12 files changed, 3 insertions, 299 deletions
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
deleted file mode 100644
index ef2d64b16c..0000000000
--- a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From e9d5219fca9f6b819d953990b369d6acfb4e952b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
-Date: Tue, 30 May 2023 08:46:17 +0200
-Subject: [PATCH] Improve RBT overmem cache cleaning
-When cache memory usage is over the configured cache size (overmem) and
-we are cleaning unused entries, it might not be enough to clean just two
-entries if the entries to be expired are smaller than the newly added
-rdata.  This could be abused by an attacker to cause a remote Denial of
-Service by possibly running out of the operating system memory.
-Currently, the addrdataset() tries to do a single TTL-based cleaning
-considering the serve-stale TTL and then optionally moves to overmem
-cleaning if we are in that condition.  Then the overmem_purge() tries to
-do another single TTL based cleaning from the TTL heap and then continue
-with LRU-based cleaning up to 2 entries cleaned.
-Squash the TTL-cleaning mechanism into single call from addrdataset(),
-but ignore the serve-stale TTL if we are currently overmem.
-Then instead of having a fixed number of entries to clean, pass the size
-of newly added rdatasetheader to the overmem_purge() function and
-cleanup at least the size of the newly added data.  This prevents the
-cache going over the configured memory limit (`max-cache-size`).
-Additionally, refactor the overmem_purge() function to reduce for-loop
-nesting for readability.
-Patch taken from : https://downloads.isc.org/isc/bind9/9.18.16/patches/0001-CVE-2023-2828.patch
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b]
-CVE: CVE-2023-2828
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++-------------------
- 1 file changed, 65 insertions(+), 41 deletions(-)
-diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
-index d1aee54..ba60a49 100644
--- a/lib/dns/rbtdb.c
-+++ b/lib/dns/rbtdb.c
-@@ -561,7 +561,7 @@ static void
- expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
-              expire_t reason);
- static void
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
-+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
-              bool tree_locked);
- static void
- resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader);
-@@ -6787,6 +6787,16 @@ cleanup:
- 
- static dns_dbmethods_t zone_methods;
- 
-+static size_t
-+rdataset_size(rdatasetheader_t *header) {
-+       if (!NONEXISTENT(header)) {
-+               return (dns_rdataslab_size((unsigned char *)header,
-+                                          sizeof(*header)));
-+       }
-+
-+       return (sizeof(*header));
-+}
-+
- static isc_result_t
- addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-            isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
-@@ -6951,7 +6961,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-        }
- 
-        if (cache_is_overmem) {
-               overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
-+               overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
-+                             tree_locked);
-        }
- 
-        NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-@@ -6970,11 +6981,18 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-                }
- 
-                header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
-               if (header != NULL &&
-                   header->rdh_ttl + STALE_TTL(header, rbtdb) <
-                           now - RBTDB_VIRTUAL)
-               {
-                       expire_header(rbtdb, header, tree_locked, expire_ttl);
-+               if (header != NULL) {
-+                       dns_ttl_t rdh_ttl = header->rdh_ttl;
-+
-+                       /* Only account for stale TTL if cache is not overmem */
-+                       if (!cache_is_overmem) {
-+                               rdh_ttl += STALE_TTL(header, rbtdb);
-+                       }
-+
-+                       if (rdh_ttl < now - RBTDB_VIRTUAL) {
-+                               expire_header(rbtdb, header, tree_locked,
-+                                             expire_ttl);
-+                       }
-                }
- 
-                /*
-@@ -10114,52 +10132,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
-        ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
- }
- 
-+static size_t
-+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
-+                  bool tree_locked) {
-+       rdatasetheader_t *header, *header_prev;
-+       size_t purged = 0;
-+
-+       for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
-+            header != NULL && purged <= purgesize; header = header_prev)
-+       {
-+               header_prev = ISC_LIST_PREV(header, link);
-+               /*
-+                * Unlink the entry at this point to avoid checking it
-+                * again even if it's currently used someone else and
-+                * cannot be purged at this moment.  This entry won't be
-+                * referenced any more (so unlinking is safe) since the
-+                * TTL was reset to 0.
