!129 [Backport] fix CVE-2024-1975 CVE-2024-1737

From: @xiangyu2020 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

IAID-is-output-has-hexe-if-it-contains-or.patch

@@ -0,0 +1,46 @@
+From fb971ee6b5403c21e64fa66c8711f688f763518c Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Sat, 20 Jan 2024 02:51:53 +0000
+Subject: [PATCH] IAID is output has hexe if it contains '\' or '"'
+
+Signed-off-by: renmingshuai <renmingshuai@huawei.com>
+---
+ client/dhclient.conf.5 | 6 +++---
+ common/print.c         | 4 +++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/client/dhclient.conf.5 b/client/dhclient.conf.5
+index 566a881..2e2dc56 100644
+--- a/client/dhclient.conf.5
++++ b/client/dhclient.conf.5
+@@ -617,9 +617,9 @@ pairs, separated by colons.
+ Currently, the values written out based on lease-id-format are the default-duid
+ and the IAID value (DHCPv6 only).  The client automatically reads the values
+ in either format.  Note that when the format is octal, rather than as an octal
+-string, IAID is output as hex if it contains no printable characters or as a
+-string if contains only printable characters. This is done to maintain backward
+-compatibility.
++string, IAID is output as hex if it contains special character '"', '\' or
++no printable characters, or as a string if contains only printable characters.
++This is done to maintain backward compatibility.
+ .PP
+  \fBreject \fIcidr-ip-address\fR [\fB,\fR \fI...\fB \fIcidr-ip-address\fR ] \fB;\fR
+ .PP
+diff --git a/common/print.c b/common/print.c
+index b42e7bc..6835eb1 100644
+--- a/common/print.c
++++ b/common/print.c
+@@ -427,7 +427,9 @@ void print_hex_or_string (len, data, limit, buf)
+ 		return;
+ 
+ 	for (i = 0; (i < (limit - 3)) && (i < len); i++) {
+-		if (!isascii(data[i]) || !isprint(data[i])) {
++		/* print as hex if the characters contain '"' or '\' */
++		if (!isascii(data[i]) || !isprint(data[i]) ||
++		    (data[i] == '"' || data[i] == '\\')) {
+ 			print_hex_only(len, data, limit, buf);
+ 			return;
+ 		}
+-- 
+2.33.0
+

backport-0001-CVE-2024-1737.patch

@@ -0,0 +1,94 @@
+From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Fri, 1 Mar 2024 08:26:07 +0100
+Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
+ 
+Previously, the number of RRs in the RRSets were internally unlimited.
+As the data structure that holds the RRs is just a linked list, and
+there are places where we just walk through all of the RRs, adding an
+RRSet with huge number of RRs inside would slow down processing of said
+RRSets.
+ 
+The fix for end-of-life branches make the limit compile-time only for
+simplicity and the limit can be changed at the compile time by adding
+following define to CFLAGS:
+ 
+    -DDNS_RDATASET_MAX_RECORDS=<limit>
+ 
+(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.14/configure           |  2 +-
+ bind/bind-9.11.14/configure.ac        |  2 +-
+ bind/bind-9.11.14/lib/dns/rdataslab.c | 12 ++++++++++++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/bind/bind-9.11.14/configure b/bind/bind-9.11.14/configure
+index aab472a..7ce67de 100755
+--- a/bind/bind-9.11.14/configure
++++ b/bind/bind-9.11.14/configure
+@@ -12160,7 +12160,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.14/configure.ac b/bind/bind-9.11.14/configure.ac
+index 4ab10a0..3d69b03 100644
+--- a/bind/bind-9.11.14/configure.ac
++++ b/bind/bind-9.11.14/configure.ac
+@@ -94,7 +94,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.14/lib/dns/rdataslab.c b/bind/bind-9.11.14/lib/dns/rdataslab.c
+index 930a822..89c9881 100644
+--- a/bind/bind-9.11.14/lib/dns/rdataslab.c
++++ b/bind/bind-9.11.14/lib/dns/rdataslab.c
+@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ }
+ #endif
+ 
++#ifndef DNS_RDATASET_MAX_RECORDS
++#define DNS_RDATASET_MAX_RECORDS 100
++#endif /* DNS_RDATASET_MAX_RECORDS */
++
+ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen)
+@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
++	if (nitems > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ 	if (nitems > 0xffff)
+ 		return (ISC_R_NOSPACE);
+ 
+@@ -651,6 +659,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ #endif
+ 	INSIST(ocount > 0 && ncount > 0);
+ 
++	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++		return (DNS_R_TOOMANYRECORDS);
++	}
++
+ #if DNS_RDATASET_FIXED
+ 	oncount = ncount;
+ #endif
+-- 
+2.33.0
+

