!140 [sync] PR-136: fix CVE-2023-3341 CVE-2024-11187

From: @openeuler-sync-bot 
Reviewed-by: @xiangyu2020 
Signed-off-by: @xiangyu2020

backport-0001-CVE-2024-1737.patch

@@ -0,0 +1,94 @@
+From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Fri, 1 Mar 2024 08:26:07 +0100
+Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
+ 
+Previously, the number of RRs in the RRSets were internally unlimited.
+As the data structure that holds the RRs is just a linked list, and
+there are places where we just walk through all of the RRs, adding an
+RRSet with huge number of RRs inside would slow down processing of said
+RRSets.
+ 
+The fix for end-of-life branches make the limit compile-time only for
+simplicity and the limit can be changed at the compile time by adding
+following define to CFLAGS:
+ 
+    -DDNS_RDATASET_MAX_RECORDS=<limit>
+ 
+(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.36/configure           |  2 +-
+ bind/bind-9.11.36/configure.ac        |  2 +-
+ bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
+index 368112f..736ff49 100755
+--- a/bind/bind-9.11.36/configure
++++ b/bind/bind-9.11.36/configure
+@@ -12185,7 +12185,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
+index 030c4d7..cc36b6c 100644
+--- a/bind/bind-9.11.36/configure.ac
++++ b/bind/bind-9.11.36/configure.ac
+@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
+index b0f77b1..347b7d2 100644
+--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
++++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
+@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ }
+ #endif
+ 
++#ifndef DNS_RDATASET_MAX_RECORDS
++#define DNS_RDATASET_MAX_RECORDS 100
++#endif /* DNS_RDATASET_MAX_RECORDS */
++
+ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen)
+@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
++	if (nitems > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ 	if (nitems > 0xffff)
+ 		return (ISC_R_NOSPACE);
+ 
+@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ #endif
+ 	INSIST(ocount > 0 && ncount > 0);
+ 
++	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ #if DNS_RDATASET_FIXED
+ 	oncount = ncount;
+ #endif
+-- 
+2.33.0
+

backport-0002-CVE-2024-1737.patch

@@ -0,0 +1,125 @@
+From dfcadc2085c8844b5836aff2b5ea51fb60c34868 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Wed, 29 May 2024 08:43:39 +0200
+Subject: [PATCH 2/3] Add a limit to the number of RR types for single name
+ 
+Previously, the number of RR types for a single owner name was limited
+only by the maximum number of the types (64k).  As the data structure
+that holds the RR types for the database node is just a linked list, and
+there are places where we just walk through the whole list (again and
+again), adding a large number of RR types for a single owner named with
+would slow down processing of such name (database node).
+ 
+Add a hard-coded limit (100) to cap the number of the RR types for a single
+owner.  The limit can be changed at the compile time by adding following
+define to CFLAGS:
+ 
+    -DDNS_RBTDB_MAX_RTYPES=<limit>
+ 
+Conflict:Context Adaptation
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.36/configure       |  2 +-
+ bind/bind-9.11.36/configure.ac    |  2 +-
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
+index 736ff49..8e881e3 100755
+--- a/bind/bind-9.11.36/configure
++++ b/bind/bind-9.11.36/configure
+@@ -12185,7 +12185,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
+index cc36b6c..0eab441 100644
+--- a/bind/bind-9.11.36/configure.ac
++++ b/bind/bind-9.11.36/configure.ac
+@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 3d76ca1..0cfef36 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -6190,6 +6190,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ 	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+ }
+ 
++#ifndef DNS_RBTDB_MAX_RTYPES
++#define DNS_RBTDB_MAX_RTYPES 100
++#endif /* DNS_RBTDB_MAX_RTYPES */
++
+ /*
+  * write lock on rbtnode must be held.
+  */
+@@ -6210,6 +6214,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
++	uint32_t ntypes;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6272,6 +6277,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
++				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6293,9 +6299,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
++			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
++				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6339,9 +6347,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
++	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		ntypes++;
+ 		if (prio_type(topheader->type)) {
+ 			prioheader = topheader;
+ 		}
+@@ -6700,6 +6710,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
++
++			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++				free_rdataset(rbtdb, rbtdb->common.mctx,
++					      newheader);
++				return (ISC_R_QUOTA);
++			}
++
+ 			newheader->down = NULL;
+ 
+ 			if (prio_type(newheader->type)) {
+-- 
+2.33.0
+