-+                */
-+               ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
-+               size_t header_size = rdataset_size(header);
-+               expire_header(rbtdb, header, tree_locked, expire_lru);
-+               purged += header_size;
-+       }
-+
-+       return (purged);
-+}
-+
- /*%
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
- * under an overmem condition.  To recover from this condition quickly, up to
- * 2 entries will be purged.  This process is triggered while adding a new
- * entry, and we specifically avoid purging entries in the same LRU bucket as
- * the one to which the new entry will belong.  Otherwise, we might purge
- * entries of the same name of different RR types while adding RRsets from a
- * single response (consider the case where we're adding A and AAAA glue records
- * of the same NS name).
-+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
-+ * entries under the overmem condition.  To recover from this condition quickly,
-+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
-+ *
-+ * This process is triggered while adding a new entry, and we specifically avoid
-+ * purging entries in the same LRU bucket as the one to which the new entry will
-+ * belong.  Otherwise, we might purge entries of the same name of different RR
-+ * types while adding RRsets from a single response (consider the case where
-+ * we're adding A and AAAA glue records of the same NS name).
-  */
- static void
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
-+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
-              bool tree_locked) {
-       rdatasetheader_t *header, *header_prev;
-        unsigned int locknum;
-       int purgecount = 2;
-+       size_t purged = 0;
- 
-        for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
-            locknum != locknum_start && purgecount > 0;
-+            locknum != locknum_start && purged <= purgesize;
-             locknum = (locknum + 1) % rbtdb->node_lock_count)
-        {
-                NODE_LOCK(&rbtdb->node_locks[locknum].lock,
-                          isc_rwlocktype_write);
- 
-               header = isc_heap_element(rbtdb->heaps[locknum], 1);
-               if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
-                       expire_header(rbtdb, header, tree_locked, expire_ttl);
-                       purgecount--;
-               }
-
-               for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
-                    header != NULL && purgecount > 0; header = header_prev)
-               {
-                       header_prev = ISC_LIST_PREV(header, link);
-                       /*
-                        * Unlink the entry at this point to avoid checking it
-                        * again even if it's currently used someone else and
-                        * cannot be purged at this moment.  This entry won't be
-                        * referenced any more (so unlinking is safe) since the
-                        * TTL was reset to 0.
-                        */
-                       ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
-                                       link);
-                       expire_header(rbtdb, header, tree_locked, expire_lru);
-                       purgecount--;
-               }
-+               purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
-+                                            tree_locked);
- 
-                NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
-                            isc_rwlocktype_write);
-- 
-2.25.1
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
deleted file mode 100644
index 8e9a358dee..0000000000
--- a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d Mon Sep 17 00:00:00 2001
-From: Matthijs Mekking <matthijs@isc.org>
-Date: Thu, 1 Jun 2023 10:03:48 +0200
-Subject: [PATCH] Fix serve-stale hang at shutdown
-The 'refresh_rrset' variable is used to determine if we can detach from
-the client. This can cause a hang on shutdown. To fix this, move setting
-of the 'nodetach' variable up to where 'refresh_rrset' is set (in
-query_lookup(), and thus not in ns_query_done()), and set it to false
-when actually refreshing the RRset, so that when this lookup is
-completed, the client will be detached.
-Patch taken from :https://downloads.isc.org/isc/bind9/9.18.16/patches/0003-CVE-2023-2911.patch
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/240caa32b9cab90a38ab863fd64e6becf5d1393c && https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d]
-CVE: CVE-2023-2911
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- lib/ns/query.c | 30 ++++++++++++++++++++++--------
- 1 file changed, 22 insertions(+), 8 deletions(-)
-diff --git a/lib/ns/query.c b/lib/ns/query.c
-index 0d2ba6b..8945dd4 100644
--- a/lib/ns/query.c
-+++ b/lib/ns/query.c
-@@ -5824,6 +5824,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) {
-        qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
-                                          DNS_DBFIND_STALEOK |
-                                          DNS_DBFIND_STALEENABLED);
-+       qctx.client->nodetach = false;
- 
-        /*
-         * We'll need some resources...
