diff --git a/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch b/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
new file mode 100644
index 0000000..e6b2ccf
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
@@ -0,0 +1,248 @@
+--- a/m4/ax_python_devel.m4 2019-07-26 17:07:44.000000000 +0200
++++ b/m4/ax_python_devel.m4 2022-02-15 10:29:28.876543000 +0100
+@@ -1,5 +1,5 @@
+ # ===========================================================================
+-# http://www.gnu.org/software/autoconf-archive/ax_python_devel.html
++# https://www.gnu.org/software/autoconf-archive/ax_python_devel.html
+ # ===========================================================================
+ #
+ # SYNOPSIS
+@@ -12,8 +12,8 @@
+ # in your configure.ac.
+ #
+ # This macro checks for Python and tries to get the include path to
+-# 'Python.h'. It provides the $(PYTHON_CPPFLAGS) and $(PYTHON_LDFLAGS)
+-# output variables. It also exports $(PYTHON_EXTRA_LIBS) and
++# 'Python.h'. It provides the $(PYTHON_CPPFLAGS) and $(PYTHON_LIBS) output
++# variables. It also exports $(PYTHON_EXTRA_LIBS) and
+ # $(PYTHON_EXTRA_LDFLAGS) for embedding Python in your code.
+ #
+ # You can search for some particular version of Python by passing a
+@@ -52,7 +52,7 @@
+ # Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License along
+-# with this program. If not, see <http://www.gnu.org/licenses/>.
++# with this program. If not, see <https://www.gnu.org/licenses/>.
+ #
+ # As a special exception, the respective Autoconf Macro's copyright owner
+ # gives unlimited permission to copy, distribute and modify the configure
+@@ -67,7 +67,7 @@
+ # modified version of the Autoconf Macro, you may extend this special
+ # exception to the GPL to apply to your modified version as well.
+
+-#serial 16
++#serial 23
+
+ AU_ALIAS([AC_PYTHON_DEVEL], [AX_PYTHON_DEVEL])
+ AC_DEFUN([AX_PYTHON_DEVEL],[
+@@ -99,7 +99,7 @@
+ This version of the AC@&t@_PYTHON_DEVEL macro
+ doesn't work properly with versions of Python before
+ 2.1.0. You may need to re-run configure, setting the
+-variables PYTHON_CPPFLAGS, PYTHON_LDFLAGS, PYTHON_SITE_PKG,
++variables PYTHON_CPPFLAGS, PYTHON_LIBS, PYTHON_SITE_PKG,
+ PYTHON_EXTRA_LIBS and PYTHON_EXTRA_LDFLAGS by hand.
+ Moreover, to disable this check, set PYTHON_NOVERSIONCHECK
+ to something else than an empty string.
+@@ -135,16 +135,25 @@
+ #
+ # Check if you have distutils, else fail
+ #
+- AC_MSG_CHECKING([for the distutils Python package])
+- ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+- if test -z "$ac_distutils_result"; then
++ AC_MSG_CHECKING([for the sysconfig Python package])
++ ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`
++ if test $? -eq 0; then
+ AC_MSG_RESULT([yes])
++ IMPORT_SYSCONFIG="import sysconfig"
+ else
+ AC_MSG_RESULT([no])
+- AC_MSG_ERROR([cannot import Python module "distutils".
++
++ AC_MSG_CHECKING([for the distutils Python package])
++ ac_sysconfig_result=`$PYTHON -c "from distutils import sysconfig" 2>&1`
++ if test $? -eq 0; then
++ AC_MSG_RESULT([yes])
++ IMPORT_SYSCONFIG="from distutils import sysconfig"
++ else
++ AC_MSG_ERROR([cannot import Python module "distutils".
