From aea68014445fd1b2c75c3a9c63c03cf48f1fbdbc Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik@redhat.com>
Date: Jul 17 2019 10:08:23 +0000
Subject: Update to 9.11.8


Contains:
5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]

---

diff --git a/.gitignore b/.gitignore
index 9775b64..ecd31fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,3 +92,4 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.5-P4.tar.gz
 /bind-9.11.6.tar.gz
 /bind-9.11.6-P1.tar.gz
+/bind-9.11.8.tar.gz
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index 65a2e83..9468850 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -300,10 +300,10 @@ index a058c91..d4b689a 100644
  DEPLIBS =	${ISCDEPLIBS}
  
 diff --git a/configure.ac b/configure.ac
-index 5e4e839..0ef2c8f 100644
+index d48fd51..79c96f8 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1081,12 +1081,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1089,12 +1089,14 @@ AC_SUBST(USE_GSSAPI)
  AC_SUBST(DST_GSSAPI_INC)
  AC_SUBST(DNS_GSSAPI_LIBS)
  DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@@ -318,7 +318,7 @@ index 5e4e839..0ef2c8f 100644
  
  #
  # was --with-randomdev specified?
-@@ -1471,11 +1473,11 @@ fi
+@@ -1479,11 +1481,11 @@ fi
  AC_MSG_CHECKING(for OpenSSL library)
  OPENSSL_WARNING=
  openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@@ -335,7 +335,7 @@ index 5e4e839..0ef2c8f 100644
  
  if test "auto" = "$use_openssl"
  then
-@@ -1488,6 +1490,7 @@ then
+@@ -1496,6 +1498,7 @@ then
  		fi
  	done
  fi
@@ -343,7 +343,7 @@ index 5e4e839..0ef2c8f 100644
  OPENSSL_ECDSA=""
  OPENSSL_GOST=""
  OPENSSL_ED25519=""
-@@ -1509,11 +1512,10 @@ case "$with_gost" in
+@@ -1517,11 +1520,10 @@ case "$with_gost" in
  		;;
  esac
  
@@ -358,7 +358,7 @@ index 5e4e839..0ef2c8f 100644
  		CRYPTOLIB="pkcs11"
  		OPENSSLECDSALINKOBJS=""
  		OPENSSLECDSALINKSRCS=""
-@@ -1523,7 +1525,9 @@ case "$use_openssl" in
+@@ -1531,7 +1533,9 @@ case "$use_openssl" in
  		OPENSSLGOSTLINKSRCS=""
  		OPENSSLLINKOBJS=""
  		OPENSSLLINKSRCS=""
@@ -369,7 +369,7 @@ index 5e4e839..0ef2c8f 100644
  	no)
  		AC_MSG_RESULT(no)
  		DST_OPENSSL_INC=""
-@@ -1555,7 +1559,7 @@ case "$use_openssl" in
+@@ -1563,7 +1567,7 @@ case "$use_openssl" in
  If you do not want OpenSSL, use --without-openssl])
  		;;
  	*)
@@ -378,7 +378,7 @@ index 5e4e839..0ef2c8f 100644
  		then
  			AC_MSG_RESULT()
  			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -1983,6 +1987,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -1991,6 +1995,7 @@ AC_SUBST(OPENSSL_ED25519)
  AC_SUBST(OPENSSL_GOST)
  
  DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -386,7 +386,7 @@ index 5e4e839..0ef2c8f 100644
  
  ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
  if test "yes" = "$with_aes"
-@@ -2306,6 +2311,7 @@ esac
+@@ -2314,6 +2319,7 @@ esac
  AC_SUBST(PKCS11LINKOBJS)
  AC_SUBST(PKCS11LINKSRCS)
  AC_SUBST(CRYPTO)
@@ -394,7 +394,7 @@ index 5e4e839..0ef2c8f 100644
  AC_SUBST(PKCS11_ECDSA)
  AC_SUBST(PKCS11_GOST)
  AC_SUBST(PKCS11_ED25519)
-@@ -5428,8 +5434,11 @@ AC_CONFIG_FILES([
+@@ -5441,8 +5447,11 @@ AC_CONFIG_FILES([
  	bin/delv/Makefile
  	bin/dig/Makefile
  	bin/dnssec/Makefile
@@ -406,7 +406,7 @@ index 5e4e839..0ef2c8f 100644
  	bin/nsupdate/Makefile
  	bin/pkcs11/Makefile
  	bin/python/Makefile
-@@ -5502,6 +5511,10 @@ AC_CONFIG_FILES([
+@@ -5515,6 +5524,10 @@ AC_CONFIG_FILES([
  	lib/dns/include/dns/Makefile
  	lib/dns/include/dst/Makefile
  	lib/dns/tests/Makefile
@@ -417,7 +417,7 @@ index 5e4e839..0ef2c8f 100644
  	lib/irs/Makefile
  	lib/irs/include/Makefile
  	lib/irs/include/irs/Makefile
-@@ -5526,6 +5539,24 @@ AC_CONFIG_FILES([
+@@ -5539,6 +5552,24 @@ AC_CONFIG_FILES([
  	lib/isc/unix/include/Makefile
  	lib/isc/unix/include/isc/Makefile
  	lib/isc/unix/include/pkcs11/Makefile
@@ -456,7 +456,7 @@ index 81270a0..bcb5312 100644
  