-@@ -6076,7 +6077,14 @@ query_lookup(query_ctx_t *qctx) {
-                                        "%s stale answer used, an attempt to "
-                                        "refresh the RRset will still be made",
-                                        namebuf);
-+
-                                qctx->refresh_rrset = STALE(qctx->rdataset);
-+                               /*
-+                                * If we are refreshing the RRSet, we must not
-+                                * detach from the client in query_send().
-+                                */
-+                               qctx->client->nodetach = qctx->refresh_rrset;
-+
-                                ns_client_extendederror(
-                                        qctx->client, ede,
-                                        "stale data prioritized over lookup");
-@@ -6503,7 +6511,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
-        if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) {
-                ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-                              ISC_LOG_INFO, "recursion loop detected");
-               return (ISC_R_FAILURE);
-+               return (ISC_R_ALREADYRUNNING);
-        }
- 
-        recparam_update(&client->query.recparam, qtype, qname, qdomain);
-@@ -7620,10 +7628,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
-                return (false);
-        }
- 
-       if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
-+       if (qctx->refresh_rrset) {
-+               /*
-+                * This is a refreshing query, we have already prioritized
-+                * stale data, so don't enable serve-stale again.
-+                */
-+               return (false);
-+       }
-+
-+       if (result == DNS_R_DUPLICATE || result == DNS_R_DROP ||
-+           result == ISC_R_ALREADYRUNNING)
-+       {
-                /*
-                 * Don't enable serve-stale if the result signals a duplicate
-                * query or query that is being dropped.
-+                * query or a query that is being dropped or can't proceed
-+                * because of a recursion loop.
-                 */
-                return (false);
-        }
-@@ -11927,12 +11946,7 @@ ns_query_done(query_ctx_t *qctx) {
-        /*
-         * Client may have been detached after query_send(), so
-         * we test and store the flag state here, for safety.
-        * If we are refreshing the RRSet, we must not detach from the client
-        * in the query_send(), so we need to override the flag.
-         */
-       if (qctx->refresh_rrset) {
-               qctx->client->nodetach = true;
-       }
-        nodetach = qctx->client->nodetach;
-        query_send(qctx->client);
- 
-- 
-2.25.1
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind-9.18.17/0001-avoid-start-failure-with-bind-user.patch
index ec1bc7b567..ec1bc7b567 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/0001-avoid-start-failure-with-bind-user.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.18.17/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 4c10f33f04..4c10f33f04 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind-9.18.17/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f1abd179e8..f1abd179e8 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/bind9 b/meta/recipes-connectivity/bind/bind-9.18.17/bind9
index 968679ff7f..968679ff7f 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/bind9
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch b/meta/recipes-connectivity/bind/bind-9.18.17/conf.patch
index aa3642acec..aa3642acec 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.18.17/generate-rndc-key.sh
index 633e29c0e6..633e29c0e6 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.18.17/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..11db95ede1 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/init.d-add-support-for-read-only-rootfs.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind-9.18.17/make-etc-initd-bind-stop-work.patch
index 146f3e35db..146f3e35db 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/make-etc-initd-bind-stop-work.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/named.service b/meta/recipes-connectivity/bind/bind-9.18.17/named.service
index cda56ef015..cda56ef015 100644
--- a/meta/recipes-connectivity/bind/bind-9.18.11/named.service