backport-0002-CVE-2024-1737.patch

@@ -0,0 +1,125 @@
+From dfcadc2085c8844b5836aff2b5ea51fb60c34868 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Wed, 29 May 2024 08:43:39 +0200
+Subject: [PATCH 2/3] Add a limit to the number of RR types for single name
+ 
+Previously, the number of RR types for a single owner name was limited
+only by the maximum number of the types (64k).  As the data structure
+that holds the RR types for the database node is just a linked list, and
+there are places where we just walk through the whole list (again and
+again), adding a large number of RR types for a single owner named with
+would slow down processing of such name (database node).
+ 
+Add a hard-coded limit (100) to cap the number of the RR types for a single
+owner.  The limit can be changed at the compile time by adding following
+define to CFLAGS:
+ 
+    -DDNS_RBTDB_MAX_RTYPES=<limit>
+ 
+Conflict:Context Adaptation
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
+ 
+---
+ bind/bind-9.11.14/configure       |  2 +-
+ bind/bind-9.11.14/configure.ac    |  2 +-
+ bind/bind-9.11.14/lib/dns/rbtdb.c | 17 +++++++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/bind/bind-9.11.14/configure b/bind/bind-9.11.14/configure
+index 7ce67de..e839433 100755
+--- a/bind/bind-9.11.14/configure
++++ b/bind/bind-9.11.14/configure
+@@ -12160,7 +12160,7 @@ fi
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.14/configure.ac b/bind/bind-9.11.14/configure.ac
+index 3d69b03..0fc5a77 100644
+--- a/bind/bind-9.11.14/configure.ac
++++ b/bind/bind-9.11.14/configure.ac
+@@ -94,7 +94,7 @@ AC_ARG_ENABLE(developer,
+ XTARGETS=
+ case "$enable_developer" in
+ yes)
+-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
++	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
+ 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
+ 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
+ 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
+diff --git a/bind/bind-9.11.14/lib/dns/rbtdb.c b/bind/bind-9.11.14/lib/dns/rbtdb.c
+index 5886431..2a55f54 100644
+--- a/bind/bind-9.11.14/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.14/lib/dns/rbtdb.c
+@@ -6118,6 +6118,10 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ 	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+ }
+ 
++#ifndef DNS_RBTDB_MAX_RTYPES
++#define DNS_RBTDB_MAX_RTYPES 100
++#endif /* DNS_RBTDB_MAX_RTYPES */
++
+ static isc_result_t
+ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+       rdatasetheader_t *newheader, unsigned int options, bool loading,
+@@ -6135,6 +6139,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
++	uint32_t ntypes;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6197,6 +6202,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
++				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6218,9 +6224,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
++			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
++				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6261,9 +6269,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
++	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		ntypes++;
+ 		if (prio_type(topheader->type)) {
+ 			prioheader = topheader;
+ 		}
+@@ -6619,6 +6629,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
++
++			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++				free_rdataset(rbtdb, rbtdb->common.mctx,
++					      newheader);
++				return (ISC_R_QUOTA);
++			}
++
+ 			newheader->down = NULL;
+ 
+ 			if (prio_type(newheader->type)) {
+-- 
+2.33.0
+

backport-0003-CVE-2024-1737.patch

@@ -0,0 +1,52 @@
+From b27c6bcce894786a8e082eafd59eccbf6f2731cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: [PATCH] Expand the list of the priority types and move it to db_p.h
+ 
+Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
+the priority types that are put at the beginning of the slabheader list
+for faster access and to avoid eviction when there are more types than
+the max-types-per-name limit.
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/b27c6bcce894786a8e082eafd59eccbf6f2731cb
+ 
+---
+ bind/bind-9.11.14/lib/dns/rbtdb.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/bind/bind-9.11.14/lib/dns/rbtdb.c b/bind/bind-9.11.14/lib/dns/rbtdb.c
+index 2a55f54..fb87923 100644
+--- a/bind/bind-9.11.14/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.14/lib/dns/rbtdb.c
+@@ -1132,6 +1132,8 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ 	case dns_rdatatype_a:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_mx:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
+ 	case dns_rdatatype_aaaa:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ 	case dns_rdatatype_nsec:
+@@ -1144,6 +1146,18 @@ prio_type(rbtdb_rdatatype_t type) {
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ 	case dns_rdatatype_cname:
+ 	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++	case dns_rdatatype_dname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
++	case dns_rdatatype_dnskey:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
++	case dns_rdatatype_srv:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
++	case dns_rdatatype_txt:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
++	case dns_rdatatype_ptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
++	case dns_rdatatype_naptr:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
+ 		return (true);
+ 	}
+ 	return (false);
+-- 
+2.33.0
+

