1 files changed, 40 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch
new file mode 100644
index 0000000000..1e159bd2f8
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-CVE-2012-3817.patch
@@ -0,0 +1,40 @@
+bind: fix for CVE-2012-3817
+
+Upstream-Status: Backport
+
+ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2;
+9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation
+is enabled, does not properly initialize the failing-query cache, which allows
+remote attackers to cause a denial of service (assertion failure and daemon exit)
+by sending many queries.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817
+
+This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ resolver.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t 
+ 			goto cleanup;
+ 		bad->type = type;
+ 		bad->hashval = hashval;
++		bad->expire = *expire;
+ 		isc_buffer_init(&buffer, bad + 1, name->length);
+ 		dns_name_init(&bad->name, NULL);
+ 		dns_name_copy(name, &bad->name, &buffer);
+@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t 
+ 		if (resolver->badcount < resolver->badhash * 2 &&
+ 		    resolver->badhash > DNS_BADCACHE_SIZE)
+ 			resizehash(resolver, &now, ISC_FALSE);
+-	}
+-	bad->expire = *expire;
++	} else
++		bad->expire = *expire;
+  cleanup:
+ 	UNLOCK(&resolver->lock);
+ }