+++ b/meta/recipes-connectivity/bind/bind-9.18.17/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.18.11.bb b/meta/recipes-connectivity/bind/bind_9.18.17.bb
index b3e3b8bef0..b6fa279360 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.11.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.17.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=d8cf7bd9c4fd5471a588e7e66e672408"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
 DEPENDS = "openssl libcap zlib libuv"
@@ -18,11 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
-           file://CVE-2023-2828.patch \
-           file://CVE-2023-2911.patch \
           "
-SRC_URI[sha256sum] = "8ff3352812230cbcbda42df87cad961f94163d3da457c5e4bef8057fd5df2158"
+SRC_URI[sha256sum] = "bde1c5017b81d1d79c69eb8f537f2e5032fd3623acdd5ee830d4f74bc2483458"
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
@@ -41,7 +39,7 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
 PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
 PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
-EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \
+EXTRA_OECONF = "  --disable-auto-validation  \
                 --with-gssapi=no --with-lmdb=no --with-zlib \
                 --sysconfdir=${sysconfdir}/bind \
                 --with-openssl=${STAGING_DIR_HOST}${prefix} \

diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch deleted file mode 100644 index ef2d64b16c..0000000000 --- a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch +++ /dev/null
@@ -1,197 +0,0 @@
1	From e9d5219fca9f6b819d953990b369d6acfb4e952b Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
3	Date: Tue, 30 May 2023 08:46:17 +0200
4	Subject: [PATCH] Improve RBT overmem cache cleaning
5
6	When cache memory usage is over the configured cache size (overmem) and
7	we are cleaning unused entries, it might not be enough to clean just two
8	entries if the entries to be expired are smaller than the newly added
9	rdata. This could be abused by an attacker to cause a remote Denial of
10	Service by possibly running out of the operating system memory.
11
12	Currently, the addrdataset() tries to do a single TTL-based cleaning
13	considering the serve-stale TTL and then optionally moves to overmem
14	cleaning if we are in that condition. Then the overmem_purge() tries to
15	do another single TTL based cleaning from the TTL heap and then continue
16	with LRU-based cleaning up to 2 entries cleaned.
17
18	Squash the TTL-cleaning mechanism into single call from addrdataset(),
19	but ignore the serve-stale TTL if we are currently overmem.
20
21	Then instead of having a fixed number of entries to clean, pass the size
22	of newly added rdatasetheader to the overmem_purge() function and
23	cleanup at least the size of the newly added data. This prevents the
24	cache going over the configured memory limit (`max-cache-size`).
25
26	Additionally, refactor the overmem_purge() function to reduce for-loop
27	nesting for readability.
28
29	Patch taken from : https://downloads.isc.org/isc/bind9/9.18.16/patches/0001-CVE-2023-2828.patch
30
31	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b]
32	CVE: CVE-2023-2828
33	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
34	---
35	lib/dns/rbtdb.c \| 106 +++++++++++++++++++++++++++++-------------------
36	1 file changed, 65 insertions(+), 41 deletions(-)
37
38	diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
39	index d1aee54..ba60a49 100644
40	--- a/lib/dns/rbtdb.c
41	+++ b/lib/dns/rbtdb.c
42	@@ -561,7 +561,7 @@ static void
43	expire_header(dns_rbtdb_t rbtdb, rdatasetheader_t header, bool tree_locked,
44	expire_t reason);
45	static void
46	-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
47	+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
48	bool tree_locked);
49	static void
50	resign_insert(dns_rbtdb_t rbtdb, int idx, rdatasetheader_t newheader);
51	@@ -6787,6 +6787,16 @@ cleanup:
52
53	static dns_dbmethods_t zone_methods;
54
55	+static size_t
56	+rdataset_size(rdatasetheader_t *header) {
57	+ if (!NONEXISTENT(header)) {
58	+ return (dns_rdataslab_size((unsigned char *)header,
59	+ sizeof(*header)));
60	+ }
61	+
62	+ return (sizeof(*header));
63	+}
64	+
65	static isc_result_t
66	addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
67	isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
68	@@ -6951,7 +6961,8 @@ addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
69	}
70
71	if (cache_is_overmem) {