backport-0004-CVE-2024-1737.patch

@@ -0,0 +1,184 @@
+From 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120 Mon Sep 17 00:00:00 2001
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
+Date: Mon, 17 Jun 2024 11:40:40 +0200
+Subject: Be smarter about refusing to add many RR types to the database
+ 
+Instead of outright refusing to add new RR types to the cache, be a bit
+smarter:
+ 
+1. If the new header type is in our priority list, we always add either
+   positive or negative entry at the beginning of the list.
+ 
+2. If the new header type is negative entry, and we are over the limit,
+   we mark it as ancient immediately, so it gets evicted from the cache
+   as soon as possible.
+ 
+3. Otherwise add the new header after the priority headers (or at the
+   head of the list).
+ 
+4. If we are over the limit, evict the last entry on the normal header
+   list.
+ 
+(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/57cd34441a1b4ecc9874a4a106c2c95b8d7a3120
+ 
+---
+ bind/bind-9.11.14/lib/dns/rbtdb.c | 70 ++++++++++++++++++++++++++-----
+ 1 file changed, 59 insertions(+), 11 deletions(-)
+
+diff --git a/bind/bind-9.11.14/lib/dns/rbtdb.c b/bind/bind-9.11.14/lib/dns/rbtdb.c
+index fb87923..1a346b9 100644
+--- a/bind/bind-9.11.14/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.14/lib/dns/rbtdb.c
+@@ -6136,6 +6136,26 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
++static bool
++overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
++	UNUSED(rbtdb);
++
++	if (DNS_RBTDB_MAX_RTYPES == 0) {
++		return (false);
++	}
++
++	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++}
++
++static bool
++prio_header(rdatasetheader_t *header) {
++	if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
++		return (true);
++	}
++
++	return (prio_type(header->type));
++}
++
+ static isc_result_t
+ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+       rdatasetheader_t *newheader, unsigned int options, bool loading,
+@@ -6143,7 +6163,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+-	rdatasetheader_t *prioheader = NULL;
++	rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6153,7 +6173,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	rbtdb_rdatatype_t negtype, sigtype;
+ 	dns_trust_t trust;
+ 	int idx;
+-	uint32_t ntypes;
++	uint32_t ntypes = 0;
+ 
+ 	/*
+ 	 * Add an rdatasetheader_t to a node.
+@@ -6216,7 +6236,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 					set_ttl(rbtdb, topheader, 0);
+ 					mark_stale_header(rbtdb, topheader);
+ 				}
+-				ntypes = 0;
+ 				goto find_header;
+ 			}
+ 			/*
+@@ -6226,8 +6245,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next)
+-				if (topheader->type == sigtype)
++				if (topheader->type == sigtype) {
+ 					sigheader = topheader;
++					break;
++				}
+ 			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ 		} else {
+ 			/*
+@@ -6238,11 +6259,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * check for an extant non-stale NODATA ncache
+ 			 * entry which covers the same type as the RRSIG.
+ 			 */
+-			ntypes = 0;
+ 			for (topheader = rbtnode->data;
+ 			     topheader != NULL;
+ 			     topheader = topheader->next) {
+-				ntypes++;
+ 				if ((topheader->type ==
+ 					RBTDB_RDATATYPE_NCACHEANY) ||
+ 					(newheader->type == sigtype &&
+@@ -6283,12 +6302,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 		}
+ 	}
+ 
+-	ntypes = 0;
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
+-		ntypes++;
+-		if (prio_type(topheader->type)) {
++		if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
++			++ntypes;
++			expireheader = topheader;
++		} else if (!IS_CACHE(rbtdb)) {
++			++ntypes;
++		}
++		if (prio_header(topheader)) {
+ 			prioheader = topheader;
+ 		}
+ 		if (topheader->type == newheader->type ||
+@@ -6644,7 +6667,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+ 
+-			if (ntypes > DNS_RBTDB_MAX_RTYPES) {
++			if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ 				free_rdataset(rbtdb, rbtdb->common.mctx,
+ 					      newheader);
+ 				return (ISC_R_QUOTA);
+@@ -6652,7 +6675,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 
+ 			newheader->down = NULL;
+ 
+-			if (prio_type(newheader->type)) {
++			if (prio_header(newheader)) {
+ 				/* This is a priority type, prepend it */
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+@@ -6665,6 +6688,31 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 				newheader->next = rbtnode->data;
+ 				rbtnode->data = newheader;
+ 			}
++
++			if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
++				if (expireheader == NULL) {
++					expireheader = newheader;
++				}
++				if (NEGATIVE(newheader) &&
++				    !prio_header(newheader))
++				{
++					/*
++					 * Add the new non-priority negative
++					 * header to the database only
++					 * temporarily.
++					 */
++					expireheader = newheader;
++				}
++
++				set_ttl(rbtdb, expireheader, 0);
++				mark_stale_header(rbtdb, expireheader);
++				/*
++				 * FIXME: In theory, we should mark the RRSIG
++				 * and the header at the same time, but there is
++				 * no direct link between those two header, so
++				 * we would have to check the whole list again.
++				 */
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+

