6 files changed, 480 insertions, 2 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
new file mode 100644
index 0000000000..940c6776d3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+        bool need_alternate = false;
+        bool all_spilled = true;
+        unsigned int no_addresses = 0;
+       unsigned int ns_processed = 0;
+ 
+        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+                dns_rdata_reset(&rdata);
+                dns_rdata_freestruct(&ns);
+
+               if (++ns_processed >= NS_PROCESSING_LIMIT) {
+                       result = ISC_R_NOMORE;
+                       break;
+               }
+        }
+        if (result != ISC_R_NOMORE) {
+                return (result);
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
new file mode 100644
index 0000000000..0ef87fd260
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ECDSA384SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
+               DST_RET(DST_R_VERIFYFAILURE);
+ 
+        if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+                DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
new file mode 100644
index 0000000000..e0b398e24a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+                siglen = DNS_SIG_ED448SIZE;
+ 
+        if (sig->length != siglen)
+-               return (DST_R_VERIFYFAILURE);
+               DST_RET(ISC_R_NOTIMPLEMENTED);
+ 
+        isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 0000000000..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+                          bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-                         isc_stdtime_t now, bool tree_locked);
+                         size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+                                  rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+ 
+ static dns_dbmethods_t zone_methods;
+ 
+static size_t
+rdataset_size(rdatasetheader_t *header) {
+       if (!NONEXISTENT(header)) {
+               return (dns_rdataslab_size((unsigned char *)header,
+                                          sizeof(*header)));
+       }
+
+       return (sizeof(*header));
+}
+
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+            isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+        }
+ 
+        if (cache_is_overmem)
+-               overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+               overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
+                             tree_locked);
+ 
+        NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+                  isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+                        cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+ 
+                header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-               if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_ttl);
+               if (header != NULL) {
+                       dns_ttl_t rdh_ttl = header->rdh_ttl;
+
+                       if (rdh_ttl < now - RBTDB_VIRTUAL) {
+                               expire_header(rbtdb, header, tree_locked,
+                                             expire_ttl);
+                       }
+               }
+ 
+                /*
+                 * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+        ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+ 
+static size_t
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+                  bool tree_locked) {
+       rdatasetheader_t *header, *header_prev;
+       size_t purged = 0;
+
+       for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+            header != NULL && purged <= purgesize; header = header_prev)
+       {
+               header_prev = ISC_LIST_PREV(header, link);
+               /*
+                * Unlink the entry at this point to avoid checking it
+                * again even if it's currently used someone else and
+                * cannot be purged at this moment.  This entry won't be
+                * referenced any more (so unlinking is safe) since the
+                * TTL was reset to 0.
+                */
+               ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+               size_t header_size = rdataset_size(header);
+               expire_header(rbtdb, header, tree_locked, expire_lru);
+               purged += header_size;
+       }
+
+       return (purged);
+}
+
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition.  To recover from this condition quickly, up to
+- * 2 entries will be purged.  This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong.  Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
+ * entries under the overmem condition.  To recover from this condition quickly,
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
+ *
+ * This process is triggered while adding a new entry, and we specifically avoid
+ * purging entries in the same LRU bucket as the one to which the new entry will
+ * belong.  Otherwise, we might purge entries of the same name of different RR
+ * types while adding RRsets from a single response (consider the case where
+ * we're adding A and AAAA glue records of the same NS name).
+*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-             isc_stdtime_t now, bool tree_locked)
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
+             bool tree_locked)
+ {
+-       rdatasetheader_t *header, *header_prev;
+        unsigned int locknum;
+-       int purgecount = 2;
+       size_t purged = 0;
+ 
+        for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+-            locknum != locknum_start && purgecount > 0;
+            locknum != locknum_start && purged <= purgesize;
+             locknum = (locknum + 1) % rbtdb->node_lock_count) {
+                NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+                          isc_rwlocktype_write);
+ 
+-               header = isc_heap_element(rbtdb->heaps[locknum], 1);
+-               if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_ttl);
+-                       purgecount--;
+-               }
+-
+-               for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+-                    header != NULL && purgecount > 0;
+-                    header = header_prev) {
+-                       header_prev = ISC_LIST_PREV(header, link);
+-                       /*
+-                        * Unlink the entry at this point to avoid checking it
+-                        * again even if it's currently used someone else and
+-                        * cannot be purged at this moment.  This entry won't be
+-                        * referenced any more (so unlinking is safe) since the
+-                        * TTL was reset to 0.