72	- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
73	+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
74	+ tree_locked);
75	}
76
77	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
78	@@ -6970,11 +6981,18 @@ addrdataset(dns_db_t db, dns_dbnode_t node, dns_dbversion_t *version,
79	}
80
81	header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
82	- if (header != NULL &&
83	- header->rdh_ttl + STALE_TTL(header, rbtdb) <
84	- now - RBTDB_VIRTUAL)
85	- {
86	- expire_header(rbtdb, header, tree_locked, expire_ttl);
87	+ if (header != NULL) {
88	+ dns_ttl_t rdh_ttl = header->rdh_ttl;
89	+
90	+ /* Only account for stale TTL if cache is not overmem */
91	+ if (!cache_is_overmem) {
92	+ rdh_ttl += STALE_TTL(header, rbtdb);
93	+ }
94	+
95	+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
96	+ expire_header(rbtdb, header, tree_locked,
97	+ expire_ttl);
98	+ }
99	}
100
101	/*
102	@@ -10114,52 +10132,58 @@ update_header(dns_rbtdb_t rbtdb, rdatasetheader_t header, isc_stdtime_t now) {
103	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
104	}
105
106	+static size_t
107	+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
108	+ bool tree_locked) {
109	+ rdatasetheader_t header, header_prev;
110	+ size_t purged = 0;
111	+
112	+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
113	+ header != NULL && purged <= purgesize; header = header_prev)
114	+ {
115	+ header_prev = ISC_LIST_PREV(header, link);
116	+ /*
117	+ * Unlink the entry at this point to avoid checking it
118	+ * again even if it's currently used someone else and
119	+ * cannot be purged at this moment. This entry won't be
120	+ * referenced any more (so unlinking is safe) since the
121	+ * TTL was reset to 0.
122	+ */
123	+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
124	+ size_t header_size = rdataset_size(header);
125	+ expire_header(rbtdb, header, tree_locked, expire_lru);
126	+ purged += header_size;
127	+ }
128	+
129	+ return (purged);
130	+}
131	+
132	/*%
133	- * Purge some expired and/or stale (i.e. unused for some period) cache entries
134	- * under an overmem condition. To recover from this condition quickly, up to
135	- * 2 entries will be purged. This process is triggered while adding a new
136	- * entry, and we specifically avoid purging entries in the same LRU bucket as
137	- * the one to which the new entry will belong. Otherwise, we might purge
138	- * entries of the same name of different RR types while adding RRsets from a
139	- * single response (consider the case where we're adding A and AAAA glue records
140	- * of the same NS name).
141	+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
142	+ * entries under the overmem condition. To recover from this condition quickly,
143	+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
144	+ *
145	+ * This process is triggered while adding a new entry, and we specifically avoid
146	+ * purging entries in the same LRU bucket as the one to which the new entry will
147	+ * belong. Otherwise, we might purge entries of the same name of different RR
148	+ * types while adding RRsets from a single response (consider the case where
149	+ * we're adding A and AAAA glue records of the same NS name).
150	*/
151	static void
152	-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
153	+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
154	bool tree_locked) {
155	- rdatasetheader_t header, header_prev;
156	unsigned int locknum;
157	- int purgecount = 2;
158	+ size_t purged = 0;
159
160	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
161	- locknum != locknum_start && purgecount > 0;
162	+ locknum != locknum_start && purged <= purgesize;
163	locknum = (locknum + 1) % rbtdb->node_lock_count)
164	{
165	NODE_LOCK(&rbtdb->node_locks[locknum].lock,
166	isc_rwlocktype_write);
167
168	- header = isc_heap_element(rbtdb->heaps[locknum], 1);
169	- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
170	- expire_header(rbtdb, header, tree_locked, expire_ttl);
171	- purgecount--;
172	- }
173	-
174	- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
175	- header != NULL && purgecount > 0; header = header_prev)
176	- {
177	- header_prev = ISC_LIST_PREV(header, link);
178	- /*
179	- * Unlink the entry at this point to avoid checking it
180	- * again even if it's currently used someone else and
181	- * cannot be purged at this moment. This entry won't be
182	- * referenced any more (so unlinking is safe) since the
183	- * TTL was reset to 0.