backport-0003-CVE-2024-1737.patch

@@ -0,0 +1,52 @@
+From b27c6bcce894786a8e082eafd59eccbf6f2731cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: [PATCH] Expand the list of the priority types and move it to db_p.h
+ 
+Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
+the priority types that are put at the beginning of the slabheader list
+for faster access and to avoid eviction when there are more types than
+the max-types-per-name limit.
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/b27c6bcce894786a8e082eafd59eccbf6f2731cb
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 0cfef36..0aed13c 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -1171,6 +1171,8 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ 	case dns_rdatatype_a:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_mx:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
+ 	case dns_rdatatype_aaaa:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ 	case dns_rdatatype_nsec:
+@@ -1183,6 +1185,18 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ 	case dns_rdatatype_cname:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++	case dns_rdatatype_dname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
++	case dns_rdatatype_dnskey:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
++	case dns_rdatatype_srv:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
++	case dns_rdatatype_txt:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
++	case dns_rdatatype_ptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
++	case dns_rdatatype_naptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
+ 		return (true);
+ 	}
+ 	return (false);
+-- 
+2.33.0
+

backport-0004-CVE-2024-1737.patch

@@ -0,0 +1,185 @@
+From 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120 Mon Sep 17 00:00:00 2001
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: Be smarter about refusing to add many RR types to the database
+ 
+Instead of outright refusing to add new RR types to the cache, be a bit
+smarter:
+ 
+1. If the new header type is in our priority list, we always add either
+   positive or negative entry at the beginning of the list.
+ 
+2. If the new header type is negative entry, and we are over the limit,
+   we mark it as ancient immediately, so it gets evicted from the cache
+   as soon as possible.
+ 
+3. Otherwise add the new header after the priority headers (or at the
+   head of the list).
+ 
+4. If we are over the limit, evict the last entry on the normal header
+   list.
+ 
+(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/57cd34441a1b4ecc9874a4a106c2c95b8d7a3120
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 71 +++++++++++++++++++++++++------
+ 1 file changed, 59 insertions(+), 12 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 0aed13c..d2c4097 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -6208,6 +6208,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
++static bool
++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
++	UNUSED(rbtdb);
++
++	if (DNS_RBTDB_MAX_RTYPES == 0) {
++		return (false);
++	}
++
++	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++}
++
++static bool
++prio_header(rdatasetheader_t *header) {
++	if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
++		return (true);
++	}
++
++	return (prio_type(header->type));
++}
++
+ /*
+  * write lock on rbtnode must be held.
+  */
+@@ -6218,7 +6238,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+-	rdatasetheader_t *prioheader = NULL;
++	rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6228,7 +6248,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
+-	uint32_t ntypes;
++	uint32_t ntypes = 0;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6291,7 +6311,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
+-				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6301,8 +6320,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next)
+-				if (topheader->type == sigtype)
++				if (topheader->type == sigtype) {
+ 					sigheader = topheader;
++					break;
++				}
+ 			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ 		} else {
+ 			/*
+@@ -6313,11 +6334,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
+-			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
+-				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6361,12 +6380,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
+-	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
+-		ntypes++;
+-		if (prio_type(topheader->type)) {
++		if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
++			++ntypes;
++			expireheader = topheader;
++		} else if (!IS_CACHE(rbtdb)) {
++			++ntypes;
++		}
++		if (prio_header(topheader)) {
+ 			prioheader = topheader;
+ 		}
+ 		if (topheader->type == newheader->type ||
+@@ -6724,8 +6747,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+-
+-			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++			if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ 				free_rdataset(rbtdb, rbtdb->common.mctx,
+ 					      newheader);
+ 				return (ISC_R_QUOTA);
+@@ -6733,7 +6755,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 
+ 			newheader->down = NULL;
+ 
+-			if (prio_type(newheader->type)) {
++			if (prio_header(newheader)) {
+ 				/* This is a priority type, prepend it */
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+@@ -6746,6 +6768,31 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+ 			}
++
++			if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++				if (expireheader == NULL) {
++					expireheader = newheader;
++				}
++				if (NEGATIVE(newheader) &&
++				    !prio_header(newheader))
++				{
++					/*
++					 * Add the new non-priority negative
++					 * header to the database only
++					 * temporarily.
++					 */
++					expireheader = newheader;
++				}
++
++				set_ttl(rbtdb, expireheader, 0);
++				mark_stale_header(rbtdb, expireheader);
++				/*
++				 * FIXME: In theory, we should mark the RRSIG
++				 * and the header at the same time, but there is
++				 * no direct link between those two header, so
++				 * we would have to check the whole list again.
++				 */
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+