+-                        */
+-                       ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+-                                       link);
+-                       expire_header(rbtdb, header, tree_locked,
+-                                     expire_lru);
+-                       purgecount--;
+-               }
+               purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
+                                            tree_locked);
+ 
+                NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+                                    isc_rwlocktype_write);
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
new file mode 100644
index 0000000000..be479cb00e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+Taken from BIND 9.16.44 change.
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/isccc/cc.c                   | 38 +++++++++++++++++++++++---------
+ lib/isccc/include/isccc/result.h |  4 +++-
+ lib/isccc/result.c               |  4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+ 
+ #define MAX_TAGS               256
+ #define DUP_LIFETIME           900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+       10 /* Big enough for rndc which just sends a string each way. */
+#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp);
+              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+             isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+              isccc_sexpr_t **valuep) {
+        unsigned int msgtype;
+        uint32_t len;
+        isccc_sexpr_t *value;
+        isccc_region_t active;
+        isc_result_t result;
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        if (REGION_SIZE(*source) < 1 + 4)
+                return (ISC_R_UNEXPECTEDEND);
+        GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+                } else
+                        result = ISC_R_NOMEMORY;
+        } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+-               result = table_fromwire(&active, NULL, 0, valuep);
+               result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+        else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+-               result = list_fromwire(&active, valuep);
+               result = list_fromwire(&active, depth + 1, valuep);
+        else
+                result = ISCCC_R_SYNTAX;
+ 
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+-              uint32_t algorithm, isccc_sexpr_t **alistp)
+              uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+        char key[256];
+        uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ 
+        REQUIRE(alistp != NULL && *alistp == NULL);
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        checksum_rstart = NULL;
+        first_tag = true;
+        alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+                GET_MEM(key, len, source->rstart);
+                key[len] = '\0';        /* Ensure NUL termination. */
+                value = NULL;
+-               result = value_fromwire(source, &value);
+               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS)
+                        goto bad;
+                if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+        isccc_sexpr_t *list, *value;
+        isc_result_t result;
+ 
+       if (depth > ISCCC_MAXDEPTH) {
+               return (ISCCC_R_MAXDEPTH);
+       }
+
+        list = NULL;
+        while (!REGION_EMPTY(*source)) {
+                value = NULL;
+-               result = value_fromwire(source, &value);
+               result = value_fromwire(source, depth + 1, &value);
+                if (result != ISC_R_SUCCESS) {
+                        isccc_sexpr_free(&list);
+                        return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+        if (version != 1)
+                return (ISCCC_R_UNKNOWNVERSION);
+ 
+-       return (table_fromwire(source, secret, algorithm, alistp));
+       return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+ 
+ static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW              (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE              (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH               (ISC_RESULTCLASS_ISCCC + 6)
+ 
+-#define ISCCC_R_NRESULTS               6       /*%< Number of results */
+#define ISCCC_R_NRESULTS               7       /*%< Number of results */
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+        "bad auth",                             /* 3 */
+        "expired",                              /* 4 */
+        "clock skew",                           /* 5 */
+-       "duplicate"                             /* 6 */
+       "duplicate",                            /* 6 */
+       "max depth",                            /* 7 */
+ };
+ 
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+        "ISCCC_R_EXPIRED",
+        "ISCCC_R_CLOCKSKEW",
+        "ISCCC_R_DUPLICATE",
+       "ISCCC_R_MAXDEPTH",
+ };
+ 
+ #define ISCCC_RESULT_RESULTSET                 2
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb
index 3b4a299b36..95bb5be005 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
 SUMMARY = "ISC Internet Domain Name Server"
 HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
 DEPENDS = "openssl libcap zlib"
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2022-2795.patch \
+           file://CVE-2022-38177.patch \
+           file://CVE-2022-38178.patch \
+           file://CVE-2023-2828.patch \
+           file://CVE-2023-3341.patch \
           "
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 0000000000..940c6776d3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
		1	From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
		3	Date: Thu, 8 Sep 2022 11:11:30 +0200
		4	Subject: [PATCH 1/3] Bound the amount of work performed for delegations
		5
		6	Limit the amount of database lookups that can be triggered in
		7	fctx_getaddresses() (i.e. when determining the name server addresses to
		8	query next) by setting a hard limit on the number of NS RRs processed
		9	for any delegation encountered. Without any limit in place, named can
		10	be forced to perform large amounts of database lookups per each query
		11	received, which severely impacts resolver performance.