184	- */
185	- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
186	- link);
187	- expire_header(rbtdb, header, tree_locked, expire_lru);
188	- purgecount--;
189	- }
190	+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
191	+ tree_locked);
192
193	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
194	isc_rwlocktype_write);
195	--
196	2.25.1
197


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch deleted file mode 100644 index 8e9a358dee..0000000000 --- a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch +++ /dev/null
@@ -1,97 +0,0 @@
1	From ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d Mon Sep 17 00:00:00 2001
2	From: Matthijs Mekking <matthijs@isc.org>
3	Date: Thu, 1 Jun 2023 10:03:48 +0200
4	Subject: [PATCH] Fix serve-stale hang at shutdown
5
6	The 'refresh_rrset' variable is used to determine if we can detach from
7	the client. This can cause a hang on shutdown. To fix this, move setting
8	of the 'nodetach' variable up to where 'refresh_rrset' is set (in
9	query_lookup(), and thus not in ns_query_done()), and set it to false
10	when actually refreshing the RRset, so that when this lookup is
11	completed, the client will be detached.
12
13	Patch taken from :https://downloads.isc.org/isc/bind9/9.18.16/patches/0003-CVE-2023-2911.patch
14
15	Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/240caa32b9cab90a38ab863fd64e6becf5d1393c && https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d]
16	CVE: CVE-2023-2911
17	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
18	---
19	lib/ns/query.c \| 30 ++++++++++++++++++++++--------
20	1 file changed, 22 insertions(+), 8 deletions(-)
21
22	diff --git a/lib/ns/query.c b/lib/ns/query.c
23	index 0d2ba6b..8945dd4 100644
24	--- a/lib/ns/query.c
25	+++ b/lib/ns/query.c
26	@@ -5824,6 +5824,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) {
27	qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT \|
28	DNS_DBFIND_STALEOK \|
29	DNS_DBFIND_STALEENABLED);
30	+ qctx.client->nodetach = false;
31
32	/*
33	* We'll need some resources...
34	@@ -6076,7 +6077,14 @@ query_lookup(query_ctx_t *qctx) {
35	"%s stale answer used, an attempt to "
36	"refresh the RRset will still be made",
37	namebuf);
38	+
39	qctx->refresh_rrset = STALE(qctx->rdataset);
40	+ /*
41	+ * If we are refreshing the RRSet, we must not
42	+ * detach from the client in query_send().
43	+ */
44	+ qctx->client->nodetach = qctx->refresh_rrset;
45	+
46	ns_client_extendederror(
47	qctx->client, ede,
48	"stale data prioritized over lookup");
49	@@ -6503,7 +6511,7 @@ ns_query_recurse(ns_client_t client, dns_rdatatype_t qtype, dns_name_t qname,
50	if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) {
51	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
52	ISC_LOG_INFO, "recursion loop detected");
53	- return (ISC_R_FAILURE);
54	+ return (ISC_R_ALREADYRUNNING);
55	}
56
57	recparam_update(&client->query.recparam, qtype, qname, qdomain);
58	@@ -7620,10 +7628,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
59	return (false);
60	}
61
62	- if (result == DNS_R_DUPLICATE \|\| result == DNS_R_DROP) {
63	+ if (qctx->refresh_rrset) {
64	+ /*
65	+ * This is a refreshing query, we have already prioritized
66	+ * stale data, so don't enable serve-stale again.
67	+ */
68	+ return (false);
69	+ }
70	+
71	+ if (result == DNS_R_DUPLICATE \|\| result == DNS_R_DROP \|\|
72	+ result == ISC_R_ALREADYRUNNING)
73	+ {
74	/*
75	* Don't enable serve-stale if the result signals a duplicate
76	- * query or query that is being dropped.