backport-0028-CVE-2023-3341.patch

@@ -0,0 +1,176 @@
+From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+ 
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+ 
+Conflict: NA
+Reference: https://downloads.isc.org/isc/bind9/9.16.44/patches/0001-CVE-2023-3341.patch
+
+---
+ bind/bind-9.11.36/lib/isccc/cc.c              | 40 ++++++++++++++-----
+ .../lib/isccc/include/isccc/result.h          |  4 +-
+ bind/bind-9.11.36/lib/isccc/result.c          |  5 ++-
+ 3 files changed, 37 insertions(+), 12 deletions(-)
+
+diff --git a/bind/bind-9.11.36/lib/isccc/cc.c b/bind/bind-9.11.36/lib/isccc/cc.c
+index e012685..e830054 100644
+--- a/bind/bind-9.11.36/lib/isccc/cc.c
++++ b/bind/bind-9.11.36/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+ 
+ #define MAX_TAGS		256
+ #define DUP_LIFETIME		900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++	10 /* Big enough for rndc which just sends a string each way. */
++#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-	       uint32_t algorithm, isccc_sexpr_t **alistp);
++	       uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++	      isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++	       isccc_sexpr_t **valuep) {
+ 	unsigned int msgtype;
+ 	uint32_t len;
+ 	isccc_sexpr_t *value;
+ 	isccc_region_t active;
+ 	isc_result_t result;
+ 
++	if (depth > ISCCC_MAXDEPTH) {
++		return (ISCCC_R_MAXDEPTH);
++	}
++
+ 	if (REGION_SIZE(*source) < 1 + 4)
+ 		return (ISC_R_UNEXPECTEDEND);
+ 	GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 		} else
+ 			result = ISC_R_NOMEMORY;
+ 	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+-		result = table_fromwire(&active, NULL, 0, valuep);
++		result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+ 	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+-		result = list_fromwire(&active, valuep);
++		result = list_fromwire(&active, depth + 1, valuep);
+ 	else
+ 		result = ISCCC_R_SYNTAX;
+ 
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-	       uint32_t algorithm, isccc_sexpr_t **alistp)
++	    	uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+ 	char key[256];
+ 	uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 
+ 	REQUIRE(alistp != NULL && *alistp == NULL);
+ 
++	if (depth > ISCCC_MAXDEPTH) {
++		return (ISCCC_R_MAXDEPTH);
++	}
++
+ 	checksum_rstart = NULL;
+ 	first_tag = true;
+ 	alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 		GET_MEM(key, len, source->rstart);
+ 		key[len] = '\0';	/* Ensure NUL termination. */
+ 		value = NULL;
+-		result = value_fromwire(source, &value);
++		result = value_fromwire(source, depth + 1, &value);
+ 		if (result != ISC_R_SUCCESS)
+ 			goto bad;
+ 		if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,20 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth,
++	      isccc_sexpr_t **listp)
++{
+ 	isccc_sexpr_t *list, *value;
+ 	isc_result_t result;
+ 
++	if (depth > ISCCC_MAXDEPTH) {
++		return (ISCCC_R_MAXDEPTH);
++	}
++
+ 	list = NULL;
+ 	while (!REGION_EMPTY(*source)) {
+ 		value = NULL;
+-		result = value_fromwire(source, &value);
++		result = value_fromwire(source, depth + 1, &value);
+ 		if (result != ISC_R_SUCCESS) {
+ 			isccc_sexpr_free(&list);
+ 			return (result);
+@@ -699,7 +719,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ 	if (version != 1)
+ 		return (ISCCC_R_UNKNOWNVERSION);
+ 
+-	return (table_fromwire(source, secret, algorithm, alistp));
++	return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+ 
+ static isc_result_t
+diff --git a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
+index 6c79dd7..9e4fd7c 100644
+--- a/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
++++ b/bind/bind-9.11.36/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW		(ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE		(ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH        (ISC_RESULTCLASS_ISCCC + 6)
+ 
+-#define ISCCC_R_NRESULTS 		6	/*%< Number of results */
++#define ISCCC_R_NRESULTS 		7	/*%< Number of results */
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/bind/bind-9.11.36/lib/isccc/result.c b/bind/bind-9.11.36/lib/isccc/result.c
+index 8419bbb..60d76b5 100644
+--- a/bind/bind-9.11.36/lib/isccc/result.c
++++ b/bind/bind-9.11.36/lib/isccc/result.c
+@@ -40,7 +40,9 @@ static const char *text[ISCCC_R_NRESULTS] = {
+ 	"bad auth",				/* 3 */
+ 	"expired",				/* 4 */
+ 	"clock skew",				/* 5 */
+-	"duplicate"				/* 6 */
++	"duplicate",	   		/* 6 */
++	"max depth"	   			/* 7 */
++
+ };
+ 
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +52,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+ 	"ISCCC_R_EXPIRED",
+ 	"ISCCC_R_CLOCKSKEW",
+ 	"ISCCC_R_DUPLICATE",
++	"ISCCC_R_MAXDEPTH"
+ };
+ 
+ #define ISCCC_RESULT_RESULTSET			2
+-- 
+2.43.0
+