  @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 56dd259..f9aa782 100644
+index f6868d1..ea6fd36 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
 @@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -501,9 +501,9 @@ index 56dd259..f9aa782 100644
  
  include: gen
  	${MAKE} include/dns/enumtype.h
-@@ -183,22 +183,22 @@ gen: gen.c
- 	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
- 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+@@ -185,22 +185,22 @@ gen: gen.c
+ 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+ 	${BUILD_LIBS} ${LFS_LIBS}
  
 -timestamp: include libdns.@A@
 +timestamp: include libdns-pkcs11.@A@
diff --git a/bind-9.11.8.tar.gz.asc b/bind-9.11.8.tar.gz.asc
new file mode 100644
index 0000000..fb0ac3b
--- /dev/null
+++ b/bind-9.11.8.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlz45qgACgkQdLtrmky7
+PThZoxAAuqUxL9JV1NsvODkJ049F8hRrrzhN8Vgx19D/w6oLWawaHuOahU67RYWh
+OGa3D72G0mClVFBABTV9YiAwkNnbkq3Nkclh6riWDjAO3RPKMo50yiAhLKSt2Z4N
+i0dMSIzZb8T9nq19T9JI1loyEG3oU+I97uWLyzrLe2WqCpSmdCTNd8PsD/0r+MxV
+QnBt1RFHda4z7r0fYLMw5oALXiNttPg6JdKByssgmYB6DYYw4f9ywMj1e8Jnn307
+6BXMweF0uOpGgy18HzgdfSjMNc3g9WKU86gTyAblAd1HALtdwe/VKgH1ZVJZoflT
+QnxzJDDjNbKE5OP7TOgzN9pLPCGwvQhpHDqGTTn+cTj5h9pQZcfq0vQQJ+MGzFWF
+kj0TUeLYs9FNnJt91Rpk+T96sOUypOrpPM9RdAEKp38qSMmZN8DJ83sga2b1OCqr
+zIcuQOBuXlKu9uD9g2cTquGGSG0vGvVSx0OXogUYEPS635AZbyZ9IqSntlDE+cnS
+mJt7jCQv+DVFVDUiyfLcdmPZk0U88hHdruKTbN3dc+a+OMddukPM4AepLKgdAWkQ
+F9et7SJ5VeiGiHgIwJaeu04VhD4DuQILo6xx7wxJIiPQ8H1sazdrikcn70hxMQwB
+yq1tBfQHTUfHmZBCytMVRR3sEQscv/7MBEhS9DXmNRYfIXrXKIE=
+=j1R3
+-----END PGP SIGNATURE-----
diff --git a/bind.spec b/bind.spec
index 737c418..6d3ac25 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
 # Red Hat BIND package .spec file
 #
 
-%global PATCHVER P1
+#%%global PATCHVER P1
 #%%global PREVER rc1
 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
 
@@ -52,8 +52,8 @@
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.11.6
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version:  9.11.8
+Release:  1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -1511,6 +1511,9 @@ fi;
 
 
 %changelog
+* Tue Jul 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-1
+- Update to 9.11.8
+
 * Mon Jun 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-2
 - Fix OpenSSL random generator initialization
 
diff --git a/sources b/sources
index 413be45..a8b7813 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
+SHA512 (bind-9.11.8.tar.gz) = 0192d6e087cdbdebec171869d908c4326c2575d65ee5367a78ed9da26de357e017b0306349d66a6016a7ec80ad27f5f7f9f2db25002c6d0c78589dc473a015fc
 SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c