77	+ * query or a query that is being dropped or can't proceed
78	+ * because of a recursion loop.
79	*/
80	return (false);
81	}
82	@@ -11927,12 +11946,7 @@ ns_query_done(query_ctx_t *qctx) {
83	/*
84	* Client may have been detached after query_send(), so
85	* we test and store the flag state here, for safety.
86	- * If we are refreshing the RRSet, we must not detach from the client
87	- * in the query_send(), so we need to override the flag.
88	*/
89	- if (qctx->refresh_rrset) {
90	- qctx->client->nodetach = true;
91	- }
92	nodetach = qctx->client->nodetach;
93	query_send(qctx->client);
94
95	--
96	2.25.1
97


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind-9.18.17/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/0001-avoid-start-failure-with-bind-user.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.18.17/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/0001-named-lwresd-V-and-start-log-hide-build-options.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind-9.18.17/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..f1abd179e8 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/bind-ensure-searching-for-json-headers-searches-sysr.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/bind9 b/meta/recipes-connectivity/bind/bind-9.18.17/bind9 index 968679ff7f..968679ff7f 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/bind9 +++ b/meta/recipes-connectivity/bind/bind-9.18.17/bind9


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch b/meta/recipes-connectivity/bind/bind-9.18.17/conf.patch index aa3642acec..aa3642acec 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/conf.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind-9.18.17/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh +++ b/meta/recipes-connectivity/bind/bind-9.18.17/generate-rndc-key.sh


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.18.17/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/init.d-add-support-for-read-only-rootfs.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind-9.18.17/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch +++ b/meta/recipes-connectivity/bind/bind-9.18.17/make-etc-initd-bind-stop-work.patch


diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/named.service b/meta/recipes-connectivity/bind/bind-9.18.17/named.service index cda56ef015..cda56ef015 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.11/named.service +++ b/meta/recipes-connectivity/bind/bind-9.18.17/named.service


diff --git a/meta/recipes-connectivity/bind/bind_9.18.11.bb b/meta/recipes-connectivity/bind/bind_9.18.17.bb index b3e3b8bef0..b6fa279360 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.11.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.17.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
4	SECTION = "console/network"	4	SECTION = "console/network"
5		5
6	LICENSE = "MPL-2.0"	6	LICENSE = "MPL-2.0"
7	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=d8cf7bd9c4fd5471a588e7e66e672408"	7	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
8		8
9	DEPENDS = "openssl libcap zlib libuv"	9	DEPENDS = "openssl libcap zlib libuv"
10		10
@@ -18,11 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
18	file://bind-ensure-searching-for-json-headers-searches-sysr.patch \	18	file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
20	file://0001-avoid-start-failure-with-bind-user.patch \	20	file://0001-avoid-start-failure-with-bind-user.patch \
21	file://CVE-2023-2828.patch \
22	file://CVE-2023-2911.patch \
23	"	21	"
24		22
25	SRC_URI[sha256sum] = "8ff3352812230cbcbda42df87cad961f94163d3da457c5e4bef8057fd5df2158"	23	SRC_URI[sha256sum] = "bde1c5017b81d1d79c69eb8f537f2e5032fd3623acdd5ee830d4f74bc2483458"
26		24
27	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"	25	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
28	# follow the ESV versions divisible by 2	26	# follow the ESV versions divisible by 2
@@ -41,7 +39,7 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
41	PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"	39	PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
42	PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"	40	PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
43		41
44	EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \	42	EXTRA_OECONF = " --disable-auto-validation \
45	--with-gssapi=no --with-lmdb=no --with-zlib \	43	--with-gssapi=no --with-lmdb=no --with-zlib \
46	--sysconfdir=${sysconfdir}/bind \	44	--sysconfdir=${sysconfdir}/bind \
47	--with-openssl=${STAGING_DIR_HOST}${prefix} \	45	--with-openssl=${STAGING_DIR_HOST}${prefix} \