backport-CVE-2022-2795.patch

@@ -0,0 +1,46 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0001-CVE-2022-2795.patch
+---
+ bind/bind-9.11.14/lib/dns/resolver.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c
+index 45faf19..8334005 100644
+--- a/bind/bind-9.11.14/lib/dns/resolver.c
++++ b/bind/bind-9.11.14/lib/dns/resolver.c
+@@ -173,6 +173,13 @@
+ #define DEFAULT_MAX_QUERIES 75
+ #endif
+ 
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
++
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+ #define RES_DOMAIN_BUCKETS	523
+@@ -3273,6 +3280,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	dns_rdata_ns_t ns;
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3452,6 +3460,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE)
+ 		return (result);
+-- 
+2.33.0
+

backport-CVE-2022-38177.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0003-CVE-2022-38177.patch
+---
+ bind/bind-9.11.14/lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.14/lib/dns/opensslecdsa_link.c b/bind/bind-9.11.14/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/bind/bind-9.11.14/lib/dns/opensslecdsa_link.c
++++ b/bind/bind-9.11.14/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.33.0
+

backport-CVE-2022-38178.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0004-CVE-2022-38178.patch
+---
+ bind/bind-9.11.14/lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.14/lib/dns/openssleddsa_link.c b/bind/bind-9.11.14/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/bind/bind-9.11.14/lib/dns/openssleddsa_link.c
++++ b/bind/bind-9.11.14/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.33.0
+