backport-0029-CVE-2024-11187.patch

@@ -0,0 +1,244 @@
+From fa7b7973e36056440dd688c7f312c89600d4f8cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 14 Nov 2024 10:37:29 +0100
+Subject: [PATCH] Limit the additional processing for large RDATA sets
+ 
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA.  This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+ 
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+ 
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+ 
+Conflict:Context adaptation
+Reference:https://downloads.isc.org/isc/bind9/9.18.33/patches/0001-CVE-2024-11187.patch
+
+---
+ bind/bind-9.11.36/bin/named/query.c                  |  7 ++++---
+ .../bin/tests/system/additional/tests.sh             |  2 +-
+ .../bin/tests/system/resolver/ns4/named.noaa         |  5 -----
+ bind/bind-9.11.36/bin/tests/system/resolver/tests.sh |  8 ++++++++
+ bind/bind-9.11.36/lib/dns/include/dns/rdataset.h     | 10 +++++++++-
+ bind/bind-9.11.36/lib/dns/rdataset.c                 |  8 +++++++-
+ bind/bind-9.11.36/lib/dns/resolver.c                 | 12 ++++++------
+ 7 files changed, 35 insertions(+), 17 deletions(-)
+ delete mode 100644 bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bind/bind-9.11.36/bin/named/query.c b/bind/bind-9.11.36/bin/named/query.c
+index f109805..965d104 100644
+--- a/bind/bind-9.11.36/bin/named/query.c
++++ b/bind/bind-9.11.36/bin/named/query.c
+@@ -1827,7 +1827,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+ 		 */
+ 		eresult = dns_rdataset_additionaldata(trdataset,
+ 						      query_addadditional,
+-						      client);
++						      client, DNS_RDATASET_MAXADDITIONAL);
+ 	}
+ 
+  cleanup:
+@@ -2433,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ 	additionalctx.client = client;
+ 	additionalctx.rdataset = rdataset;
+ 	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
+-					  &additionalctx);
++					  &additionalctx, DNS_RDATASET_MAXADDITIONAL);
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
+ }
+ 
+@@ -2770,7 +2770,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
+ 	 * To the current response for 'client', add the answer RRset
+ 	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ 	 * owner name '*namep', to section 'section', unless they are
+-	 * already there.  Also add any pertinent additional data.
++	 * already there.  Also add any pertinent additional data, unless
++	 * the query was for type ANY.
+ 	 *
+ 	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ 	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
+diff --git a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+index 6400723..c82f85d 100644
+--- a/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/additional/tests.sh
+@@ -261,7 +261,7 @@ n=`expr $n + 1`
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+     echo_i "failed"; status=`expr status + 1`
+ fi
+diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa b/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index 3b121ad..0000000
+--- a/bind/bind-9.11.36/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,5 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+-
+-Add -T noaa.
+diff --git a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+index 6eb52fe..bf37467 100755
+--- a/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/resolver/tests.sh
+@@ -281,6 +281,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++stop_server ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=`expr $n + 1`
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+diff --git a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+index ed9119a..a446673 100644
+--- a/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
++++ b/bind/bind-9.11.36/lib/dns/include/dns/rdataset.h
+@@ -53,6 +53,8 @@
+ #include <dns/types.h>
+ #include <dns/rdatastruct.h>
+ 
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+ 
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+-			    dns_additionaldatafunc_t add, void *arg);
++				dns_additionaldatafunc_t add, void *arg,
++			    size_t limit);
+ /*%<
+  * For each rdata in rdataset, call 'add' for each name and type in the
+  * rdata which is subject to additional section processing.
+@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+  *\li	If a call to dns_rdata_additionaldata() is not successful, the
+  *	result returned will be the result of dns_rdataset_additionaldata().
+  *
++ *\li	If 'limit' is non-zero and the number of the rdatasets is larger
++ *	than 'limit', no additional data will be processed.
++ *
+  * Returns:
+  *
+  *\li	#ISC_R_SUCCESS
+  *
++ *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+  *\li	Any error that dns_rdata_additionaldata() can return.
+  */
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rdataset.c b/bind/bind-9.11.36/lib/dns/rdataset.c
+index b42dea5..370ff09 100644
+--- a/bind/bind-9.11.36/lib/dns/rdataset.c
++++ b/bind/bind-9.11.36/lib/dns/rdataset.c
+@@ -28,6 +28,7 @@
+ #include <dns/ncache.h>
+ #include <dns/rdata.h>
+ #include <dns/rdataset.h>
++#include <dns/result.h>
+ 
+ static const char *trustnames[] = {
+ 	"none",
+@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
+ 
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+-			    dns_additionaldatafunc_t add, void *arg)
++			    dns_additionaldatafunc_t add, void *arg,
++				size_t limit)
+ {
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_result_t result;
+@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
++	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++		return DNS_R_TOOMANYRECORDS;
++	}
++
+ 	result = dns_rdataset_first(rdataset);
+ 	if (result != ISC_R_SUCCESS)
+ 		return (result);
+diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
+index 4afd2af..d58cddb 100644
+--- a/bind/bind-9.11.36/lib/dns/resolver.c
++++ b/bind/bind-9.11.36/lib/dns/resolver.c
+@@ -6462,7 +6462,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
+ 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+ 				(void)dns_rdataset_additionaldata(rdataset,
+ 								  check_related,
+-								  &chkarg);
++								  &chkarg, 0);
+ 				rescan = true;
+ 			}
+ 		}
+@@ -7097,7 +7097,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
+ 		chkarg.fctx = fctx;
+ 		chkarg.rmessage = message;
+ 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
+-						  &chkarg);
++						  &chkarg, 0);
+ #if CHECK_FOR_GLUE_IN_ANSWER
+ 		/*
+ 		 * Look in the answer section for "glue" that is incorrectly
+@@ -7113,7 +7113,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
+ 			chkarg.fcx = fctx;
+ 			chkarg.rmessage = message;
+ 			(void)dns_rdataset_additionaldata(ns_rdataset,
+-							  check_answer, &chkarg);
++							  check_answer, &chkarg, 0);
+ 		}
+ #endif
+ 		FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
+@@ -7355,7 +7355,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 			chkarg.rmessage = message;
+ 			(void)dns_rdataset_additionaldata(rdataset,
+ 							  check_related,
+-							  &chkarg);
++							  &chkarg, 0);
+ 		}
+ 	} else if (aname != NULL) {
+ 		dns_chkarg_t chkarg;
+@@ -7383,7 +7383,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 		chkarg.fctx = fctx;
+ 		chkarg.rmessage = message;
+ 		(void)dns_rdataset_additionaldata(ardataset, check_related,
+-						  &chkarg);
++						  &chkarg, 0);
+ 		for (sigrdataset = ISC_LIST_HEAD(aname->list);
+ 		     sigrdataset != NULL;
+ 		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+@@ -7546,7 +7546,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ 					(void)dns_rdataset_additionaldata(
+ 							rdataset,
+ 							check_related,
+-							&chkarg);
++							&chkarg, 0);
+ 					done = true;
+ 				}
+ 			}
+-- 
+2.43.0
+

