import bind9.16-9.16.23-0.14.el8

SOURCES/bind-9.16-CVE-2022-3094-1.patch

@@ -1,4 +1,4 @@
-From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001
+From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 1 Sep 2022 16:05:04 -0700
 Subject: [PATCH] add an update quota
@@ -19,8 +19,8 @@ has been exceeded.
  lib/ns/include/ns/server.h |  1 +
  lib/ns/include/ns/stats.h  |  4 +++-
  lib/ns/server.c            |  2 ++
- lib/ns/update.c            | 38 +++++++++++++++++++++++++++++++++++++-
- 8 files changed, 59 insertions(+), 6 deletions(-)
+ lib/ns/update.c            | 37 ++++++++++++++++++++++++++++++++++++-
+ 8 files changed, 58 insertions(+), 6 deletions(-)
 
 diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
 index 5078115..194625b 100644
@@ -148,7 +148,7 @@ index a970a28..540bc2e 100644
  		isc_quota_destroy(&sctx->tcpquota);
  		isc_quota_destroy(&sctx->xfroutquota);
 diff --git a/lib/ns/update.c b/lib/ns/update.c
-index 546b70a..9a8c309 100644
+index 546b70a..1871438 100644
 --- a/lib/ns/update.c
 +++ b/lib/ns/update.c
 @@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
@@ -171,7 +171,7 @@ index 546b70a..9a8c309 100644
  	event = (update_event_t *)isc_event_allocate(
  		client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
  		sizeof(*event));
-@@ -1676,12 +1689,19 @@ failure:
+@@ -1676,12 +1689,18 @@ failure:
  		       dns_zone_gettype(zone) == dns_zone_mirror);
  		inc_stats(client, zone, ns_statscounter_updaterej);
  	}
@@ -184,7 +184,6 @@ index 546b70a..9a8c309 100644
 -	respond(client, result);
 +	if (result == DNS_R_DROP) {
 +		ns_client_drop(client, result);
-+		isc_nmhandle_detach(&client->reqhandle);
 +	} else {
 +		respond(client, result);
 +	}
@@ -192,7 +191,7 @@ index 546b70a..9a8c309 100644
  	if (zone != NULL) {
  		dns_zone_detach(&zone);
  	}
-@@ -3489,6 +3509,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
+@@ -3489,6 +3508,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
  
  	respond(client, uev->result);
  
@@ -200,7 +199,7 @@ index 546b70a..9a8c309 100644
  	isc_event_free(&event);
  	isc_nmhandle_detach(&client->updatehandle);
  }
-@@ -3505,6 +3526,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
+@@ -3505,6 +3525,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
  	INSIST(client->nupdates > 0);
  	client->nupdates--;
  	respond(client, DNS_R_SERVFAIL);
@@ -209,7 +208,7 @@ index 546b70a..9a8c309 100644
  	isc_event_free(&event);
  	isc_nmhandle_detach(&client->updatehandle);
  }
-@@ -3542,6 +3565,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
+@@ -3542,6 +3564,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
  	client->nupdates--;
  	ns_client_sendraw(client, uev->answer);
  	dns_message_detach(&uev->answer);
@@ -218,7 +217,7 @@ index 546b70a..9a8c309 100644
  	isc_event_free(&event);
  	isc_nmhandle_detach(&client->updatehandle);
  }
-@@ -3576,6 +3601,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+@@ -3576,6 +3600,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
  	update_event_t *event = NULL;
  	isc_task_t *zonetask = NULL;
  
@@ -237,5 +236,5 @@ index 546b70a..9a8c309 100644
  		client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
  		sizeof(*event));
 -- 
-2.39.1
+2.39.2
 

SOURCES/bind-9.16-CVE-2022-3094-test.patch

@@ -1,4 +1,4 @@
-From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
+From 54e281c11ee13eabc3c51d6391a58fc90836000c Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Wed, 9 Nov 2022 21:56:16 -0800
 Subject: [PATCH] test failure conditions
@@ -132,7 +132,7 @@ index 7bd13d3..2f690ff 100644
  
 diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
 new file mode 100644
-index 0000000..86d7469
+index 0000000..e15459a
 --- /dev/null
 +++ b/bin/tests/system/upforwd/ns3/named2.conf.in
 @@ -0,0 +1,41 @@
@@ -164,7 +164,7 @@ index 0000000..86d7469
 +
 +key rndc_key {
 +	secret "1234abcd8765";
-+	algorithm @DEFAULT_HMAC@;
++        algorithm hmac-sha256;
 +};
 +
 +controls {
@@ -268,5 +268,5 @@ index 8062d68..20fc46f 100644
  echo_i "exit status: $status"
  [ $status -eq 0 ] || exit 1
 -- 
-2.39.1
+2.39.2
 

SPECS/bind9.16.spec

@@ -57,7 +57,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind9.16
 License:  MPLv2.0
 Version:  9.16.23
-Release:  0.13%{?dist}
+Release:  0.14%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -1156,6 +1156,9 @@ fi;
 %endif
 
 %changelog
+* Sat Feb 25 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.14
+- Handle subtle difference between upstream and rhel (CVE-2022-3094)
+
 * Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.13
 - Prevent flooding with UPDATE requests (CVE-2022-3094)
 - Handle RRSIG queries when server-stale is active (CVE-2022-3736)