+ Please check your Python installation. The error was:
+-$ac_distutils_result])
+- PYTHON_VERSION=""
++$ac_sysconfig_result])
++ PYTHON_VERSION=""
++ fi
+ fi
+
+ #
+@@ -152,10 +161,19 @@
+ #
+ AC_MSG_CHECKING([for Python include path])
+ if test -z "$PYTHON_CPPFLAGS"; then
+- python_path=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_inc ());"`
+- plat_python_path=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_inc (plat_specific=1));"`
++ if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++ # sysconfig module has different functions
++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path ('include'));"`
++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path ('platinclude'));"`
++ else
++ # old distutils way
++ python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_inc ());"`
++ plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_inc (plat_specific=1));"`
++ fi
+ if test -n "${python_path}"; then
+ if test "${plat_python_path}" != "${python_path}"; then
+ python_path="-I$python_path -I$plat_python_path"
+@@ -172,14 +190,14 @@
+ # Check for Python library path
+ #
+ AC_MSG_CHECKING([for Python library path])
+- if test -z "$PYTHON_LDFLAGS"; then
++ if test -z "$PYTHON_LIBS"; then
+ # (makes two attempts to ensure we've got a version number
+ # from the interpreter)
+ ac_python_version=`cat<<EOD | $PYTHON -
+
+ # join all versioning strings, on some systems
+ # major/minor numbers could be in different list elements
+-from distutils.sysconfig import *
++from sysconfig import *
+ e = get_config_var('VERSION')
+ if e is not None:
+ print(e)
+@@ -202,8 +220,8 @@
+ ac_python_libdir=`cat<<EOD | $PYTHON -
+
+ # There should be only one
+-import distutils.sysconfig
+-e = distutils.sysconfig.get_config_var('LIBDIR')
++$IMPORT_SYSCONFIG
++e = sysconfig.get_config_var('LIBDIR')
+ if e is not None:
+ print (e)
+ EOD`
+@@ -211,8 +229,8 @@
+ # Now, for the library:
+ ac_python_library=`cat<<EOD | $PYTHON -
+
+-import distutils.sysconfig
+-c = distutils.sysconfig.get_config_vars()
++$IMPORT_SYSCONFIG
++c = sysconfig.get_config_vars()
+ if 'LDVERSION' in c:
+ print ('python'+c[['LDVERSION']])
+ else:
+@@ -227,45 +245,51 @@
+ then
+ # use the official shared library
+ ac_python_library=`echo "$ac_python_library" | sed "s/^lib//"`
+- PYTHON_LDFLAGS="-L$ac_python_libdir -l$ac_python_library"
++ PYTHON_LIBS="-L$ac_python_libdir -l$ac_python_library"
+ else
+ # old way: use libpython from python_configdir
+ ac_python_libdir=`$PYTHON -c \
+- "from distutils.sysconfig import get_python_lib as f; \
++ "from sysconfig import get_python_lib as f; \
+ import os; \
+ print (os.path.join(f(plat_specific=1, standard_lib=1), 'config'));"`
+- PYTHON_LDFLAGS="-L$ac_python_libdir -lpython$ac_python_version"
++ PYTHON_LIBS="-L$ac_python_libdir -lpython$ac_python_version"
+ fi
+
+- if test -z "PYTHON_LDFLAGS"; then
++ if test -z "PYTHON_LIBS"; then
+ AC_MSG_ERROR([
+ Cannot determine location of your Python DSO. Please check it was installed with
+- dynamic libraries enabled, or try setting PYTHON_LDFLAGS by hand.
++ dynamic libraries enabled, or try setting PYTHON_LIBS by hand.