backport-CVE-2024-1975.patch

@@ -0,0 +1,240 @@
+From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
+Date: Thu, 16 May 2024 12:10:41 +0200
+Subject: [PATCH] Remove support for SIG(0) message verification
+ 
+Conflict:Case adaptation and some documents are not incorporated and echo_i->echo "I.
+Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
+ 
+---
+ bind/bind-9.11.14/bin/named/client.c          |  7 ++
+ .../bin/tests/system/tsiggss/authsock.pl      |  5 +
+ .../bin/tests/system/tsiggss/tests.sh         | 12 ++-
+ .../bin/tests/system/upforwd/tests.sh         |  9 +-
+ bind/bind-9.11.14/lib/dns/message.c           | 92 ++-----------------
+ 5 files changed, 32 insertions(+), 93 deletions(-)
+
+diff --git a/bind/bind-9.11.14/bin/named/client.c b/bind/bind-9.11.14/bin/named/client.c
+index f8431bc..86846d3 100644
+--- a/bind/bind-9.11.14/bin/named/client.c
++++ b/bind/bind-9.11.14/bin/named/client.c
+@@ -2984,6 +2984,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
+ 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ 			      "request is signed by a nonauthoritative key");
++	} else if (result == DNS_R_NOTVERIFIEDYET &&
++		   client->message->sig0 != NULL)
++	{
++		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
++			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
++			      "request has a SIG(0) signature but its support "
++			      "was removed (CVE-2024-1975)");
+ 	} else {
+ 		char tsigrcode[64];
+ 		isc_buffer_t b;
+diff --git a/bind/bind-9.11.14/bin/tests/system/tsiggss/authsock.pl b/bind/bind-9.11.14/bin/tests/system/tsiggss/authsock.pl
+index 57a72b2..3afaa83 100644
+--- a/bind/bind-9.11.14/bin/tests/system/tsiggss/authsock.pl
++++ b/bind/bind-9.11.14/bin/tests/system/tsiggss/authsock.pl
+@@ -31,6 +31,10 @@ if (!defined($path)) {
+ 	exit(1);
+ }
+ 
++# Enable output autoflush so that it's not lost when the parent sends TERM.
++select STDOUT;
++$| = 1;
++
+ unlink($path);
+ my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+     die "unable to create socket $path";
+@@ -48,6 +52,7 @@ if ($timeout != 0) {
+ }
+ 
+ while (my $client = $server->accept()) {
++	printf("accept()\n");
+ 	$client->recv(my $buf, 8, 0);
+ 	my ($version, $req_len) = unpack('N N', $buf);
+ 
+diff --git a/bind/bind-9.11.14/bin/tests/system/tsiggss/tests.sh b/bind/bind-9.11.14/bin/tests/system/tsiggss/tests.sh
+index e4c32dc..a6d3371 100644
+--- a/bind/bind-9.11.14/bin/tests/system/tsiggss/tests.sh
++++ b/bind/bind-9.11.14/bin/tests/system/tsiggss/tests.sh
+@@ -116,7 +116,7 @@ status=$((status+ret))
+ 
+ echo "I:testing external update policy (CNAME) with auth sock ($n)"
+ ret=0
+-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
+ sleep 1
+ test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
+ n=$((n+1))
+@@ -130,17 +130,19 @@ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
+-echo "I:testing external policy with SIG(0) key ($n)"
++echo "I:testing external policy with unsupported SIG(0) key ($n)"
+ ret=0
+-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
++$NSUPDATE -R $RANDFILE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
++debug
+ server 10.53.0.1 ${PORT}
+ zone example.nil
+ update add fred.example.nil 120 cname foo.bar.
+ send
+ END
+ output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+-[ -n "$output" ] || ret=1
+-[ $ret -eq 0 ] || echo "I:failed"
++# update must have failed - SIG(0) signer is not supported
++[ -n "$output" ] && ret=1
++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
+ n=$((n+1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+diff --git a/bind/bind-9.11.14/bin/tests/system/upforwd/tests.sh b/bind/bind-9.11.14/bin/tests/system/upforwd/tests.sh
+index b0694bb..b8e316b 100644
+--- a/bind/bind-9.11.14/bin/tests/system/upforwd/tests.sh
++++ b/bind/bind-9.11.14/bin/tests/system/upforwd/tests.sh
+@@ -177,18 +177,21 @@ n=`expr $n + 1`
+ 
+ if test -f keyname
+ then
+-	echo_i "checking update forwarding to with sig0 ($n)"
++	echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
+ 	ret=0
+ 	keyname=`cat keyname`
+-	$NSUPDATE -k $keyname.private -- - <<EOF
++        # SIG(0) is removed, update is expected to fail.
++        {
++        $NSUPDATE -k $keyname.private -- - <<EOF
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+ 	update add unsigned.example2. 600 TXT Foo
+ 	send
+ EOF
++        } >nsupdate.out.$n 2>&1 && ret=1
+ 	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
+-	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
++	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
+ 	if [ $ret != 0 ] ; then echo_i "failed"; fi
+ 	status=`expr $status + $ret`
+ 	n=`expr $n + 1`
+diff --git a/bind/bind-9.11.14/lib/dns/message.c b/bind/bind-9.11.14/lib/dns/message.c
+index 70733ab..6aed685 100644
+--- a/bind/bind-9.11.14/lib/dns/message.c
++++ b/bind/bind-9.11.14/lib/dns/message.c
+@@ -3162,102 +3162,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+ 
+ isc_result_t
+ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+-	isc_buffer_t b, msgb;
++	isc_buffer_t msgb;
+ 
+ 	REQUIRE(DNS_MESSAGE_VALID(msg));
+ 
+-	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
++	if (msg->tsigkey == NULL && msg->tsig == NULL) {
+ 		return (ISC_R_SUCCESS);
++	}
+ 
+ 	INSIST(msg->saved.base != NULL);
+ 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ 	isc_buffer_add(&msgb, msg->saved.length);
+-	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ #ifdef SKAN_MSG_DEBUG
+-		dns_message_dumpsig(msg, "dns_message_checksig#1");
++	dns_message_dumpsig(msg, "dns_message_checksig#1");
+ #endif
+-		if (view != NULL)
+-			return (dns_view_checksig(view, &msgb, msg));
+-		else
+-			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
++	if (view != NULL) {
++		return (dns_view_checksig(view, &msgb, msg));
+ 	} else {
+-		dns_rdata_t rdata = DNS_RDATA_INIT;
+-		dns_rdata_sig_t sig;
+-		dns_rdataset_t keyset;
+-		isc_result_t result;
+-
+-		result = dns_rdataset_first(msg->sig0);
+-		INSIST(result == ISC_R_SUCCESS);
+-		dns_rdataset_current(msg->sig0, &rdata);
+-
+-		/*
+-		 * This can occur when the message is a dynamic update, since
+-		 * the rdata length checking is relaxed.  This should not
+-		 * happen in a well-formed message, since the SIG(0) is only
+-		 * looked for in the additional section, and the dynamic update
+-		 * meta-records are in the prerequisite and update sections.
+-		 */
+-		if (rdata.length == 0)
+-			return (ISC_R_UNEXPECTEDEND);
+-
+-		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+-		if (result != ISC_R_SUCCESS)
+-			return (result);
+-
+-		dns_rdataset_init(&keyset);
+-		if (view == NULL)
+-			return (DNS_R_KEYUNAUTHORIZED);
+-		result = dns_view_simplefind(view, &sig.signer,
+-					     dns_rdatatype_key /* SIG(0) */,
+-					     0, 0, false, &keyset, NULL);
+-
+-		if (result != ISC_R_SUCCESS) {
+-			/* XXXBEW Should possibly create a fetch here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		} else if (keyset.trust < dns_trust_secure) {
+-			/* XXXBEW Should call a validator here */
+-			result = DNS_R_KEYUNAUTHORIZED;
+-			goto freesig;
+-		}
+-		result = dns_rdataset_first(&keyset);
+-		INSIST(result == ISC_R_SUCCESS);
+-		for (;
+-		     result == ISC_R_SUCCESS;
+-		     result = dns_rdataset_next(&keyset))
+-		{
+-			dst_key_t *key = NULL;
+-
+-			dns_rdata_reset(&rdata);
+-			dns_rdataset_current(&keyset, &rdata);
+-			isc_buffer_init(&b, rdata.data, rdata.length);
+-			isc_buffer_add(&b, rdata.length);
+-
+-			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
+-						 &b, view->mctx, &key);
+-			if (result != ISC_R_SUCCESS)
+-				continue;
+-			if (dst_key_alg(key) != sig.algorithm ||
+-			    dst_key_id(key) != sig.keyid ||
+-			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+-			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+-			{
+-				dst_key_free(&key);
+-				continue;
+-			}
+-			result = dns_dnssec_verifymessage(&msgb, msg, key);
+-			dst_key_free(&key);
+-			if (result == ISC_R_SUCCESS)
+-				break;
+-		}
+-		if (result == ISC_R_NOMORE)
+-			result = DNS_R_KEYUNAUTHORIZED;
+-
+- freesig:
+-		if (dns_rdataset_isassociated(&keyset))
+-			dns_rdataset_disassociate(&keyset);
+-		dns_rdata_freestruct(&sig);
+-		return (result);
++		return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ 	}
+ }
+ 
+-- 
+2.33.0
+

