diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/CVE-2021-25220.patch b/SOURCES/CVE-2021-25220.patch
new file mode 100644
index 0000000..462804c
--- /dev/null
+++ b/SOURCES/CVE-2021-25220.patch
@@ -0,0 +1,200 @@
+diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c
+index e24499e..969bb9e 100644
+--- a/bind/bind-9.11.14/lib/dns/resolver.c
++++ b/bind/bind-9.11.14/lib/dns/resolver.c
+@@ -63,6 +63,7 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
++#include <dns/zone.h>
+
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m) isc_log_write(dns_lctx, \
+@@ -303,6 +304,8 @@ struct fetchctx {
+ bool ns_ttl_ok;
+ uint32_t ns_ttl;
+ isc_counter_t * qc;
++ dns_fixedname_t fwdfname;
++ dns_name_t *fwdname;
+
+ /*%
+ * The number of events we're waiting for.
+@@ -3344,6 +3347,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ if (result == ISC_R_SUCCESS) {
+ fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copy(domain, fctx->fwdname, NULL);
+ if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ isstrictsubdomain(domain, &fctx->domain)) {
+ fcount_decr(fctx);
+@@ -4368,6 +4372,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ fctx->restarts = 0;
+ fctx->querysent = 0;
+ fctx->referrals = 0;
++
++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
++
+ TIME_NOW(&fctx->start);
+ fctx->timeouts = 0;
+ fctx->lamecount = 0;
+@@ -4421,8 +4428,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ domain = dns_fixedname_initname(&fixed);
+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
+ domain, &forwarders);
+- if (result == ISC_R_SUCCESS)
++ if (result == ISC_R_SUCCESS) {
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copy(domain, fctx->fwdname, NULL);
++ }
+
+ if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+ /*
+@@ -6175,6 +6184,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
+ rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+ }
+
++/*
++ * Returns true if 'name' is external to the namespace for which
++ * the server being queried can answer, either because it's not a
++ * subdomain or because it's below a forward declaration or a
++ * locally served zone.
++ */
++static inline bool
++name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
++ isc_result_t result;
++ dns_forwarders_t *forwarders = NULL;
++ dns_fixedname_t fixed, zfixed;
++ dns_name_t *fname = dns_fixedname_initname(&fixed);
++ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
++ dns_name_t *apex = NULL;
++ dns_name_t suffix;
++ dns_zone_t *zone = NULL;
++ unsigned int labels;
++ dns_namereln_t rel;
++ /*
++ * The following two variables do not influence code flow; they are
++ * only necessary for calling dns_name_fullcompare().
++ */
++ int _orderp = 0;
++ unsigned int _nlabelsp = 0;
++
++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
++
++ /*
++ * The name is outside the queried namespace.
++ */
++ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
++ return (true);
++ }
++
++ /*
++ * If the record lives in the parent zone, adjust the name so we
++ * look for the correct zone or forward clause.
++ */
++ labels = dns_name_countlabels(name);
++ if (dns_rdatatype_atparent(type) && labels > 1U) {
++ dns_name_init(&suffix, NULL);
++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
++ name = &suffix;
++ } else if (rel == dns_namereln_equal) {
++ /* If 'name' is 'apex', no further checking is needed. */
++ return (false);
++ }
++
++ /*
++ * If there is a locally served zone between 'apex' and 'name'
++ * then don't cache.
++ */
++ LOCK(&fctx->res->view->lock);
++ if (fctx->res->view->zonetable != NULL) {
++ unsigned int options = DNS_ZTFIND_NOEXACT;
++ result = dns_zt_find(fctx->res->view->zonetable, name, options,
++ zfname, &zone);
++ if (zone != NULL) {
++ dns_zone_detach(&zone);
++ }
++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
++ if (dns_name_fullcompare(zfname, apex, &_orderp,
++ &_nlabelsp) ==
++ dns_namereln_subdomain)
++ {
++ UNLOCK(&fctx->res->view->lock);
++ return (true);
++ }
++ }
++ }
++ UNLOCK(&fctx->res->view->lock);
++
++ /*
++ * Look for a forward declaration below 'name'.
++ */
++ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
++ &forwarders);
++
++ if (ISFORWARDER(fctx->addrinfo)) {
++ /*
++ * See if the forwarder declaration is better.
