From 96aeb7d8d23f418839a2126f05c3000420d9aa9d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 31 2021 07:48:21 +0000
Subject: import bind-9.11.4-26.P2.el7_9.7


---

diff --git a/SOURCES/bind-9.11-CVE-2021-25214.patch b/SOURCES/bind-9.11-CVE-2021-25214.patch
new file mode 100644
index 0000000..83f445b
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2021-25214.patch
@@ -0,0 +1,44 @@
+From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 3 Feb 2021 11:10:20 +1100
+Subject: [PATCH] Check SOA owner names in zone transfers
+
+An IXFR containing SOA records with owner names different than the
+transferred zone's origin can result in named serving a version of that
+zone without an SOA record at the apex.  This causes a RUNTIME_CHECK
+assertion failure the next time such a zone is refreshed.  Fix by
+immediately rejecting a zone transfer (either an incremental or
+non-incremental one) upon detecting an SOA record not placed at the apex
+of the transferred zone.
+---
+ lib/dns/xfrin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 3a3f407289..0ba82e4974 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+ 	    dns_rdatatype_ismeta(rdata->type))
+ 		FAIL(DNS_R_FORMERR);
+ 
++	/*
++	 * Immediately reject the entire transfer if the RR that is currently
++	 * being processed is an SOA record that is not placed at the zone
++	 * apex.
++	 */
++	if (rdata->type == dns_rdatatype_soa &&
++	    !dns_name_equal(&xfr->name, name)) {
++		char namebuf[DNS_NAME_FORMATSIZE];
++		dns_name_format(name, namebuf, sizeof(namebuf));
++		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++			  namebuf);
++		FAIL(DNS_R_NOTZONETOP);
++	}
++
+  redo:
+ 	switch (xfr->state) {
+ 	case XFRST_SOAQUERY:
+-- 
+2.26.3
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index e2c34f2..9a65216 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -64,7 +64,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.4
-Release:  26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.5
+Release:  26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.7
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -179,6 +179,8 @@ Patch192: bind98-rh1769876.patch
 Patch193: bind-9.11-rh1889902.patch
 Patch194: bind-9.11-CVE-2020-8625.patch
 Patch195: bind-9.11-CVE-2021-25215.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf
+Patch196: bind-9.11-CVE-2021-25214.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -551,6 +553,7 @@ are used for building ISC DHCP.
 %patch193 -p1 -b .rh1889902
 %patch194 -p1 -b .CVE-2020-8625
 %patch195 -p1 -b .CVE-2021-25215
+%patch196 -p1 -b .CVE-2021-25214
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
@@ -1532,6 +1535,12 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Tue Jul 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-26.P2.7
+- Apply again patch 172, got removed by mistake
+
+* Mon May 17 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-26.P2.6
+- Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214)
+
 * Tue Apr 27 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-26.P2.5
 - Possible assertion failure on DNAME processing (CVE-2021-25215)