diff --git a/backport-fix-build-failure-for-bind-dyndb-ldap.patch b/backport-fix-build-failure-for-bind-dyndb-ldap.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d14ac71084cc6401f4c538d22d864275ed3bb5ab
--- /dev/null
+++ b/backport-fix-build-failure-for-bind-dyndb-ldap.patch
@@ -0,0 +1,78 @@
+commit 0ae8ee3b9c6e7d60eaacd957929aec7a508fb777
+Author: Nicki Křížek
+Date: Mon Jan 20 16:17:08 2025 +0000
+
+ [9.16] [CVE-2024-11187] sec: usr: Limit the additional processing for large RDATA sets
+
+ When answering queries, don't add data to the additional section if the answer has more than 13 names in the RDATA. This limits the number of lookups into the database(s) during a single client query, reducing query processing load.
+
+ Backport of MR !750
+
+ See isc-projects/bind9#5034
+
+ Merge branch '5034-security-limit-additional-9.16' into 'bind-9.16-release'
+
+ See merge request isc-private/bind9!760
+
+Conflict: supplement CVE-2024-11187
+Reference: https://build.opensuse.org/projects/SUSE:SLE-15-SP4:Update/packages/bind.37309/files/bind-9.16-CVE-2024-11187.patch?expand=1
+---
+ lib/dns/rdataset.c | 1 +
+ lib/isc/include/isc/result.h | 3 +--
+ lib/isc/result.c | 6 ++----
+ 3 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 19a0051..57e3c75 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static const char *trustnames[] = {
+ "none", "pending-additional",
+diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
+index 2b14d66..21071c7 100644
+--- a/lib/isc/include/isc/result.h
++++ b/lib/isc/include/isc/result.h
+@@ -90,10 +90,9 @@
+ #define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
+ #define ISC_R_TLSERROR 70 /*%< TLS error */
+ #define ISC_R_HTTP2ALPNERROR 71 /*%< ALPN for HTTP/2 failed */
+-#define DNS_R_TOOMANYRECORDS 72 /*%< too many records */
+
+ /*% Not a result code: the number of results. */
+-#define ISC_R_NRESULTS 73
++#define ISC_R_NRESULTS 72
+
+ ISC_LANG_BEGINDECLS
+
+diff --git a/lib/isc/result.c b/lib/isc/result.c
+index a038b6e..72e7a3c 100644
+--- a/lib/isc/result.c
++++ b/lib/isc/result.c
+@@ -102,8 +102,7 @@ static const char *description[ISC_R_NRESULTS] = {
+ "default", /*%< 68 */
+ "IPv4 prefix", /*%< 69 */
+ "TLS error", /*%< 70 */
+- "ALPN for HTTP/2 failed", /*%< 71 */
+- "too many records" /*%< 72 */
++ "ALPN for HTTP/2 failed" /*%< 71 */
+ };
+
+ static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_SUCCESS",
+@@ -177,8 +176,7 @@ static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_SUCCESS",
+ "ISC_R_DEFAULT",
+ "ISC_R_IPV4PREFIX",
+ "ISC_R_TLSERROR",
+- "ISC_R_HTTP2ALPNERROR",
+- "DNS_R_TOOMANYRECODES" };
++ "ISC_R_HTTP2ALPNERROR" };
+
+ #define ISC_RESULT_RESULTSET 2
+ #define ISC_RESULT_UNAVAILABLESET 3
+--
+2.33.0
diff --git a/bind.spec b/bind.spec
index ec4810aad4c1b59170ce1decd0fe7692aa35d350..01cf819221110d4dd1c17ab73ff48dee6db16b15 100644
--- a/bind.spec
+++ b/bind.spec
@@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 25
+Release: 26
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -252,6 +252,7 @@ Patch6168:backport-CVE-2024-1737-records-test.patch
 Patch6169:backport-CVE-2024-1737-types.patch
 Patch6170:backport-CVE-2024-1737-types-test.patch
 Patch6171:backport-CVE-2024-1737-records-test2.patch
+Patch6172:backport-fix-build-failure-for-bind-dyndb-ldap.patch
 Patch9000:bugfix-limit-numbers-of-test-threads.patch
@@ -1261,6 +1262,12 @@ fi;
 %endif
 %changelog
+* Tue May 20 2025 xinghe - 32:9.16.23-26
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix build failure for bind-dyndb-ldap
+
 * Wed Apr 23 2025 chengyechun - 32:9.16.23-25
 - Type:CVE
 - CVE:CVE-2024-1737
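Review bot: In the new patch file, the lib/isc/include/isc/result.h hunk deletes `DNS_R_TOOMANYRECORDS` and the lib/dns/rdataset.c hunk only adds one include, so nothing visible here shows where the constant is defined afterwards, although earlier backports in this package presumably still return it. Please confirm that the newly included header defines it and that the DNS-side result text and identifier tables, and their count, carry a matching entry; otherwise the code is either undefined at build time or has no printable name. Separately, the patch header is the upstream CVE-2024-11187 commit message about limiting additional-section processing, which is not what these three hunks do, while the spec changelog records `CVE:NA`. A subject such as `Remove DNS_R_TOOMANYRECORDS from the ISC result table; restore ISC_R_NRESULTS to 72` would keep CVE tracking for this package accurate.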