++ */
++ if (result == ISC_R_SUCCESS) {
++ return (!dns_name_equal(fname, fctx->fwdname));
++ }
++
++ /*
++ * If the lookup failed, the configuration must have
++ * changed: play it safe and don't cache.
++ */
++ return (true);
++ } else if (result == ISC_R_SUCCESS &&
++ forwarders->fwdpolicy == dns_fwdpolicy_only &&
++ !ISC_LIST_EMPTY(forwarders->fwdrs))
++ {
++ /*
++ * If 'name' is covered by a 'forward only' clause then we
++ * can't cache this repsonse.
++ */
++ return (true);
++ }
++
++ return (false);
++}
++
+ static isc_result_t
+ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ dns_section_t section)
+@@ -6201,7 +6316,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ result = dns_message_findname(fctx->rmessage, section, addname,
+ dns_rdatatype_any, 0, &name, NULL);
+ if (result == ISC_R_SUCCESS) {
+- external = !dns_name_issubdomain(name, &fctx->domain);
++ external = name_external(name, type, fctx);
+ if (type == dns_rdatatype_a) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+@@ -7071,6 +7186,13 @@ answer_response(fetchctx_t *fctx) {
+ break;
+
+ case dns_namereln_subdomain:
++ /*
++ * Don't accept DNAME from parent namespace.
++ */
++ if (name_external(name, dns_rdatatype_dname, fctx)) {
++ continue;
++ }
++
+ /*
+ * In-scope DNAME records must have at least
+ * as many labels as the domain being queried.
+@@ -7299,11 +7421,9 @@ answer_response(fetchctx_t *fctx) {
+ */
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (!done && result == ISC_R_SUCCESS) {
+- bool external;
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+- external = !dns_name_issubdomain(name, &fctx->domain);
+- if (!external) {
++ if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ /*
+ * We expect to find NS or SIG NS rdatasets, and
+ * nothing else.
diff --git a/SOURCES/omshell-hmac-sha512-support.patch b/SOURCES/omshell-hmac-sha512-support.patch
new file mode 100644
index 0000000..479e2dd
--- /dev/null
+++ b/SOURCES/omshell-hmac-sha512-support.patch
@@ -0,0 +1,155 @@
+diff --git a/omapip/connection.c b/omapip/connection.c
+index 014ff21..6800514 100644
+--- a/omapip/connection.c
++++ b/omapip/connection.c
+@@ -44,6 +44,9 @@ extern omapi_array_t *trace_listeners;
+ #endif
+ static isc_result_t omapi_connection_connect_internal (omapi_object_t *);
+
++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name,
++ char **cstr);
++
+ OMAPI_OBJECT_ALLOC (omapi_connection,
+ omapi_connection_object_t, omapi_type_connection)
+
+@@ -763,64 +766,41 @@ isc_result_t omapi_connection_reaper (omapi_object_t *h)
+ }
+
+ static isc_result_t make_dst_key (dst_key_t **dst_key, omapi_object_t *a) {
+- omapi_value_t *name = (omapi_value_t *)0;
+- omapi_value_t *algorithm = (omapi_value_t *)0;
+- omapi_value_t *key = (omapi_value_t *)0;
+- char *name_str = NULL;
++ omapi_value_t *key = 0;
++ char *name_str = 0;
++ char *algorithm_str = 0;
+ isc_result_t status = ISC_R_SUCCESS;
+
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "name", &name);
+-
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "algorithm", &algorithm);
+-
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "key", &key);
+-
++ /* Get the key name as a C string. */
++ status = ctring_from_attribute(a, "name", &name_str);
+ if (status == ISC_R_SUCCESS) {
+- if ((algorithm->value->type != omapi_datatype_data &&
+- algorithm->value->type != omapi_datatype_string) ||
+- strncasecmp((char *)algorithm->value->u.buffer.value,
+- NS_TSIG_ALG_HMAC_MD5 ".",
+- algorithm->value->u.buffer.len) != 0) {
+- status = DHCP_R_INVALIDARG;
++ /* Get the algorithm name as a C string. */