+ ])
+ fi
+ fi
+- AC_MSG_RESULT([$PYTHON_LDFLAGS])
+- AC_SUBST([PYTHON_LDFLAGS])
++ AC_MSG_RESULT([$PYTHON_LIBS])
++ AC_SUBST([PYTHON_LIBS])
+
+ #
+ # Check for site packages
+ #
+ AC_MSG_CHECKING([for Python site-packages path])
+ if test -z "$PYTHON_SITE_PKG"; then
+- PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+- print (distutils.sysconfig.get_python_lib(1,0));"`
++ if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++ PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_path('platlib'));"`
++ else
++ # distutils.sysconfig way
++ PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ print (sysconfig.get_python_lib(0,0));"`
++ fi
+ fi
+ AC_MSG_RESULT([$PYTHON_SITE_PKG])
+ AC_SUBST([PYTHON_SITE_PKG])
+
+ #
+ # libraries which must be linked in when embedding
+ #
+ AC_MSG_CHECKING(python extra libraries)
+ if test -z "$PYTHON_EXTRA_LIBS"; then
+- PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
+- conf = distutils.sysconfig.get_config_var; \
+- print (conf('LIBS'))"`
++ PYTHON_EXTRA_LIBS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ conf = sysconfig.get_config_var; \
++ print (conf('LIBS') + ' ' + conf('SYSLIBS'))"`
+ fi
+ AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
+ AC_SUBST(PYTHON_EXTRA_LIBS)
+@@ -275,8 +316,8 @@
+ #
+ AC_MSG_CHECKING(python extra linking flags)
+ if test -z "$PYTHON_EXTRA_LDFLAGS"; then
+- PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
+- conf = distutils.sysconfig.get_config_var; \
++ PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++ conf = sysconfig.get_config_var; \
+ print (conf('LINKFORSHARED'))"`
+ fi
+ AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
+@@ -288,8 +329,10 @@
+ AC_MSG_CHECKING([consistency of all components of python development environment])
+ # save current global flags
+ ac_save_LIBS="$LIBS"
++ ac_save_LDFLAGS="$LDFLAGS"
+ ac_save_CPPFLAGS="$CPPFLAGS"
+- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LDFLAGS $PYTHON_EXTRA_LIBS"
++ LIBS="$ac_save_LIBS $PYTHON_LIBS $PYTHON_EXTRA_LIBS $PYTHON_EXTRA_LIBS"
++ LDFLAGS="$ac_save_LDFLAGS $PYTHON_EXTRA_LDFLAGS"
+ CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([
+@@ -300,6 +343,7 @@
+ # turn back to default flags
+ CPPFLAGS="$ac_save_CPPFLAGS"
+ LIBS="$ac_save_LIBS"
++ LDFLAGS="$ac_save_LDFLAGS"
+
+ AC_MSG_RESULT([$pythonexists])
+
+@@ -307,8 +351,8 @@
+ AC_MSG_FAILURE([
+ Could not link test program to Python. Maybe the main Python library has been
+ installed in some non-standard library path. If so, pass it to configure,
+- via the LDFLAGS environment variable.
+- Example: ./configure LDFLAGS="-L/usr/non-standard-path/python/lib"
++ via the LIBS environment variable.
++ Example: ./configure LIBS="-L/usr/non-standard-path/python/lib"
+ ============================================================================
+ ERROR!
+ You probably have to install the development version of the Python package
diff --git a/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch b/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
new file mode 100644
index 0000000..28beb33
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
@@ -0,0 +1,32 @@
+From a5a5dd867fdb934a7ce3637dd9def598f0979247 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 3 Jun 2021 10:51:15 +0200
+Subject: [PATCH] Use PYTHON_LIBS instead of PYTHON_LDFLAGS
+
+Definition was changed to more obvious variable in ax_python_devel.m4
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldns-1.7.1/Makefile.in b/ldns-1.7.1/Makefile.in
+index af529e43..2f6b1423 100644
+--- a/ldns-1.7.1/Makefile.in
++++ b/ldns-1.7.1/Makefile.in
+@@ -48,7 +48,7 @@ LIBS = @LIBS@
+ LIBOBJDIR = compat/
+ LIBOBJS = @LIBOBJS@
+ PYTHON_CPPFLAGS = @PYTHON_CPPFLAGS@
+-PYTHON_LDFLAGS = @PYTHON_LDFLAGS@
++PYTHON_LIBS = @PYTHON_LIBS@
+ PYTHON_X_CFLAGS = @PYTHON_X_CFLAGS@
+ LIBSSL_CPPFLAGS = @LIBSSL_CPPFLAGS@
+ LIBSSL_LDFLAGS = @LIBSSL_LDFLAGS@
+@@ -301,7 +301,7 @@
+ $(COMP_LIB) -I./include/ldns $(LIBSSL_CPPFLAGS) $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $(pywrapdir)/ldns_wrapper.c -o $@
+
+ _ldns.la: ldns_wrapper.lo libldns.la
+- $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) $(PYTHON_LDFLAGS) -module -version-info $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(LIBS)
++ $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) -module -version-info $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(PYTHON_LIBS) $(LIBS)
+
+ $(p5_dns_ldns_dir)/Makefile: $(p5_dns_ldns_dir)/Makefile.PL
+ BUILDDIR=`pwd`; cd $(p5_dns_ldns_dir); LD_LIBRARY_PATH="$$BUILDDIR/.libs:$$LD_LIBRARY_PATH" DYLD_LIBRARY_PATH="$$BUILDDIR/.libs:$$DYLD_LIBRARY_PATH" $(PERL) Makefile.PL LIBS="-L$$BUILDDIR/.libs -lldns" INC="-I$$BUILDDIR"
diff --git a/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch b/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch
new file mode 100644
index 0000000..474902c
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch
@@ -0,0 +1,41 @@
+From 15d96206996bea969fbc918eb0a4a346f514b9f3 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:50:27 +0200
+Subject: [PATCH 1/2] * bugfix #70: heap Out-of-bound Read vulnerability in
+rr_frm_str_internal reported by pokerfacett.