backport-CVE-2024-1975.patch

@@ -0,0 +1,240 @@
+From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 16 May 2024 12:10:41 +0200
+Subject: [PATCH] Remove support for SIG(0) message verification
+ 
+Conflict:Case adaptation and some documents are not incorporated.
+Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
+ 
+---
+ bind/bind-9.11.36/bin/named/client.c          |  7 ++
+ .../bin/tests/system/tsiggss/authsock.pl      |  5 +
+ .../bin/tests/system/tsiggss/tests.sh         | 12 ++-
+ .../bin/tests/system/upforwd/tests.sh         |  9 +-
+ bind/bind-9.11.36/lib/dns/message.c           | 92 ++-----------------
+ 5 files changed, 32 insertions(+), 93 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/bin/named/client.c b/bind/bind-9.11.36/bin/named/client.c
+index 15fcfcd..95bf8e6 100644
+--- a/bind/bind-9.11.36/bin/named/client.c
++++ b/bind/bind-9.11.36/bin/named/client.c
+@@ -3012,6 +3012,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
+ 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ 			      "request is signed by a nonauthoritative key");
++	} else if (result == DNS_R_NOTVERIFIEDYET &&
++		   client->message->sig0 != NULL)
++	{
++		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
++			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
++			      "request has a SIG(0) signature but its support "
++			      "was removed (CVE-2024-1975)");
+ 	} else {
+ 		char tsigrcode[64];
+ 		isc_buffer_t b;
+diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+index ab3833d..0b231ee 100644
+--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/authsock.pl
+@@ -31,6 +31,10 @@ if (!defined($path)) {
+ 	exit(1);
+ }
+ 
++# Enable output autoflush so that it's not lost when the parent sends TERM.
++select STDOUT;
++$| = 1;
++
+ unlink($path);
+ my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+     die "unable to create socket $path";
+@@ -53,6 +57,7 @@ if ($timeout != 0) {
+ }
+ 
+ while (my $client = $server->accept()) {
++	printf("accept()\n");
+ 	$client->recv(my $buf, 8, 0);
+ 	my ($version, $req_len) = unpack('N N', $buf);
+ 
+diff --git a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+index 456ce61..fcd3b1f 100644
+--- a/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/tsiggss/tests.sh
+@@ -116,7 +116,7 @@ status=$((status+ret))
+ 
+ echo_i "testing external update policy (CNAME) with auth sock ($n)"
+ ret=0
+-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
+ sleep 1
+ test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
+ n=$((n+1))
+@@ -130,17 +130,19 @@ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
+-echo_i "testing external policy with SIG(0) key ($n)"
++echo_i "testing external policy with unsupported SIG(0) key ($n)"
+ ret=0
+-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
++$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
++debug
+ server 10.53.0.1 ${PORT}
+ zone example.nil
+ update add fred.example.nil 120 cname foo.bar.
+ send
+ END
+ output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+-[ -n "$output" ] || ret=1
+-[ $ret -eq 0 ] || echo_i "failed"
++# update must have failed - SIG(0) signer is not supported
++[ -n "$output" ] && ret=1
++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
+ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+diff --git a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+index 1cf8d3b..19563a1 100644
+--- a/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
++++ b/bind/bind-9.11.36/bin/tests/system/upforwd/tests.sh
+@@ -177,18 +177,21 @@ n=`expr $n + 1`
+ 
+ if test -f keyname
+ then
+-	echo_i "checking update forwarding to with sig0 ($n)"
++	echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
+ 	ret=0
+ 	keyname=`cat keyname`
+-	$NSUPDATE -k $keyname.private -- - <<EOF
++        # SIG(0) is removed, update is expected to fail.
++        {
++        $NSUPDATE -k $keyname.private -- - <<EOF
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+ 	update add unsigned.example2. 600 TXT Foo