++ status = ctring_from_attribute(a, "algorithm", &algorithm_str);
++ if (status == ISC_R_SUCCESS) {
++ /* Get the key secret value */
++ status = omapi_get_value_str(a, 0, "key", &key);
++ if (status == ISC_R_SUCCESS) {
++ /* Now let's try and create the key */
++ status = isclib_make_dst_key(
++ name_str,
++ algorithm_str,
++ key->value->u.buffer.value,
++ key->value->u.buffer.len,
++ dst_key);
++
++ if (*dst_key == NULL) {
++ status = ISC_R_NOMEMORY;
++ }
++ }
+ }
+ }
+
+- if (status == ISC_R_SUCCESS) {
+- name_str = dmalloc (name -> value -> u.buffer.len + 1, MDL);
+- if (!name_str)
+- status = ISC_R_NOMEMORY;
+- }
+-
+- if (status == ISC_R_SUCCESS) {
+- memcpy (name_str,
+- name -> value -> u.buffer.value,
+- name -> value -> u.buffer.len);
+- name_str [name -> value -> u.buffer.len] = 0;
+-
+- status = isclib_make_dst_key(name_str,
+- DHCP_HMAC_MD5_NAME,
+- key->value->u.buffer.value,
+- key->value->u.buffer.len,
+- dst_key);
+-
+- if (*dst_key == NULL)
+- status = ISC_R_NOMEMORY;
+- }
+-
+ if (name_str)
+ dfree (name_str, MDL);
++ if (algorithm_str)
++ dfree (algorithm_str, MDL);
+ if (key)
+ omapi_value_dereference (&key, MDL);
+- if (algorithm)
+- omapi_value_dereference (&algorithm, MDL);
+- if (name)
+- omapi_value_dereference (&name, MDL);
+
+ return status;
+ }
+@@ -1103,3 +1083,50 @@ isc_result_t omapi_connection_stuff_values (omapi_object_t *c,
+ m -> inner);
+ return ISC_R_SUCCESS;
+ }
++
++/* @brief Fetches the value of an attribute in an object as an allocated
++ * C string
++ *
++ * @param obj ompapi object containing the desire attribute
++ * @param attr_name name of the desired attribute
++ * @param[out] cstr pointer in which to place the allocated C string's address
++ *
++ * Caller is responsible for freeing (via dfree) the allocated string.
++ *
++ * @return ISC_R_SUCCESS if successful, otherwise indicates the type of failure
++*/
++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name,
++ char **cstr) {
++ isc_result_t status = ISC_R_SUCCESS;
++ omapi_value_t *attr = 0;
++
++ /* Find the attribute in the object. */
++ status = omapi_get_value_str(obj, (omapi_object_t *)0, attr_name,
++ &attr);
++ if (status != ISC_R_SUCCESS) {
++ return (status);
++ }
++
++ /* Got it, let's make sure it's either data or string type. */
++ if (attr->value->type != omapi_datatype_data &&
++ attr->value->type != omapi_datatype_string) {
++ return (DHCP_R_INVALIDARG);
++ }
++
++ /* Make a C string from the attribute value. */
++ *cstr = dmalloc (attr->value->u.buffer.len + 1, MDL);
++ if (!(*cstr)) {
++ status = ISC_R_NOMEMORY;
++ } else {
++ memcpy (*cstr, attr->value->u.buffer.value,
++ attr->value->u.buffer.len);
++ (*cstr)[attr->value->u.buffer.len] = 0;
++ }
++
++ /* Get rid of the attribute reference */
++ if (attr) {
++ omapi_value_dereference (&attr, MDL);
++ }
++
++ return (status);
++}
diff --git a/SPECS/dhcp.spec b/SPECS/dhcp.spec
index c444842..35706ca 100644
--- a/SPECS/dhcp.spec
+++ b/SPECS/dhcp.spec
@@ -15,7 +15,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.4.2
-Release: 15.b1%{?dist}
+Release: 17.b1%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
@@ -33,35 +33,37 @@ Source6: dhcpd.service
Source7: dhcpd6.service
Source8: dhcrelay.service
-Patch1 : 0001-change-bug-url.patch
-Patch2 : 0002-additional-dhclient-options.patch
-Patch3 : 0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch
-Patch4 : 0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch
-Patch5 : 0005-Change-default-requested-options.patch
-Patch6 : 0006-Various-man-page-only-fixes.patch