		12
		13	The limit used (20) is an arbitrary value that is considered to be big
		14	enough for any sane DNS delegation.
		15
		16	(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2022-2795
		20	Reference to upstream patch:
		21	https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
		22
		23	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		24	---
		25	lib/dns/resolver.c \| 12 ++++++++++++
		26	1 file changed, 12 insertions(+)
		27
		28	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		29	index 8ae9a993bbd7..ac9a9ef5d009 100644
		30	--- a/lib/dns/resolver.c
		31	+++ b/lib/dns/resolver.c
		32	@@ -180,6 +180,12 @@
		33	*/
		34	#define NS_FAIL_LIMIT 4
		35	#define NS_RR_LIMIT 5
		36	+/*
		37	+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
		38	+ * any NS RRset encountered, to avoid excessive resource use while processing
		39	+ * large delegations.
		40	+ */
		41	+#define NS_PROCESSING_LIMIT 20
		42
		43	/* Number of hash buckets for zone counters */
		44	#ifndef RES_DOMAIN_BUCKETS
		45	@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		46	bool need_alternate = false;
		47	bool all_spilled = true;
		48	unsigned int no_addresses = 0;
		49	+ unsigned int ns_processed = 0;
		50
		51	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
		52
		53	@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
		54
		55	dns_rdata_reset(&rdata);
		56	dns_rdata_freestruct(&ns);
		57	+
		58	+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
		59	+ result = ISC_R_NOMORE;
		60	+ break;
		61	+ }
		62	}
		63	if (result != ISC_R_NOMORE) {
		64	return (result);
		65	--
		66	2.34.1
		67


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch new file mode 100644 index 0000000000..0ef87fd260 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
		1	From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Thu, 11 Aug 2022 15:15:34 +1000
		4	Subject: [PATCH 2/3] Free eckey on siglen mismatch
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2022-38177
		8	Reference to upstream patch:
		9	https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
		10
		11	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		12	---
		13	lib/dns/opensslecdsa_link.c \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
		17	index 83b5b51cd78c..7576e04ac635 100644
		18	--- a/lib/dns/opensslecdsa_link.c
		19	+++ b/lib/dns/opensslecdsa_link.c
		20	@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t dctx, const isc_region_t sig) {
		21	siglen = DNS_SIG_ECDSA384SIZE;
		22
		23	if (sig->length != siglen)
		24	- return (DST_R_VERIFYFAILURE);
		25	+ DST_RET(DST_R_VERIFYFAILURE);
		26
		27	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
		28	DST_RET (dst__openssl_toresult3(dctx->category,
		29	--
		30	2.34.1
		31


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch new file mode 100644 index 0000000000..e0b398e24a --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
		1	From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Thu, 11 Aug 2022 15:28:13 +1000
		4	Subject: [PATCH 3/3] Free ctx on invalid siglen
		5
		6	(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
		7
		8	Upstream-Status: Backport
		9	CVE: CVE-2022-38178
		10	Reference to upstream patch:
		11	https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
		12
		13	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
		14	---
		15	lib/dns/openssleddsa_link.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
		19	index 8b115ec283f0..b4fcd607c131 100644
		20	--- a/lib/dns/openssleddsa_link.c
		21	+++ b/lib/dns/openssleddsa_link.c
		22	@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t dctx, const isc_region_t sig) {
		23	siglen = DNS_SIG_ED448SIZE;
		24
		25	if (sig->length != siglen)
		26	- return (DST_R_VERIFYFAILURE);
		27	+ DST_RET(ISC_R_NOTIMPLEMENTED);
		28
		29	isc_buffer_usedregion(buf, &tbsreg);
		30
		31	--
		32	2.34.1
		33


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch new file mode 100644 index 0000000000..6f6c104530 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
		1
		2	Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
		3	Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
		4	Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
		5	CVE: CVE-2023-2828
		6	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		7
		8	---
		9	lib/dns/rbtdb.c \| 106 +++++++++++++++++++++++++++++++++-----------------------
		10	1 file changed, 63 insertions(+), 43 deletions(-)
		11
		12	diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
		13	index b1b928c..3165e26 100644
		14	--- a/lib/dns/rbtdb.c
		15	+++ b/lib/dns/rbtdb.c
		16	@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t rbtdb, rdatasetheader_t header,
		17	static void expire_header(dns_rbtdb_t rbtdb, rdatasetheader_t header,
		18	bool tree_locked, expire_t reason);
		19	static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
		20	- isc_stdtime_t now, bool tree_locked);
		21	+ size_t purgesize, bool tree_locked);
		22	static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
		23	rdatasetheader_t *newheader);
		24	static void resign_delete(dns_rbtdb_t rbtdb, rbtdb_version_t version,