+ 	send
+ EOF
++        } >nsupdate.out.$n 2>&1 && ret=1
+ 	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
+-	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
++	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
+ 	if [ $ret != 0 ] ; then echo_i "failed"; fi
+ 	status=`expr $status + $ret`
+ 	n=`expr $n + 1`
+diff --git a/bind/bind-9.11.36/lib/dns/message.c b/bind/bind-9.11.36/lib/dns/message.c
+index 2812ab5..0c71f79 100644
+--- a/bind/bind-9.11.36/lib/dns/message.c
++++ b/bind/bind-9.11.36/lib/dns/message.c
+@@ -3214,102 +3214,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+ 
+ isc_result_t
+ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+-	isc_buffer_t b, msgb;
++	isc_buffer_t msgb;
+ 
+ 	REQUIRE(DNS_MESSAGE_VALID(msg));
+ 
+-	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
++	if (msg->tsigkey == NULL && msg->tsig == NULL) {
+ 		return (ISC_R_SUCCESS);
++	}
+ 
+ 	INSIST(msg->saved.base != NULL);
+ 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ 	isc_buffer_add(&msgb, msg->saved.length);
+-	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ #ifdef SKAN_MSG_DEBUG
+-		dns_message_dumpsig(msg, "dns_message_checksig#1");
++	dns_message_dumpsig(msg, "dns_message_checksig#1");
+ #endif
+-		if (view != NULL)
+-			return (dns_view_checksig(view, &msgb, msg));
+-		else
+-			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
++	if (view != NULL) {
++		return (dns_view_checksig(view, &msgb, msg));
+ 	} else {
+-		dns_rdata_t rdata = DNS_RDATA_INIT;
+-		dns_rdata_sig_t sig;
+-		dns_rdataset_t keyset;
+-		isc_result_t result;
+-
+-		result = dns_rdataset_first(msg->sig0);
+-		INSIST(result == ISC_R_SUCCESS);
+-		dns_rdataset_current(msg->sig0, &rdata);
+-
+-		/*
+-		 * This can occur when the message is a dynamic update, since
+-		 * the rdata length checking is relaxed.  This should not
+-		 * happen in a well-formed message, since the SIG(0) is only
+-		 * looked for in the additional section, and the dynamic update
+-		 * meta-records are in the prerequisite and update sections.
+-		 */
+-		if (rdata.length == 0)
+-			return (ISC_R_UNEXPECTEDEND);
+-
+-		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+-		if (result != ISC_R_SUCCESS)
+-			return (result);
+-
+-		dns_rdataset_init(&keyset);
+-		if (view == NULL)
+-			return (DNS_R_KEYUNAUTHORIZED);
+-		result = dns_view_simplefind(view, &sig.signer,
+-					     dns_rdatatype_key /* SIG(0) */,
+-					     0, 0, false, &keyset, NULL);
+-
+-		if (result != ISC_R_SUCCESS) {
+-			/* XXXBEW Should possibly create a fetch here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		} else if (keyset.trust < dns_trust_secure) {
+-			/* XXXBEW Should call a validator here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		}
+-		result = dns_rdataset_first(&keyset);
+-		INSIST(result == ISC_R_SUCCESS);
+-		for (;
+-		     result == ISC_R_SUCCESS;
+-		     result = dns_rdataset_next(&keyset))
+-		{
+-			dst_key_t *key = NULL;
+-
+-			dns_rdata_reset(&rdata);
+-			dns_rdataset_current(&keyset, &rdata);
+-			isc_buffer_init(&b, rdata.data, rdata.length);
+-			isc_buffer_add(&b, rdata.length);
+-
+-			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
+-						 &b, view->mctx, &key);
+-			if (result != ISC_R_SUCCESS)
+-				continue;
+-			if (dst_key_alg(key) != sig.algorithm ||
+-			    dst_key_id(key) != sig.keyid ||
+-			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+-			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+-			{
+-				dst_key_free(&key);
+-				continue;
+-			}
+-			result = dns_dnssec_verifymessage(&msgb, msg, key);
+-			dst_key_free(&key);
+-			if (result == ISC_R_SUCCESS)
+-				break;
+-		}
+-		if (result == ISC_R_NOMORE)
+-			result = DNS_R_KEYUNAUTHORIZED;
+-
+- freesig:
+-		if (dns_rdataset_isassociated(&keyset))
+-			dns_rdataset_disassociate(&keyset);
+-		dns_rdata_freestruct(&sig);
+-		return (result);
++		return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ 	}
+ }
+ 
+-- 
+2.33.0
+