+
+From 4e9861576a600a5ecfa16ec2de853c90dd9ce276 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:51:09 +0200
+Subject: [PATCH 2/2] Fix #70 fix code.
+
+diff --git a/ldns-1.7.1/rr.c b/ldns-1.7.1/rr.c
+index 6642aca7..adf67ae4 100644
+--- a/ldns-1.7.1/rr.c
++++ b/ldns-1.7.1/rr.c
+@@ -365,15 +365,18 @@ ldns_rr_new_frm_str_internal(ldns_rr **newrr, const char *str,
+ ldns_buffer_remaining(rd_buf) > 0){
+
+ /* skip spaces */
+- while (*(ldns_buffer_current(rd_buf)) == ' ') {
++ while (ldns_buffer_remaining(rd_buf) > 0 &&
++ *(ldns_buffer_current(rd_buf)) == ' ') {
+ ldns_buffer_skip(rd_buf, 1);
+ }
+
+- if (*(ldns_buffer_current(rd_buf)) == '\"') {
++ if (ldns_buffer_remaining(rd_buf) > 0 &&
++ *(ldns_buffer_current(rd_buf)) == '\"') {
+ delimiters = "\"\0";
+ ldns_buffer_skip(rd_buf, 1);
+ quoted = true;
+- } else if (ldns_rr_descriptor_field_type(desc, r_cnt)
++ }
++ if (!quoted && ldns_rr_descriptor_field_type(desc, r_cnt)
+ == LDNS_RDF_TYPE_LONG_STR) {
+
+ status = LDNS_STATUS_SYNTAX_RDATA_ERR;
+--
+2.34.1
+
+
diff --git a/SPECS/ldns.spec b/SPECS/ldns.spec
index 25a1579..ddc15c6 100644
--- a/SPECS/ldns.spec
+++ b/SPECS/ldns.spec
@@ -39,7 +39,7 @@
Summary: Low-level DNS(SEC) library with API
Name: ldns
Version: 1.7.1
-Release: 8%{?dist}
+Release: 10%{?dist}
License: BSD
Url: https://www.nlnetlabs.nl/%{name}/
@@ -50,6 +50,14 @@ Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100
Patch1: ldns-1.7.0-multilib.patch
# 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e
Patch2: ldns-1.7.1-openssl-build.patch
+# 2051211 - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
+Patch3: ldns-1.7.1-out-of-boud-read-vuln.patch
+# https://github.com/autoconf-archive/autoconf-archive/commit/7f21e125bbe4e7c93d3bc86cda29c8b8e3b07d52
+# used 'platlib' instead of 'purelib'
+Patch4: ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
+# https://github.com/NLnetLabs/ldns/commit/a5a5dd867fdb934a7ce3637dd9def598f0979247
+Patch5: ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
+
# Only needed for builds from svn snapshot
%if 0%{snapshot}
@@ -351,6 +359,13 @@ rm -rf doc/man
%doc doc
%changelog
+* Fri Feb 25 2022 Richard Lescak <rlescak@redhat.com> - 1.7.1-10
+- use Python LIBS instead of LDFLAGS - fix annocheck issues
+
+* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 1.7.1-9
+- Fix for CVE-2020-19860 ldns: heap overread vulnerability (#2051211)
+- Added also patch for deprecated distutils Python module used in build
+
* Wed Oct 13 2021 Richard Lescak <rlescak@redhat.com> - 1.7.1-8
- Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445)