diff --git a/SOURCES/bind-99-socket-maxevents.patch b/SOURCES/bind-99-socket-maxevents.patch
new file mode 100644
index 0000000..75fe038
--- /dev/null
+++ b/SOURCES/bind-99-socket-maxevents.patch
@@ -0,0 +1,13 @@
+diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
+index 05eaeaa..82d0d16 100644
+--- a/lib/isc/unix/socket.c
++++ b/lib/isc/unix/socket.c
+@@ -214,7 +214,7 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
+ */
+ #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+ #ifndef ISC_SOCKET_MAXEVENTS
+-#define ISC_SOCKET_MAXEVENTS 64
++#define ISC_SOCKET_MAXEVENTS 2048
+ #endif
+ #endif
+
diff --git a/SOURCES/bind99-CVE-2015-5722.patch b/SOURCES/bind99-CVE-2015-5722.patch
new file mode 100644
index 0000000..bb240ac
--- /dev/null
+++ b/SOURCES/bind99-CVE-2015-5722.patch
@@ -0,0 +1,449 @@
+diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
+index 7a56c79..3ac01a8 100644
+--- a/lib/dns/hmac_link.c
++++ b/lib/dns/hmac_link.c
+@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
+ hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ if (hmacmd5ctx == NULL)
+ return (ISC_R_NOMEMORY);
+- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
++ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+ dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+ return (ISC_R_SUCCESS);
+ }
+@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ else if (hkey1 == NULL || hkey2 == NULL)
+ return (ISC_FALSE);
+
+- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
++ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
+ isc_buffer_t b;
+ isc_result_t ret;
+ unsigned int bytes;
+- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
++ unsigned char data[ISC_MD5_BLOCK_LENGTH];
+
+ UNUSED(callback);
+
+ bytes = (key->key_size + 7) / 8;
+- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+- bytes = ISC_SHA1_BLOCK_LENGTH;
+- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
++ if (bytes > ISC_MD5_BLOCK_LENGTH) {
++ bytes = ISC_MD5_BLOCK_LENGTH;
++ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+ }
+
+- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+ ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+ if (ret != ISC_R_SUCCESS)
+@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
+ isc_buffer_init(&b, data, bytes);
+ isc_buffer_add(&b, bytes);
+ ret = hmacmd5_fromdns(key, &b);
+- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
++ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+
+ return (ret);
+ }
+@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
+
+ memset(hkey->key, 0, sizeof(hkey->key));
+
+- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
++ if (r.length > ISC_MD5_BLOCK_LENGTH) {
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, hkey->key);
+@@ -237,6 +237,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacmd5 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -518,6 +520,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha1 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha224 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1090,6 +1096,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha256 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1376,6 +1384,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha384 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+@@ -1662,6 +1672,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ key->key_size = keylen * 8;
+ key->keydata.hmacsha512 = hkey;
+
++ isc_buffer_forward(data, r.length);
++
+ return (ISC_R_SUCCESS);
+ }
+
+diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
+index bdbd269..37853aa 100644
+--- a/lib/dns/include/dst/dst.h
++++ b/lib/dns/include/dst/dst.h
+@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
+ #define DST_ALG_HMACSHA256 163 /* XXXMPA */
+ #define DST_ALG_HMACSHA384 164 /* XXXMPA */
+ #define DST_ALG_HMACSHA512 165 /* XXXMPA */
++#define DST_ALG_INDIRECT 252
+ #define DST_ALG_PRIVATE 254
+ #define DST_ALG_EXPAND 255
+ #define DST_MAX_ALGS 255
+diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
+index bcb3d05..3114954 100644
+--- a/lib/dns/ncache.c
++++ b/lib/dns/ncache.c
+@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+ dns_name_fromregion(&tname, &remaining);
+ INSIST(remaining.length >= tname.length);
+ isc_buffer_forward(&source, tname.length);
+- remaining.length -= tname.length;
+- remaining.base += tname.length;
++ isc_region_consume(&remaining, tname.length);
+
+ INSIST(remaining.length >= 2);
+ type = isc_buffer_getuint16(&source);
+- remaining.length -= 2;
+- remaining.base += 2;
++ isc_region_consume(&remaining, 2);
+
+ if (type != dns_rdatatype_rrsig ||
+ !dns_name_equal(&tname, name)) {
+@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+ INSIST(remaining.length >= 1);
+ trust = isc_buffer_getuint8(&source);
+ INSIST(trust <= dns_trust_ultimate);
+- remaining.length -= 1;
+- remaining.base += 1;
++ isc_region_consume(&remaining, 1);
+
+ raw = remaining.base;
+ count = raw[0] * 256 + raw[1];
+diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
+index 55752da..f0cee8d 100644
+--- a/lib/dns/openssldh_link.c
++++ b/lib/dns/openssldh_link.c
+@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
+
+ static void
+ uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+- *region->base++ = (val & 0xff00) >> 8;
+- *region->base++ = (val & 0x00ff);
++ *region->base = (val & 0xff00) >> 8;
++ isc_region_consume(region, 1);
++ *region->base = (val & 0x00ff);
++ isc_region_consume(region, 1);
+ }
+
+ static isc_uint16_t
+@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
+ val = ((unsigned int)(cp[0])) << 8;
+ val |= ((unsigned int)(cp[1]));
+
+- region->base += 2;
++ isc_region_consume(region, 2);
++
+ return (val);
+ }
+
+@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ }
+ else
+ BN_bn2bin(dh->p, r.base);
+- r.base += plen;
++ isc_region_consume(&r, plen);
+
+ uint16_toregion(glen, &r);
+ if (glen > 0)
+ BN_bn2bin(dh->g, r.base);
+- r.base += glen;
++ isc_region_consume(&r, glen);
+
+ uint16_toregion(publen, &r);
+ BN_bn2bin(dh->pub_key, r.base);
+- r.base += publen;
++ isc_region_consume(&r, publen);
+
+ isc_buffer_add(data, dnslen);
+
+@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (plen == 1 || plen == 2) {
+- if (plen == 1)
+- special = *r.base++;
+- else
++ if (plen == 1) {
++ special = *r.base;
++ isc_region_consume(&r, 1);
++ } else {
+ special = uint16_fromregion(&r);
++ }
+ switch (special) {
+ case 1:
+ dh->p = &bn768;
+@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+- }
+- else {
++ } else {
+ dh->p = BN_bin2bn(r.base, plen, NULL);
+- r.base += plen;
++ isc_region_consume(&r, plen);
+ }
+
+ /*
+@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+- }
+- else {
++ } else {
+ if (glen == 0) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ dh->g = BN_bin2bn(r.base, glen, NULL);
+ }
+- r.base += glen;
++ isc_region_consume(&r, glen);
+
+ if (r.length < 2) {
+ DH_free(dh);
+@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+- r.base += publen;
++ isc_region_consume(&r, publen);
+
+ key->key_size = BN_num_bits(dh->p);
+
+diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
+index fd6e91e..8e16557 100644
+--- a/lib/dns/openssldsa_link.c
++++ b/lib/dns/openssldsa_link.c
+@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ DSA *dsa = key->keydata.dsa;
+ isc_region_t r;
+ DSA_SIG *dsasig;
++ unsigned int klen;
+ #if USE_EVP
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey;
+@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ "DSA_do_sign",
+ DST_R_SIGNFAILURE));
+ #endif
+- *r.base++ = (key->key_size - 512)/64;
++
++ klen = (key->key_size - 512)/64;
++ if (klen > 255)
++ return (ISC_R_FAILURE);
++ *r.base = klen;
++ isc_region_consume(&r, 1);
++
+ BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+- r.base += ISC_SHA1_DIGESTLENGTH;
++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+- r.base += ISC_SHA1_DIGESTLENGTH;
++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ DSA_SIG_free(dsasig);
+ isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ if (r.length < (unsigned int) dnslen)
+ return (ISC_R_NOSPACE);
+
+- *r.base++ = t;
++ *r.base = t;
++ isc_region_consume(&r, 1);
+ BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+- r.base += ISC_SHA1_DIGESTLENGTH;
++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+ BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+ BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+ BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+
+ isc_buffer_add(data, dnslen);
+
+@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ return (ISC_R_NOMEMORY);
+ dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+
+- t = (unsigned int) *r.base++;
++ t = (unsigned int) *r.base;
++ isc_region_consume(&r, 1);
+ if (t > 8) {
+ DSA_free(dsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ p_bytes = 64 + 8 * t;
+
+- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
++ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ DSA_free(dsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+
+ dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+- r.base += ISC_SHA1_DIGESTLENGTH;
++ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+
+ dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+
+ dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+
+ dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+- r.base += p_bytes;
++ isc_region_consume(&r, p_bytes);
+
+ key->key_size = p_bytes * 8;
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index c64cc55..40c612b 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ "ECDSA_do_sign",
+ DST_R_SIGNFAILURE));
+ BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+- r.base += siglen / 2;
++ isc_region_consume(&r, siglen / 2);
+ BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+- r.base += siglen / 2;
++ isc_region_consume(&r, siglen / 2);
+ ECDSA_SIG_free(ecdsasig);
+ isc_buffer_add(sig, siglen);
+ ret = ISC_R_SUCCESS;
+diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
+index 1edeb8d..53c6d4b 100644
+--- a/lib/dns/opensslrsa_link.c
++++ b/lib/dns/opensslrsa_link.c
+@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ RSA *rsa;
+ isc_region_t r;
+ unsigned int e_bytes;
++ unsigned int length;
+ #if USE_EVP
+ EVP_PKEY *pkey;
+ #endif
+@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
++ length = r.length;
+
+ rsa = RSA_new();
+ if (rsa == NULL)
+@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ RSA_free(rsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+- e_bytes = *r.base++;
+- r.length--;
++ e_bytes = *r.base;
++ isc_region_consume(&r, 1);
+
+ if (e_bytes == 0) {
+ if (r.length < 2) {
+ RSA_free(rsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+- e_bytes = ((*r.base++) << 8);
+- e_bytes += *r.base++;
+- r.length -= 2;
++ e_bytes = (*r.base) << 8;
++ isc_region_consume(&r, 1);
++ e_bytes += *r.base;
++ isc_region_consume(&r, 1);
+ }
+
+ if (r.length < e_bytes) {
+@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+- r.base += e_bytes;
+- r.length -= e_bytes;
++ isc_region_consume(&r, e_bytes);
+
+ rsa->n = BN_bin2bn(r.base, r.length, NULL);
+
+ key->key_size = BN_num_bits(rsa->n);
+
+- isc_buffer_forward(data, r.length);
++ isc_buffer_forward(data, length);
+
+ #if USE_EVP
+ pkey = EVP_PKEY_new();
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 2004b0b..c7971b1 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8959,6 +8959,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
++ /*
++ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
++ */
++ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
++ return (ISC_FALSE);
++
+ #if USE_ALGLOCK
+ RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+ #endif
+
diff --git a/SOURCES/bind99-rh1215687-limits.patch b/SOURCES/bind99-rh1215687-limits.patch
new file mode 100644
index 0000000..7922b7e
--- /dev/null
+++ b/SOURCES/bind99-rh1215687-limits.patch
@@ -0,0 +1,67 @@
+diff -up bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits bind-9.9.4/bin/named/interfacemgr.c
+--- bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits 2015-05-20 16:08:21.286007013 +0200
++++ bind-9.9.4/bin/named/interfacemgr.c 2015-05-20 16:21:49.227001713 +0200
+@@ -275,7 +275,7 @@ ns_interface_listenudp(ns_interface_t *i
+ result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr,
+ ns_g_socketmgr,
+ ns_g_taskmgr, &ifp->addr,
+- 4096, 1000, 32768, 8219, 8237,
++ 4096, 32768, 32768, 8219, 8237,
+ attrs, attrmask,
+ &ifp->udpdispatch[disp],
+ disp == 0
+diff -up bind-9.9.4/bin/named/server.c.rh1215687-limits bind-9.9.4/bin/named/server.c
+--- bind-9.9.4/bin/named/server.c.rh1215687-limits 2015-05-20 16:08:21.272006979 +0200
++++ bind-9.9.4/bin/named/server.c 2015-05-20 16:08:21.288007018 +0200
+@@ -992,7 +992,7 @@ get_view_querysource_dispatch(const cfg_
+ }
+ if (isc_sockaddr_getport(&sa) == 0) {
+ attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
+- maxdispatchbuffers = 4096;
++ maxdispatchbuffers = 32768;
+ } else {
+ INSIST(obj != NULL);
+ if (is_firstview) {
+@@ -1001,7 +1001,7 @@ get_view_querysource_dispatch(const cfg_
+ "suppresses port randomization and can be "
+ "insecure.");
+ }
+- maxdispatchbuffers = 1000;
++ maxdispatchbuffers = 32768;
+ }
+
+ attrmask = 0;
+@@ -6491,7 +6491,7 @@ ns_add_reserved_dispatch(ns_server_t *se
+
+ result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
+ ns_g_taskmgr, &dispatch->addr, 4096,
+- 1000, 32768, 16411, 16433,
++ 32768, 32768, 16411, 16433,
+ attrs, attrmask, &dispatch->dispatch);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+diff -up bind-9.9.4/lib/dns/dispatch.c.rh1215687-limits bind-9.9.4/lib/dns/dispatch.c
+diff -up bind-9.9.4/lib/dns/request.c.rh1215687-limits bind-9.9.4/lib/dns/request.c
+--- bind-9.9.4/lib/dns/request.c.rh1215687-limits 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/lib/dns/request.c 2015-05-20 16:08:21.286007013 +0200
+@@ -601,7 +601,7 @@ find_udp_dispatch(dns_requestmgr_t *requ
+ requestmgr->socketmgr,
+ requestmgr->taskmgr,
+ srcaddr, 4096,
+- 1000, 32768, 16411, 16433,
++ 32768, 32768, 16411, 16433,
+ attrs, attrmask,
+ dispatchp));
+ }
+diff -up bind-9.9.4/lib/dns/resolver.c.rh1215687-limits bind-9.9.4/lib/dns/resolver.c
+--- bind-9.9.4/lib/dns/resolver.c.rh1215687-limits 2015-05-20 16:08:21.277006991 +0200
++++ bind-9.9.4/lib/dns/resolver.c 2015-05-20 16:08:21.285007010 +0200
+@@ -1489,7 +1489,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+ result = dns_dispatch_getudp(res->dispatchmgr,
+ res->socketmgr,
+ res->taskmgr, &addr,
+- 4096, 1000, 32768, 16411,
++ 4096, 20000, 32768, 16411,
+ 16433, attrs, attrmask,
+ &query->dispatch);
+ if (result != ISC_R_SUCCESS)
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 8f28afe..7e8815b 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -29,7 +29,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.4
-Release: 18%{?PATCHVER}%{?PREVER}%{?dist}.3
+Release: 18%{?PATCHVER}%{?PREVER}%{?dist}.5
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -100,6 +100,9 @@ Patch147:bind99-CVE-2014-8500.patch
Patch148:bind99-CVE-2015-1349.patch
Patch149:bind99-CVE-2015-4620.patch
Patch150:bind99-CVE-2015-5477.patch
+Patch151:bind99-rh1215687-limits.patch
+Patch152:bind-99-socket-maxevents.patch
+Patch153:bind99-CVE-2015-5722.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -329,6 +332,9 @@ popd
%patch148 -p1 -b .CVE-2015-1349
%patch149 -p1 -b .CVE-2015-4620
%patch150 -p1 -b .CVE-2015-5477
+%patch151 -p1 -b .rh1215687-limits
+%patch152 -p1 -b .sock-maxevent
+%patch153 -p1 -b .CVE-2015-5722
%if %{SDB}
%patch101 -p1 -b .old-api
@@ -948,6 +954,13 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Wed Sep 02 2015 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18.5
+- Fix CVE-2015-5722
+
+* Thu Aug 06 2015 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18.4
+- DNS resolution failure in high load environment with SERVFAIL and "out of memory/success" in the log (#1221180)
+- Increase ISC_SOCKET_MAXEVENTS to 2048 (#1250561)
+
* Mon Jul 27 2015 Florian Weimer <fweimer@redhat.com> - 32:9.9.4-18.3
- Fix CVE-2015-5477