		25	@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t rbtdb, rdatasetheader_t newheader,
		26
		27	static dns_dbmethods_t zone_methods;
		28
		29	+static size_t
		30	+rdataset_size(rdatasetheader_t *header) {
		31	+ if (!NONEXISTENT(header)) {
		32	+ return (dns_rdataslab_size((unsigned char *)header,
		33	+ sizeof(*header)));
		34	+ }
		35	+
		36	+ return (sizeof(*header));
		37	+}
		38	+
		39	static isc_result_t
		40	addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
		41	isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
		42	@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
		43	}
		44
		45	if (cache_is_overmem)
		46	- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
		47	+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
		48	+ tree_locked);
		49
		50	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
		51	isc_rwlocktype_write);
		52	@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
		53	cleanup_dead_nodes(rbtdb, rbtnode->locknum);
		54
		55	header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
		56	- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
		57	- expire_header(rbtdb, header, tree_locked,
		58	- expire_ttl);
		59	+ if (header != NULL) {
		60	+ dns_ttl_t rdh_ttl = header->rdh_ttl;
		61	+
		62	+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
		63	+ expire_header(rbtdb, header, tree_locked,
		64	+ expire_ttl);
		65	+ }
		66	+ }
		67
		68	/*
		69	* If we've been holding a write lock on the tree just for
		70	@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t rbtdb, rdatasetheader_t header,
		71	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
		72	}
		73
		74	+static size_t
		75	+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
		76	+ bool tree_locked) {
		77	+ rdatasetheader_t header, header_prev;
		78	+ size_t purged = 0;
		79	+
		80	+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
		81	+ header != NULL && purged <= purgesize; header = header_prev)
		82	+ {
		83	+ header_prev = ISC_LIST_PREV(header, link);
		84	+ /*
		85	+ * Unlink the entry at this point to avoid checking it
		86	+ * again even if it's currently used someone else and
		87	+ * cannot be purged at this moment. This entry won't be
		88	+ * referenced any more (so unlinking is safe) since the
		89	+ * TTL was reset to 0.
		90	+ */
		91	+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
		92	+ size_t header_size = rdataset_size(header);
		93	+ expire_header(rbtdb, header, tree_locked, expire_lru);
		94	+ purged += header_size;
		95	+ }
		96	+
		97	+ return (purged);
		98	+}
		99	+
		100	/*%
		101	- * Purge some expired and/or stale (i.e. unused for some period) cache entries
		102	- * under an overmem condition. To recover from this condition quickly, up to
		103	- * 2 entries will be purged. This process is triggered while adding a new
		104	- * entry, and we specifically avoid purging entries in the same LRU bucket as
		105	- * the one to which the new entry will belong. Otherwise, we might purge
		106	- * entries of the same name of different RR types while adding RRsets from a
		107	- * single response (consider the case where we're adding A and AAAA glue records
		108	- * of the same NS name).
		109	- */
		110	+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
		111	+ * entries under the overmem condition. To recover from this condition quickly,
		112	+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
		113	+ *
		114	+ * This process is triggered while adding a new entry, and we specifically avoid
		115	+ * purging entries in the same LRU bucket as the one to which the new entry will
		116	+ * belong. Otherwise, we might purge entries of the same name of different RR
		117	+ * types while adding RRsets from a single response (consider the case where
		118	+ * we're adding A and AAAA glue records of the same NS name).
		119	+*/
		120	static void
		121	-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
		122	- isc_stdtime_t now, bool tree_locked)
		123	+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
		124	+ bool tree_locked)
		125	{
		126	- rdatasetheader_t header, header_prev;
		127	unsigned int locknum;
		128	- int purgecount = 2;
		129	+ size_t purged = 0;
		130
		131	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
		132	- locknum != locknum_start && purgecount > 0;
		133	+ locknum != locknum_start && purged <= purgesize;
		134	locknum = (locknum + 1) % rbtdb->node_lock_count) {
		135	NODE_LOCK(&rbtdb->node_locks[locknum].lock,
		136	isc_rwlocktype_write);
		137
		138	- header = isc_heap_element(rbtdb->heaps[locknum], 1);
		139	- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
		140	- expire_header(rbtdb, header, tree_locked,
		141	- expire_ttl);
		142	- purgecount--;
		143	- }
		144	-
		145	- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
		146	- header != NULL && purgecount > 0;
		147	- header = header_prev) {
		148	- header_prev = ISC_LIST_PREV(header, link);
		149	- /*
		150	- * Unlink the entry at this point to avoid checking it
		151	- * again even if it's currently used someone else and
		152	- * cannot be purged at this moment. This entry won't be
		153	- * referenced any more (so unlinking is safe) since the
		154	- * TTL was reset to 0.
		155	- */
		156	- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
		157	- link);
		158	- expire_header(rbtdb, header, tree_locked,
		159	- expire_lru);
		160	- purgecount--;
		161	- }
		162	+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
		163	+ tree_locked);
		164
		165	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
		166	isc_rwlocktype_write);


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch new file mode 100644 index 0000000000..be479cb00e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
		1	From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Tue, 20 Jun 2023 15:21:36 +1000
		4	Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
		5
		6	Named and rndc do not need a lot of recursion so the depth is
		7	set to 10.
		8
		9	Taken from BIND 9.16.44 change.
		10
		11	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
		12	CVE: CVE-2023-3341
		13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		14	---
		15	lib/isccc/cc.c \| 38 +++++++++++++++++++++++---------
		16	lib/isccc/include/isccc/result.h \| 4 +++-
		17	lib/isccc/result.c \| 4 +++-
		18	3 files changed, 34 insertions(+), 12 deletions(-)
		19
		20	diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
		21	index e012685..8eac3d6 100644
		22	--- a/lib/isccc/cc.c
		23	+++ b/lib/isccc/cc.c
		24	@@ -53,6 +53,10 @@
		25
		26	#define MAX_TAGS 256
		27	#define DUP_LIFETIME 900
		28	+#ifndef ISCCC_MAXDEPTH
		29	+#define ISCCC_MAXDEPTH \
		30	+ 10 /* Big enough for rndc which just sends a string each way. */
		31	+#endif
		32
		33	typedef isccc_sexpr_t *sexpr_ptr;
		34
		35	@@ -561,19 +565,25 @@ verify(isccc_sexpr_t alist, unsigned char data, unsigned int length,
		36
		37	static isc_result_t
		38	table_fromwire(isccc_region_t source, isccc_region_t secret,
		39	- uint32_t algorithm, isccc_sexpr_t **alistp);
		40	+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
		41
		42	static isc_result_t
		43	-list_fromwire(isccc_region_t source, isccc_sexpr_t *listp);
		44	+list_fromwire(isccc_region_t *source, unsigned int depth,
		45	+ isccc_sexpr_t **listp);
		46
		47	static isc_result_t
		48	-value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
		49	+value_fromwire(isccc_region_t *source, unsigned int depth,
		50	+ isccc_sexpr_t **valuep) {
		51	unsigned int msgtype;
		52	uint32_t len;
		53	isccc_sexpr_t *value;
		54	isccc_region_t active;
		55	isc_result_t result;
		56
		57	+ if (depth > ISCCC_MAXDEPTH) {
		58	+ return (ISCCC_R_MAXDEPTH);
		59	+ }
		60	+
		61	if (REGION_SIZE(*source) < 1 + 4)
		62	return (ISC_R_UNEXPECTEDEND);
		63	GET8(msgtype, source->rstart);
		64	@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
		65	} else
		66	result = ISC_R_NOMEMORY;
		67	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
		68	- result = table_fromwire(&active, NULL, 0, valuep);
		69	+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
		70	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
		71	- result = list_fromwire(&active, valuep);
		72	+ result = list_fromwire(&active, depth + 1, valuep);
		73	else
		74	result = ISCCC_R_SYNTAX;
		75
		76	@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t source, isccc_sexpr_t *valuep) {
		77
		78	static isc_result_t
		79	table_fromwire(isccc_region_t source, isccc_region_t secret,
		80	- uint32_t algorithm, isccc_sexpr_t **alistp)
		81	+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
		82	{
		83	char key[256];
		84	uint32_t len;
		85	@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
		86
		87	REQUIRE(alistp != NULL && *alistp == NULL);
		88
		89	+ if (depth > ISCCC_MAXDEPTH) {
		90	+ return (ISCCC_R_MAXDEPTH);
		91	+ }
		92	+
		93	checksum_rstart = NULL;
		94	first_tag = true;
		95	alist = isccc_alist_create();
		96	@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
		97	GET_MEM(key, len, source->rstart);
		98	key[len] = '\0'; /* Ensure NUL termination. */
		99	value = NULL;
		100	- result = value_fromwire(source, &value);
		101	+ result = value_fromwire(source, depth + 1, &value);
		102	if (result != ISC_R_SUCCESS)
		103	goto bad;