backport-optimize-the-slabheader-placement-for-certain-RRtype.patch

@@ -0,0 +1,98 @@
+From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 29 Jan 2024 16:36:30 +0100
+Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
+ 
+Mark the infrastructure RRTypes as "priority" types and place them at
+the beginning of the rdataslab header data graph.  The non-priority
+types either go right after the priority types (if any).
+ 
+(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
+ 
+---
+ bind/bind-9.11.36/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+ 
+diff --git a/bind/bind-9.11.36/lib/dns/rbtdb.c b/bind/bind-9.11.36/lib/dns/rbtdb.c
+index 3ee1876..3d76ca1 100644
+--- a/bind/bind-9.11.36/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.36/lib/dns/rbtdb.c
+@@ -1164,6 +1164,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+ 		isc_heap_decreased(heap, header->heap_index);
+ }
+ 
++static bool
++prio_type(rbtdb_rdatatype_t type) {
++	switch (type) {
++	case dns_rdatatype_soa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
++	case dns_rdatatype_a:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_aaaa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
++	case dns_rdatatype_nsec:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
++	case dns_rdatatype_nsec3:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
++	case dns_rdatatype_ns:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
++	case dns_rdatatype_ds:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
++	case dns_rdatatype_cname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++		return (true);
++	}
++	return (false);
++}
++
+ /*%
+  * These functions allow the heap code to rank the priority of each
+  * element.  It returns true if v1 happens "sooner" than v2.
+@@ -6176,6 +6200,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
++	rdatasetheader_t *prioheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6317,6 +6342,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		if (prio_type(topheader->type)) {
++			prioheader = topheader;
++		}
+ 		if (topheader->type == newheader->type ||
+ 		    topheader->type == negtype)
+ 			break;
+@@ -6672,9 +6700,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+-			newheader->next = rbtnode->data;
+ 			newheader->down = NULL;
+-			rbtnode->data = newheader;
++
++			if (prio_type(newheader->type)) {
++				/* This is a priority type, prepend it */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			} else if (prioheader != NULL) {
++				/* Append after the priority headers */
++				newheader->next = prioheader->next;
++				prioheader->next = newheader;
++			} else {
++				/* There were no priority headers */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+ 