-Patch7 : 0007-Change-paths-to-conform-to-our-standards.patch
-Patch8 : 0008-Make-sure-all-open-file-descriptors-are-closed-on-ex.patch
-Patch9 : 0009-Fix-garbage-in-format-string-error.patch
-Patch10 : 0010-Handle-null-timeout.patch
-Patch11 : 0011-Drop-unnecessary-capabilities.patch
-Patch12 : 0012-RFC-3442-Classless-Static-Route-Option-for-DHCPv4-51.patch
-Patch13 : 0013-DHCPv6-over-PPP-support-626514.patch
-Patch14 : 0014-IPoIB-support-660681.patch
-Patch15 : 0015-Add-GUID-DUID-to-dhcpd-logs-1064416.patch
-Patch16 : 0016-Turn-on-creating-sending-of-DUID.patch
-Patch17 : 0017-Send-unicast-request-release-via-correct-interface.patch
-Patch18 : 0018-No-subnet-declaration-for-iface-should-be-info-not-e.patch
-Patch19 : 0019-dhclient-write-DUID_LLT-even-in-stateless-mode-11563.patch
-Patch20 : 0020-Discover-all-hwaddress-for-xid-uniqueness.patch
-Patch21 : 0021-Load-leases-DB-in-non-replay-mode-only.patch
-Patch22 : 0022-dhclient-make-sure-link-local-address-is-ready-in-st.patch
-Patch23 : 0023-option-97-pxe-client-id.patch
-Patch24 : 0024-Detect-system-time-changes.patch
-Patch25 : 0025-bind-Detect-system-time-changes.patch
-Patch26 : 0026-Add-dhclient-5-B-option-description.patch
-Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch
-Patch28: 0028-Fix-for-CVE-2021-25217.patch
-Patch29: 0029-Use-system-getaddrinfo-for-dhcp.patch
+Patch1: 0001-change-bug-url.patch
+Patch2: 0002-additional-dhclient-options.patch
+Patch3: 0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch
+Patch4: 0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch
+Patch5: 0005-Change-default-requested-options.patch
+Patch6: 0006-Various-man-page-only-fixes.patch
+Patch7: 0007-Change-paths-to-conform-to-our-standards.patch
+Patch8: 0008-Make-sure-all-open-file-descriptors-are-closed-on-ex.patch
+Patch9: 0009-Fix-garbage-in-format-string-error.patch
+Patch10: 0010-Handle-null-timeout.patch
+Patch11: 0011-Drop-unnecessary-capabilities.patch
+Patch12: 0012-RFC-3442-Classless-Static-Route-Option-for-DHCPv4-51.patch
+Patch13: 0013-DHCPv6-over-PPP-support-626514.patch
+Patch14: 0014-IPoIB-support-660681.patch
+Patch15: 0015-Add-GUID-DUID-to-dhcpd-logs-1064416.patch
+Patch16: 0016-Turn-on-creating-sending-of-DUID.patch
+Patch17: 0017-Send-unicast-request-release-via-correct-interface.patch
+Patch18: 0018-No-subnet-declaration-for-iface-should-be-info-not-e.patch
+Patch19: 0019-dhclient-write-DUID_LLT-even-in-stateless-mode-11563.patch
+Patch20: 0020-Discover-all-hwaddress-for-xid-uniqueness.patch
+Patch21: 0021-Load-leases-DB-in-non-replay-mode-only.patch
+Patch22: 0022-dhclient-make-sure-link-local-address-is-ready-in-st.patch
+Patch23: 0023-option-97-pxe-client-id.patch
+Patch24: 0024-Detect-system-time-changes.patch
+Patch25: 0025-bind-Detect-system-time-changes.patch
+Patch26: 0026-Add-dhclient-5-B-option-description.patch
+Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch
+Patch28: 0028-Fix-for-CVE-2021-25217.patch
+Patch29: 0029-Use-system-getaddrinfo-for-dhcp.patch
+Patch30: CVE-2021-25220.patch
+Patch31: omshell-hmac-sha512-support.patch
BuildRequires: autoconf
@@ -512,8 +514,11 @@ done
%endif
%changelog
-* Wed Nov 03 2021 CentOS Sources <bugs@centos.org> - 4.4.2-15.b1.el9.centos
-- Apply debranding changes
+* Tue May 10 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.2-17.b1
+- omshell: add support for hmac-sha512 algorithm (#2083553)
+
+* Thu Apr 14 2022 Martin Osvald <mosvald@redhat.com> - 12:4.4.2-16.b1
+- Fix for CVE-2021-25220
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 12:4.4.2-15.b1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags