* [rpms/bind9-next] rawhide: Update to 9.21.22 (rhbz#2480122)
@ 2026-06-05 10:24
From: @ 2026-06-05 10:24 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/bind9-next
Branch : rawhide
Commit : 7ec75a1e1cf5c78d7fbddc15e415d63e0cfde575
Author : Petr Menšík <pemensik@redhat.com>
Date : 2026-06-03T15:56:35+02:00
Stats : +13/-165 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/bind9-next/c/7ec75a1e1cf5c78d7fbddc15e415d63e0cfde575?branch=rawhide
Log:
Update to 9.21.22 (rhbz#2480122)
Security Fixes:
- Limit resolver server list size. (CVE-2026-3592)
- Fix GSS-API resource leak. (CVE-2026-3039)
- Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946)
- Avoid unbounded recursion loop. (CVE-2026-5950)
- Fix crash in resolver when SIG(0)-signed responses are received under load. (CVE-2026-5947)
- Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. (CVE-2026-3593)
- Fix outgoing zone transfers' quota issue.
Feature Changes:
- Fix CPU spikes and slow queries when cache approaches memory limit.
- Implement RFC 3645 Section 4.1.1 key expiry check in TKEY.
- Reduce memory footprint by actively returning unused memory to the OS.
And multiple bugfixes.
Source: https://downloads.isc.org/isc/bind9/9.21.22/doc/arm/html/notes.html#notes-for-bind-9-21-22
---
diff --git a/bind-9.21-openssl4-malloc.patch b/bind-9.21-openssl4-malloc.patch
deleted file mode 100644
index 693cad4..0000000
--- a/bind-9.21-openssl4-malloc.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From c4b7f67b7d79150007412e370de3c21cc80057d6 Mon Sep 17 00:00:00 2001
-From: Aram Sargsyan <aram@isc.org>
-Date: Thu, 16 Apr 2026 17:31:04 +0000
-Subject: [PATCH] Remove OpenSSL memory tracking support from the ossl3.c
- module
-
-OPENSSL_cleanup() in OpenSSL 4 doesn't free the memory, and that is
-not compatible with BIND 9's memory leak detection code. Don't use
-custom allocation/deallocation functions for OpenSSL's internal memory
-management in the ossl3.c module.
-
-See https://github.com/openssl/openssl/pull/29721
-
-(cherry picked from commit 4ede6edc547109af81dc5c5ec25cf3ff7991bc10)
----
- lib/isc/crypto/ossl3.c | 90 +++++-------------------------------------
- 1 file changed, 9 insertions(+), 81 deletions(-)
-
-diff --git a/lib/isc/crypto/ossl3.c b/lib/isc/crypto/ossl3.c
-index 1c2f3cab9d..35344dc8b1 100644
---- a/lib/isc/crypto/ossl3.c
-+++ b/lib/isc/crypto/ossl3.c
-@@ -44,8 +44,6 @@ struct isc_hmac_key {
-
- constexpr uint32_t hmac_key_magic = ISC_MAGIC('H', 'M', 'A', 'C');
-
--static isc_mem_t *isc__crypto_mctx = NULL;
--
- static OSSL_PROVIDER *base = NULL, *fips = NULL;
-
- static EVP_MAC *evp_hmac = NULL;
-@@ -320,69 +318,6 @@ isc_hmac_final(isc_hmac_t *hmac, isc_buffer_t *out) {
- return ISC_R_SUCCESS;
- }
-
--#if ISC_MEM_TRACKLINES
--/*
-- * We use the internal isc__mem API here, so we can pass the file and line
-- * arguments passed from OpenSSL >= 1.1.0 to our memory functions for better
-- * tracking of the OpenSSL allocations. Without this, we would always just see
-- * isc__crypto_{malloc,realloc,free} in the tracking output, but with this in
-- * place we get to see the places in the OpenSSL code where the allocations
-- * happen.
-- */
--
--static void *
--isc__crypto_malloc_ex(size_t size, const char *file, int line) {
-- return isc__mem_allocate(isc__crypto_mctx, size, 0, __func__, file,
-- (unsigned int)line);
--}
--
--static void *
--isc__crypto_realloc_ex(void *ptr, size_t size, const char *file, int line) {
-- return isc__mem_reallocate(isc__crypto_mctx, ptr, size, 0, __func__,
-- file, (unsigned int)line);
--}
--
--static void
--isc__crypto_free_ex(void *ptr, const char *file, int line) {
-- if (ptr == NULL) {
-- return;
-- }
-- if (isc__crypto_mctx != NULL) {
-- isc__mem_free(isc__crypto_mctx, ptr, 0, __func__, file,
-- (unsigned int)line);
-- }
--}
--
--#else /* ISC_MEM_TRACKLINES */
--
--static void *
--isc__crypto_malloc_ex(size_t size, const char *file, int line) {
-- UNUSED(file);
-- UNUSED(line);
-- return isc_mem_allocate(isc__crypto_mctx, size);
--}
--
--static void *
--isc__crypto_realloc_ex(void *ptr, size_t size, const char *file, int line) {
-- UNUSED(file);
-- UNUSED(line);
-- return isc_mem_reallocate(isc__crypto_mctx, ptr, size);
--}
--
--static void
--isc__crypto_free_ex(void *ptr, const char *file, int line) {
-- UNUSED(file);
-- UNUSED(line);
-- if (ptr == NULL) {
-- return;
-- }
-- if (isc__crypto_mctx != NULL) {
-- isc__mem_free(isc__crypto_mctx, ptr, 0);
-- }
--}
--
--#endif /* ISC_MEM_TRACKLINES */
--
- bool
- isc_crypto_fips_mode(void) {
- return EVP_default_properties_is_fips_enabled(NULL) != 0;
-@@ -424,9 +359,17 @@ isc_crypto_fips_enable(void) {
- return ISC_R_SUCCESS;
- }
-
-+/*
-+ * OPENSSL_cleanup() in OpenSSL 4 doesn't free the memory, which is not
-+ * compatible with BIND 9's memory leak detection code, that is why the memory
-+ * tracking has been disabled in this module, and this function is a no-op.
-+ * This can be cleaned up once OpenSSL 1.1.x support is removed.
-+ *
-+ * See https://github.com/openssl/openssl/pull/29721
-+ */
- void
- isc__crypto_setdestroycheck(bool check) {
-- isc_mem_setdestroycheck(isc__crypto_mctx, check);
-+ UNUSED(check);
- }
-
- void
-@@ -437,19 +380,6 @@ isc__crypto_initialize(void) {
- */
- uint64_t opts = OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_NO_ATEXIT;
-
-- isc_mem_create("OpenSSL", &isc__crypto_mctx);
-- isc_mem_setdebugging(isc__crypto_mctx, 0);
-- isc_mem_setdestroycheck(isc__crypto_mctx, false);
--
-- /*
-- * CRYPTO_set_mem_(_ex)_functions() returns 1 on success or 0 on
-- * failure, which means OpenSSL already allocated some memory. There's
-- * nothing we can do about it.
-- */
-- (void)CRYPTO_set_mem_functions(isc__crypto_malloc_ex,
-- isc__crypto_realloc_ex,
-- isc__crypto_free_ex);
--
- RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
-
- register_algorithms();
-@@ -486,6 +416,4 @@ isc__crypto_shutdown(void) {
- }
-
- OPENSSL_cleanup();
--
-- isc_mem_detach(&isc__crypto_mctx);
- }
---
-2.54.0
-
diff --git a/bind-9.21-unittest-32b-mem.patch b/bind-9.21-unittest-32b-mem.patch
index ba968d8..90dee92 100644
--- a/bind-9.21-unittest-32b-mem.patch
+++ b/bind-9.21-unittest-32b-mem.patch
@@ -1,4 +1,4 @@
-From 0ec3954222bab0c7a74b379fc1982c55f89a90e4 Mon Sep 17 00:00:00 2001
+From e81b125a9c7eb9222b5f8298bec689e23287969b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 9 Apr 2026 10:51:57 +0200
Subject: [PATCH] Accept significantly lower memory consumption on 32b system
@@ -17,10 +17,10 @@ Signed-off-by: Petr Menšík <pemensik@redhat.com>
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/tests/dns/deleg_test.c b/tests/dns/deleg_test.c
-index 904eaeef00..cc4772977f 100644
+index d3af6ab..cbab065 100644
--- a/tests/dns/deleg_test.c
+++ b/tests/dns/deleg_test.c
-@@ -567,6 +567,22 @@ typedef struct {
+@@ -579,6 +579,22 @@ typedef struct {
isc_stdtime_t now;
} cleanup_ctx_t;
@@ -43,16 +43,16 @@ index 904eaeef00..cc4772977f 100644
static void
cleanuptests_phase3(void *arg) {
cleanup_ctx_t *ctx = arg;
-@@ -575,7 +591,7 @@ cleanuptests_phase3(void *arg) {
+@@ -587,7 +603,7 @@ cleanuptests_phase3(void *arg) {
dns_delegset_t *delegset = NULL;
isc_result_t result;
-- assert_int_in_range(isc_mem_inuse(db->mctx), 4000000, 4100000);
+- assert_int_in_range(isc_mem_inuse(db->mctx), 8000000, 8100000);
+ cleanuptests_memcheck1(db->mctx, 3);
/*
* baz. is there, but bar. is gone, as it has been
-@@ -600,7 +616,7 @@ cleanuptests_phase2(void *arg) {
+@@ -612,7 +628,7 @@ cleanuptests_phase2(void *arg) {
dns_delegset_t *delegset = NULL;
isc_result_t result;
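Review bot: The assertion this refreshed patch strips from `cleanuptests_phase3` now reads `8000000, 8100000` where the previous revision stripped `4000000, 4100000`, yet the replacement call `cleanuptests_memcheck1(db->mctx, 3)` is carried over unchanged, and no hunk of this refresh appears to touch the helper's definition earlier in the patch. If the helper's accepted ranges were derived from the old baseline, the test may now fail, or accept a window that no longer constrains memory use on 64-bit builds. This cannot be confirmed from here because the helper body lies outside the hunk. I would re-check the bounds against 9.21.22 and record the result in the patch description, for example `Bounds in cleanuptests_memcheck1 re-verified against the 9.21.22 baseline.`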
@@ -61,7 +61,7 @@ index 904eaeef00..cc4772977f 100644
/*
* bar. is there
-@@ -620,7 +636,7 @@ cleanuptests_phase2(void *arg) {
+@@ -632,7 +648,7 @@ cleanuptests_phase2(void *arg) {
for (size_t i = 0; i < 99999; i++) {
addipdeleg(AF_INET6, "1111::2222", delegset, deleg);
}
@@ -70,7 +70,7 @@ index 904eaeef00..cc4772977f 100644
writedb(db, "baz.", 30, &delegset, true);
deleg = NULL;
-@@ -669,8 +685,7 @@ cleanuptests(ISC_ATTR_UNUSED void *arg) {
+@@ -681,8 +697,7 @@ cleanuptests(ISC_ATTR_UNUSED void *arg) {
addipdeleg(AF_INET6, "1111::2222", delegset, deleg);
}
@@ -80,7 +80,7 @@ index 904eaeef00..cc4772977f 100644
writedb(db, "stuff.", 10, &delegset, true);
deleg = NULL;
stdtime_now += 10;
-@@ -691,7 +706,7 @@ cleanuptests(ISC_ATTR_UNUSED void *arg) {
+@@ -703,7 +718,7 @@ cleanuptests(ISC_ATTR_UNUSED void *arg) {
* with DB mem context) overmem conditions will be detected, and the
* expired node will be removed
*/
@@ -90,5 +90,5 @@ index 904eaeef00..cc4772977f 100644
deleg = NULL;
--
-2.53.0
+2.54.0
diff --git a/bind9-next.spec b/bind9-next.spec
index c7343da..2dc204d 100644
--- a/bind9-next.spec
+++ b/bind9-next.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind9-next
License: MPL-2.0 AND ISC AND BSD-3-clause AND MIT AND BSD-2-clause
#
-Version: 9.21.21
+Version: 9.21.22
Release: %autorelease
Epoch: 32
Url: https://www.isc.org/downloads/bind/
@@ -90,8 +90,6 @@ Patch1: bind-9.16-redhat_doc.patch
Patch4: bind-9.21-unittest-qpdb-i386.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11825
Patch5: bind-9.21-unittest-32b-mem.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11865
-Patch6: bind-9.21-openssl4-malloc.patch
%{?systemd_ordering}
Requires: coreutils
diff --git a/sources b/sources
index 4641049..c97ab7f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.21.21.tar.xz) = ebb05d1141d38bd1897bb0de1475194ca6e9335e1a295ab388376d880de1a0569279b734433f469565eccdea91cc8e6e3603b2879be700bf27082ff075bdbe49
-SHA512 (bind-9.21.21.tar.xz.asc) = bad3fa0355742b57bc711c2f3f6bddd220bf5a5d4f5fa3b3ef9f2172247f184e637688080b0fc8cc67d37e1ee41bf484062f3a529d9942454b243a46091761b3
+SHA512 (bind-9.21.22.tar.xz) = f9e11d150162661c755dabdd7862c0565e6a10077e2a6aee04f8cefce94c262d8928ff9e42f8c8750242aee3b0992afe2f49f72f0f8cab8b7e4ae1c9fc06e0fa
+SHA512 (bind-9.21.22.tar.xz.asc) = 1e0bd14fad5754e12b6a4855dbed698dba74468790948316e17442e5bc840fc81d18e590fd78186a1e26e9526870b13470dcef6a15644e91775cc8883813ad24