backport-Fix-CVE-2022-2928.patch

@@ -0,0 +1,113 @@
+onflict:NA
+Reference:https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2928.4-4-3.diff
+---
+ common/options.c               |  7 +++++
+ common/tests/option_unittest.c | 53 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+)
+
+diff --git a/common/options.c b/common/options.c
+index a53484e..40238f7 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4499,6 +4499,8 @@ add_option(struct option_state *options,
+ 	if (!option_cache_allocate(&oc, MDL)) {
+ 		log_error("No memory for option cache adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		return 0;
+ 	}
+ 
+@@ -4510,6 +4512,8 @@ add_option(struct option_state *options,
+ 			     MDL)) {
+ 		log_error("No memory for constant data adding %s (option %d).",
+ 			  option->name, option_num);
++		/* Get rid of reference created during hash lookup. */
++		option_dereference(&option, MDL);
+ 		option_cache_dereference(&oc, MDL);
+ 		return 0;
+ 	}
+@@ -4518,6 +4522,9 @@ add_option(struct option_state *options,
+ 	save_option(&dhcp_universe, options, oc);
+ 	option_cache_dereference(&oc, MDL);
+ 
++	/* Get rid of reference created during hash lookup. */
++	option_dereference(&option, MDL);
++
+ 	return 1;
+ }
+ 
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index cd52cfb..7e477ae 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -129,6 +129,58 @@ ATF_TC_BODY(pretty_print_option, tc)
+     }
+ }
+ 
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++	atf_tc_set_md_var(tc, "descr",
++		"Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++	struct option_state *options = NULL;
++	struct option *option = NULL;
++	unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++	char *cid_str = "1234";
++	int refcnt_before = 0;
++
++	// Look up the option we're going to add.
++	initialize_common_option_spaces();
++	if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++				&cid_code, 0, MDL)) {
++		atf_tc_fail("cannot find option definition?");
++	}
++
++	// Get the option's reference count before we call add_options.
++	refcnt_before = option->refcnt;
++
++	// Allocate a option_state to which to add an option.
++	if (!option_state_allocate(&options, MDL)) {
++		atf_tc_fail("cannot allocat options state");
++	}
++
++	// Call add_option() to add the option to the option state.
++	if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++		atf_tc_fail("add_option returned 0");
++	}
++
++	// Verify that calling add_option() only adds 1 to the option ref count.
++	if (option->refcnt != (refcnt_before + 1)) {
++		atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++			    refcnt_before, option->refcnt);
++	}
++
++	// Derefrence the option_state, this should reduce the ref count to
++	// it's starting value.
++	option_state_dereference(&options, MDL);
++
++	// Verify that dereferencing option_state restores option ref count.
++	if (option->refcnt != refcnt_before) {
++		atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++			    refcnt_before, option->refcnt);
++	}
++}
+ 
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+@@ -137,6 +189,7 @@ ATF_TP_ADD_TCS(tp)
+ {
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
++    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }
+-- 
+2.23.0
+

