post): glibc-common Requires(post): grep 
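Review bot: `%{?sysusers_requires_compat}` expands to nothing when the macro is undefined, while the `%pre` scriptlet in a later hunk calls `%sysusers_create_compat %{SOURCE50}` unconditionally, so a build host without the systemd sysusers macros would yield a package that has dropped `Requires(pre): shadow-utils` yet still carries a scriptlet that cannot expand; a `BuildRequires: systemd-rpm-macros` (if it is not already present outside this diff) or keeping the explicit `Requires(pre)` would close that gap. Renumbering bind-9.16-CVE-2026-1519.patch from Patch226 to Patch227 must also be mirrored wherever the patches are applied in %prep, which is outside the diff; if the spec applies patches with explicit `%patch226 -p1` lines rather than `%autosetup`/`%autopatch`, the CVE fix would silently stop applying while the new patch takes its slot, so that section deserves a look.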
@@ -767,6 +770,9 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} +mkdir -p ${RPM_BUILD_ROOT}%{_sysusersdir} +install -m 644 %{SOURCE50} ${RPM_BUILD_ROOT}%{_sysusersdir}/named.conf + %if %{with PKCS11} install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} %else 
@@ -871,21 +877,28 @@ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf} install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named +mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/named +install -p -m 644 %{SOURCE17} ${RPM_BUILD_ROOT}%{_datadir}/named/named.ca +install -p -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}%{_datadir}/named/named.localhost +install -p -m 644 %{SOURCE19} ${RPM_BUILD_ROOT}%{_datadir}/named/named.loopback +install -p -m 644 %{SOURCE20} ${RPM_BUILD_ROOT}%{_datadir}/named/named.empty # data files: mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named -install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca -install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost -install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback -install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty -install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones +# Create duplicate copies for maximal backward compatibility +install -p -m 644 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca +install -p -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost +install -p -m 644 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback +install -p -m 644 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty +install -p -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones # sample bind configuration files for %%doc: mkdir -p sample/etc sample/var/named/{data,slaves} install -m 644 %{SOURCE25} sample/etc/named.conf -# Copy default configuration to %%doc to make it usable from system-config-bind +# Copy default configuration to %%doc install -m 644 %{SOURCE16} named.conf.default install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones +# Extra copies in documentation too. 
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named install -m 644 %{SOURCE17} sample/var/named/named.ca for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do @@ -895,15 +908,15 @@ done :; mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} -install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf +install -p -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf +install -p -m 644 %{SOURCE51} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}-chroot.conf mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d -install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named +install -p -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named %pre if [ "$1" -eq 1 ]; then - /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; - /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :; + %sysusers_create_compat %{SOURCE50} fi; :; @@ -1022,6 +1035,7 @@ fi; %{_unitdir}/named.service %{_unitdir}/named-setup-rndc.service %{_sbindir}/named-journalprint +%{_sysusersdir}/named.conf %{_sbindir}/named-checkconf %{_bindir}/named-rrchecker %{_bindir}/mdig @@ -1054,6 +1068,7 @@ fi; %dir %{_localstatedir}/named/dynamic %ghost %{_localstatedir}/log/named.log %defattr(0640,root,named,0750) +%{_datadir}/named/ %config %verify(not link) %{_localstatedir}/named/named.ca %config %verify(not link) %{_localstatedir}/named/named.localhost %config %verify(not link) %{_localstatedir}/named/named.loopback @@ -1149,6 +1164,7 @@ fi; %{_unitdir}/named-chroot.service %{_unitdir}/named-chroot-setup.service %{_libexecdir}/setup-named-chroot.sh +%{_tmpfilesdir}/%{name}-chroot.conf %defattr(0664,root,named,-) %ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null %ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random 
@@ -1172,6 +1188,7 @@ fi; %dir %{chroot_prefix}/%{_libdir}/bind %dir %{chroot_prefix}/%{_libdir}/named %dir %{chroot_prefix}/%{_datadir}/GeoIP +%dir %{chroot_prefix}/%{_datadir}/named %{chroot_prefix}/proc %defattr(0660,root,named,01770) %dir %{chroot_prefix}%{_localstatedir}/named @@ -1245,11 +1262,26 @@ fi; %endif %changelog -* Fri Mar 27 2026 Petr Menšík - 32:9.16.23-34.2 +* Fri Mar 27 2026 Petr Menšík - 32:9.16.23-40.1 - Prevent Denial of Service via maliciously crafted DNSSEC-validated zone (CVE-2026-1519) -* Wed Oct 29 2025 Petr Menšík - 32:9.16.23-34.1 +* Wed Jan 28 2026 Petr Menšík - 32:9.16.23-40 +- Add forgotten _libdir/named into bind-chroot tmpfiles (RHEL-135629) + +* Thu Jan 22 2026 Fedor Vorobev - 32:9.16.23-39 +- Backport fix for nameserver line processing. (RHEL-79714) + +* Fri Dec 12 2025 Petr Menšík - 32:9.16.23-38 +- Add sysusers named user creation (RHEL-132053) + +* Fri Dec 12 2025 Petr Menšík - 32:9.16.23-37 +- Create /var/named directories for bind-chroot (RHEL-132053) + +* Wed Oct 29 2025 Petr Menšík - 32:9.16.23-36 +- Copy named.* files from /var/named into /usr/share/named + +* Wed Oct 29 2025 Petr Menšík - 32:9.16.23-35 - Prevent cache poisoning due to weak PRNG (CVE-2025-40780) - Replace downstream fixes with upstream changes - Address various spoofing attacks (CVE-2025-40778)