bugfix-cancel-rebind6-timer-after-ipv6-expire.patch

@@ -0,0 +1,54 @@
+From 6fced85ebcd9563ceb78675d0f4ff3e3d0eea90b Mon Sep 17 00:00:00 2001
+From: huyizhen <huyizhen2@huawei.com>
+Date: Thu, 24 Oct 2024 21:36:06 +0800
+Subject: huawei-cancel-rebind6-timer-after-ipv6-expire
+
+Solve below question:
+Oct 23 16:38:04 localhost dhclient[141133]: PRC: Address 6636::3c depreferred.
+Oct 23 16:38:04 localhost dhclient[141133]: XMT: Rebind on enp4s0, interval 00ms.
+Oct 23 16:38:04 localhost dhclient[141133]: Impossible condition at dhc6.c:279.
+Oct 23 16:38:04 localhost dhclient[141133]:
+Oct 23 16:38:04 localhost dhclient[141133]: If you think you have received this message due to a bug rather
+Oct 23 16:38:04 localhost dhclient[141133]: than a configuration issue please read the section on submitting
+Oct 23 16:38:04 localhost dhclient[141133]: bugs on either our web page at www.isc.org or in the README file
+Oct 23 16:38:04 localhost dhclient[141133]: before submitting a bug. These pages explain the proper
+Oct 23 16:38:04 localhost dhclient[141133]: process and the information we find helpful for debugging.
+Oct 23 16:38:04 localhost dhclient[141133]:
+Oct 23 16:38:04 localhost dhclient[141133]: exiting.
+
+The reason is:
+1. After the REBIND message is retransmitted for the second time, the REBIND timer checks whether the REBIND message
+is received 5 seconds later and sets the RT field to 0. (Because the 5s timer expires when the timer expires, no next
+retransmission will occur.)
+2. After 5s, the DEPREFER timer is triggered first. The DEPREFER timer considers that the REBIND timer expires and set
+MRD field to 0, but the previously set REBIND timer is not canceled.
+3. The REBIND timer is triggered immediately. Because the MRD is set to 0, the retransmission timer considers that the
+maximum retransmission duration is not limited and attempts to continue the retransmission.
+4. During the retransmission process, the RT value is 0 (retransmission is performed after 0s), and the process exits.
+As a result, the DHCP6 function becomes abnormal.
+
+Solution:
+Cencle REBIND timer when DEPREFER timer considers that the REBIND timer expires.
+
+---
+ client/dhc6.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/client/dhc6.c b/client/dhc6.c
+index 88fd07d..2dbea60 100644
+--- a/client/dhc6.c
++++ b/client/dhc6.c
+@@ -4656,6 +4656,10 @@ dhc6_check_times(struct client_state *client)
+ 		 * depreffed an address.
+ 		 */
+ 		client->MRD = hi_expire - cur_time;
++		/* Rebind expired, cancel rebind(do_refresh6) timer. */
++		if (client->MRD == 0) {
++			cancel_timeout(do_refresh6, client);
++		}
+ 		break;
+ 
+ 	      default:
+-- 
+2.33.0
+

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.3
-Release:   6
+Release:   10
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -61,6 +61,16 @@ Patch42: backport-CVE-2022-2795.patch
 Patch43: backport-CVE-2022-38177.patch
 Patch44: backport-CVE-2022-38178.patch
 Patch45: IAID-is-output-has-hexe-if-it-contains-or.patch
+Patch46: support-for-building-with-clang.patch
+Patch47: bugfix-cancel-rebind6-timer-after-ipv6-expire.patch
+Patch48: backport-CVE-2024-1975.patch
+Patch49: backport-optimize-the-slabheader-placement-for-certain-RRtype.patch
+Patch50: backport-0001-CVE-2024-1737.patch
+Patch51: backport-0002-CVE-2024-1737.patch
+Patch52: backport-0003-CVE-2024-1737.patch
+Patch53: backport-0004-CVE-2024-1737.patch
+Patch54: backport-0028-CVE-2023-3341.patch
+Patch55: backport-0029-CVE-2024-11187.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -309,6 +319,30 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Thu Mar 20 2025 zhangpan <zhangpan103@h-partners.com> - 12:4.4.3-10
+- Type:CVE
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2023-3341 CVE-2024-11187
+
+* Mon Nov 11 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-9
+- Type:CVE
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2024-1975,CVE-2024-1737
+
+* Tue Nov 05 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.3-8
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:cancel rebind6 timer after ipv6 expire
+
+* Wed Mar 20 2024 cf-zhao <zhaochuanfeng@huawei.com> - 12:4.4.3-7
+- Type:enhancement
+- ID:NA
+- SUG:build with clang
+- DESC:Support for building with clang
+
 * Sat Jan 20 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-6
 - Type:bugfix
 - ID:

support-for-building-with-clang.patch

@@ -0,0 +1,29 @@
+From eb6f6bd959c2f496e4db1a90ea0629bbf9b12185 Mon Sep 17 00:00:00 2001
+From: cf-zhao <zhaochuanfeng@huawei.com>
+Date: Thu, 21 Mar 2024 13:04:26 +0800
+Subject: [PATCH] Support for building with clang
+
+---
+ client/dhclient.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/client/dhclient.c b/client/dhclient.c
+index 3e31dbf..a1f8849 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -48,7 +48,12 @@
+ /*
+  * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define
+  * that when building ISC code.
++ * When build with clang, there is also a macro defined in stdio2.h,
++ * undefine it so that we still use the prototype in stdio.h.
+  */
++#ifdef asprintf
++#undef asprintf
++#endif
+ extern int asprintf(char **strp, const char *fmt, ...);
+ 
+ TIME default_lease_time = 43200; /* 12 hours... */
+-- 
+2.33.0
+