backport-Fix-CVE-2022-2929.patch

@@ -0,0 +1,34 @@
+Conflict:NA
+Reference:https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/CVE-2022-2929.4-4-3.diff
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index 40238f7..11b1961 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ 		while (s < &bp -> data[0] + length + 2) {
+ 			len = *s;
+ 			if (len > 63) {
+-				log_info ("fancy bits in fqdn option");
+-				return 0;
++				log_info ("label length exceeds 63 in fqdn option");
++				goto bad;
+ 			}
+ 			if (len == 0) {
+ 				terminated = 1;
+ 				break;
+ 			}
+ 			if (s + len > &bp -> data [0] + length + 3) {
+-				log_info ("fqdn tag longer than buffer");
+-				return 0;
++				log_info ("fqdn label longer than buffer");
++				goto bad;
+ 			}
+ 
+ 			if (first_len == 0) {
+-- 
+2.27.0
+

backport-optimize-the-slabheader-placement-for-certain-RRtype.patch

@@ -0,0 +1,98 @@
+From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 29 Jan 2024 16:36:30 +0100
+Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
+ 
+Mark the infrastructure RRTypes as "priority" types and place them at
+the beginning of the rdataslab header data graph.  The non-priority
+types either go right after the priority types (if any).
+ 
+(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
+ 
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
+ 
+---
+ bind/bind-9.11.14/lib/dns/rbtdb.c | 44 +++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/bind/bind-9.11.14/lib/dns/rbtdb.c b/bind/bind-9.11.14/lib/dns/rbtdb.c
+index 68e6a89..5886431 100644
+--- a/bind/bind-9.11.14/lib/dns/rbtdb.c
++++ b/bind/bind-9.11.14/lib/dns/rbtdb.c
+@@ -1125,6 +1125,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+ 		isc_heap_decreased(heap, header->heap_index);
+ }
+ 
++static bool
++prio_type(rbtdb_rdatatype_t type) {
++	switch (type) {
++	case dns_rdatatype_soa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
++	case dns_rdatatype_a:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++	case dns_rdatatype_aaaa:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
++	case dns_rdatatype_nsec:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
++	case dns_rdatatype_nsec3:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
++	case dns_rdatatype_ns:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
++	case dns_rdatatype_ds:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
++	case dns_rdatatype_cname:
++	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++		return (true);
++	}
++	return (false);
++}
++
+ /*%
+  * These functions allow the heap code to rank the priority of each
+  * element.  It returns true if v1 happens "sooner" than v2.
+@@ -6101,6 +6125,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ {
+ 	rbtdb_changed_t *changed = NULL;
+ 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
++	rdatasetheader_t *prioheader = NULL;
+ 	unsigned char *merged;
+ 	isc_result_t result;
+ 	bool header_nx;
+@@ -6239,6 +6264,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 	for (topheader = rbtnode->data;
+ 	     topheader != NULL;
+ 	     topheader = topheader->next) {
++		if (prio_type(topheader->type)) {
++			prioheader = topheader;
++		}
+ 		if (topheader->type == newheader->type ||
+ 		    topheader->type == negtype)
+ 			break;
+@@ -6591,9 +6619,21 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ 			/*
+ 			 * No rdatasets of the given type exist at the node.
+ 			 */
+-			newheader->next = rbtnode->data;
+ 			newheader->down = NULL;
+-			rbtnode->data = newheader;
++
++			if (prio_type(newheader->type)) {
++				/* This is a priority type, prepend it */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			} else if (prioheader != NULL) {
++				/* Append after the priority headers */
++				newheader->next = prioheader->next;
++				prioheader->next = newheader;
++			} else {
++				/* There were no priority headers */
++				newheader->next = rbtnode->data;
++				rbtnode->data = newheader;
++			}
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+