		104	if (isccc_alist_define(alist, key, value) == NULL) {
		105	@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t source, isccc_region_t secret,
		106	}
		107
		108	static isc_result_t
		109	-list_fromwire(isccc_region_t source, isccc_sexpr_t *listp) {
		110	+list_fromwire(isccc_region_t source, unsigned int depth, isccc_sexpr_t *listp) {
		111	isccc_sexpr_t list, value;
		112	isc_result_t result;
		113
		114	+ if (depth > ISCCC_MAXDEPTH) {
		115	+ return (ISCCC_R_MAXDEPTH);
		116	+ }
		117	+
		118	list = NULL;
		119	while (!REGION_EMPTY(*source)) {
		120	value = NULL;
		121	- result = value_fromwire(source, &value);
		122	+ result = value_fromwire(source, depth + 1, &value);
		123	if (result != ISC_R_SUCCESS) {
		124	isccc_sexpr_free(&list);
		125	return (result);
		126	@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t source, isccc_sexpr_t *alistp,
		127	if (version != 1)
		128	return (ISCCC_R_UNKNOWNVERSION);
		129
		130	- return (table_fromwire(source, secret, algorithm, alistp));
		131	+ return (table_fromwire(source, secret, algorithm, 0, alistp));
		132	}
		133
		134	static isc_result_t
		135	diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
		136	index 6c79dd7..a85861c 100644
		137	--- a/lib/isccc/include/isccc/result.h
		138	+++ b/lib/isccc/include/isccc/result.h
		139	@@ -47,8 +47,10 @@
		140	#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
		141	/% Duplicate /
		142	#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
		143	+/% Maximum recursion depth /
		144	+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
		145
		146	-#define ISCCC_R_NRESULTS 6 /%< Number of results /
		147	+#define ISCCC_R_NRESULTS 7 /%< Number of results /
		148
		149	ISC_LANG_BEGINDECLS
		150
		151	diff --git a/lib/isccc/result.c b/lib/isccc/result.c
		152	index 8419bbb..325200b 100644
		153	--- a/lib/isccc/result.c
		154	+++ b/lib/isccc/result.c
		155	@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
		156	"bad auth", /* 3 */
		157	"expired", /* 4 */
		158	"clock skew", /* 5 */
		159	- "duplicate" /* 6 */
		160	+ "duplicate", /* 6 */
		161	+ "max depth", /* 7 */
		162	};
		163
		164	static const char *ids[ISCCC_R_NRESULTS] = {
		165	@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
		166	"ISCCC_R_EXPIRED",
		167	"ISCCC_R_CLOCKSKEW",
		168	"ISCCC_R_DUPLICATE",
		169	+ "ISCCC_R_MAXDEPTH",
		170	};
		171
		172	#define ISCCC_RESULT_RESULTSET 2
		173	--
		174	2.25.1
		175


diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index 3b4a299b36..95bb5be005 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.22.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
1	SUMMARY = "ISC Internet Domain Name Server"	1	SUMMARY = "ISC Internet Domain Name Server"
2	HOMEPAGE = "https://www.isc.org/bind/"	2	HOMEPAGE = "https://www.isc.org/bind/"
		3	DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
3	SECTION = "console/network"	4	SECTION = "console/network"
4		5
5	LICENSE = "ISC & BSD"	6	LICENSE = "ISC & BSD"
6	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"	7	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
7		8
8	DEPENDS = "openssl libcap zlib"	9	DEPENDS = "openssl libcap zlib"
9		10
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
18	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \	19	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	20	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
20	file://0001-avoid-start-failure-with-bind-user.patch \	21	file://0001-avoid-start-failure-with-bind-user.patch \
		22	file://CVE-2022-2795.patch \
		23	file://CVE-2022-38177.patch \
		24	file://CVE-2022-38178.patch \
		25	file://CVE-2023-2828.patch \
		26	file://CVE-2023-3341.patch \
21	"	27	"
22		28
23	SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"	29	SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
24		30
25	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"	31	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
26	# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4	32	# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4