[9.18] [CVE-2024-12705] sec: usr: DNS-over-HTTP(S) flooding fixes

Fix DNS-over-HTTP(S) implementation issues that arise under heavy
query load. Optimize resource usage for :iscman:`named` instances
that accept queries over DNS-over-HTTP(S).

Previously, :iscman:`named` would process all incoming HTTP/2 data
at once, which could overwhelm the server, especially when dealing
with clients that send requests but don't wait for responses. That
has been fixed. Now, :iscman:`named` handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many requests
at once.

Additionally, :iscman:`named` now carefully processes data sent by
some clients, which can be considered "flooding." It logs these
clients and drops connections from them.
:gl:`#4795`

In some cases, :iscman:`named` could leave DNS-over-HTTP(S)
connections in the `CLOSE_WAIT` state indefinitely. That also has
been fixed. ISC would like to thank JF Billaud for thoroughly
investigating the issue and verifying the fix.
:gl:`#5083`

Vulnerability: CVE-2024-12705
Resolves: RHEL-76868
Petr Menšík 2025-02-03 23:01:18 +01:00
parent 642b920266
commit 1c6949770d
2 changed files with 1421 additions and 0 deletions

@ -122,6 +122,8 @@ Patch29: bind-9.18-nsupdate-TLS-tests.patch
# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
Patch30: bind-9.18-CVE-2024-11187-pre-test.patch
Patch31: bind-9.18-CVE-2024-11187.patch
# https://gitlab.isc.org/isc-projects/bind9/-/commit/e733e624147155d6cbee7f0f150c79c7ac6b54bb
Patch32: bind-9.18-CVE-2024-12705.patch
%{?systemd_ordering}
Requires: coreutils
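Review bot: Patch32 is only declared in this hunk; confirm that the %prep section (not shown in this diff) actually applies it, otherwise the built package would not carry the CVE-2024-12705 fix even though the changelog claims it. The upstream reference comment above it points at a single commit (e733e624147155d6cbee7f0f150c79c7ac6b54bb), while the commit message cites two upstream issues (#4795 and #5083); it would help to state in the comment whether the backported patch covers both, or only one of them.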
@ -971,6 +973,7 @@ fi;
%changelog
* Mon Feb 03 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-3
- Limit additional section records CPU processing (CVE-2024-11187)
- Read HTTPS requests in limited chunks and prevent overload (CVE-2024-12705)
* Mon Jan 27 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-2
- Backport nsupdate TLS support into 9.18 (RHEL-76331)
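Review bot: the new changelog line names the CVE but not the RHEL-76868 ticket that the commit message says it resolves, whereas the neighbouring 9.18.29-2 entry does cite its ticket (RHEL-76331). For consistency and traceability, suggest `- Read HTTPS requests in limited chunks and prevent overload (CVE-2024-12705, RHEL-76868)`.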