bugfix-cancel-rebind6-timer-after-ipv6-expire.patch

@@ -0,0 +1,54 @@
+From 6fced85ebcd9563ceb78675d0f4ff3e3d0eea90b Mon Sep 17 00:00:00 2001
+From: huyizhen <huyizhen2@huawei.com>
+Date: Thu, 24 Oct 2024 21:36:06 +0800
+Subject: huawei-cancel-rebind6-timer-after-ipv6-expire
+
+Solve below question:
+Oct 23 16:38:04 localhost dhclient[141133]: PRC: Address 6636::3c depreferred.
+Oct 23 16:38:04 localhost dhclient[141133]: XMT: Rebind on enp4s0, interval 00ms.
+Oct 23 16:38:04 localhost dhclient[141133]: Impossible condition at dhc6.c:279.
+Oct 23 16:38:04 localhost dhclient[141133]:
+Oct 23 16:38:04 localhost dhclient[141133]: If you think you have received this message due to a bug rather
+Oct 23 16:38:04 localhost dhclient[141133]: than a configuration issue please read the section on submitting
+Oct 23 16:38:04 localhost dhclient[141133]: bugs on either our web page at www.isc.org or in the README file
+Oct 23 16:38:04 localhost dhclient[141133]: before submitting a bug. These pages explain the proper
+Oct 23 16:38:04 localhost dhclient[141133]: process and the information we find helpful for debugging.
+Oct 23 16:38:04 localhost dhclient[141133]:
+Oct 23 16:38:04 localhost dhclient[141133]: exiting.
+
+The reason is:
+1. After the REBIND message is retransmitted for the second time, the REBIND timer checks whether the REBIND message
+is received 5 seconds later and sets the RT field to 0. (Because the 5s timer expires when the timer expires, no next
+retransmission will occur.)
+2. After 5s, the DEPREFER timer is triggered first. The DEPREFER timer considers that the REBIND timer expires and set
+MRD field to 0, but the previously set REBIND timer is not canceled.
+3. The REBIND timer is triggered immediately. Because the MRD is set to 0, the retransmission timer considers that the
+maximum retransmission duration is not limited and attempts to continue the retransmission.
+4. During the retransmission process, the RT value is 0 (retransmission is performed after 0s), and the process exits.
+As a result, the DHCP6 function becomes abnormal.
+
+Solution:
+Cencle REBIND timer when DEPREFER timer considers that the REBIND timer expires.
+
+---
+ client/dhc6.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/client/dhc6.c b/client/dhc6.c
+index 88fd07d..2dbea60 100644
+--- a/client/dhc6.c
++++ b/client/dhc6.c
+@@ -4656,6 +4656,10 @@ dhc6_check_times(struct client_state *client)
+ 		 * depreffed an address.
+ 		 */
+ 		client->MRD = hi_expire - cur_time;
++		/* Rebind expired, cancel rebind(do_refresh6) timer. */
++		if (client->MRD == 0) {
++			cancel_timeout(do_refresh6, client);
++		}
+ 		break;
+ 
+ 	      default:
+-- 
+2.33.0
+

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.2
-Release:   8
+Release:   13
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -58,6 +58,20 @@ Patch37: backport-Fix-CVE-2021-25214.patch
 Patch38: backport-Fix-CVE-2021-25215.patch
 Patch39: backport-Fix-CVE-2021-25219.patch
 Patch40: backport-Fix-CVE-2021-25220.patch
+Patch41: backport-Fix-CVE-2022-2928.patch
+Patch42: backport-Fix-CVE-2022-2929.patch
+Patch43: backport-CVE-2022-2795.patch
+Patch44: backport-CVE-2022-38177.patch
+Patch45: backport-CVE-2022-38178.patch
+Patch46: IAID-is-output-has-hexe-if-it-contains-or.patch
+Patch47: bugfix-cancel-rebind6-timer-after-ipv6-expire.patch
+Patch48: backport-CVE-2024-1975.patch
+Patch49: backport-optimize-the-slabheader-placement-for-certain-RRtype.patch
+Patch50: backport-0001-CVE-2024-1737.patch
+Patch51: backport-0002-CVE-2024-1737.patch
+Patch52: backport-0003-CVE-2024-1737.patch
+Patch53: backport-0004-CVE-2024-1737.patch
+
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel bind-export-devel
 BuildRequires: systemd systemd-devel
@@ -299,6 +313,36 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Mon Nov 11 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.2-13
+- Type:CVE
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2024-1975,CVE-2024-1737
+
+* Tue Nov 05 2024 huyizhen <huyizhen2@huawei.com> - 12:4.4.2-12
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:cancel rebind6 timer after ipv6 expire
+
+* Sat Jan 20 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-11
+- Type:bugfix
+- ID:
+- SUG:restart
+- DESC:IAID is output has hexe if it contains '\' or '"'
+
+* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-10
+- Type:CVE
+- ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178
+- SUG:restart
+- DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178
+
+* Mon Oct 17 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-9
+- Type:cves
+- ID:CVE-2022-2928, CVE-2022-2929
+- SUG:restart
+- DESC: Fix CVE-2022-2928 and CVE-2022-2929
+
 * Tue Sep 27 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.2-8
 - Type:cves
 - ID:CVE-2021-25214, CVE-2021-25215, CVE-2021-25219, CVE-2021-25220