author: wangmy <wangmy@fujitsu.com> 2022-05-24 16:33:42 +0800
committer: Steve Sakoman <steve@sakoman.com> 2022-07-26 05:34:59 -1000
commit: 1bbedc1c6f9b1d431a7d72b9e8e2871d0fe988f5 (patch)
tree: 73ae8ac33cf0ab9fd78040eb8636f18b00ab08db /meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch
parent: e22b7b2a30c4c688b9c4414824c93ae8a884496c (diff)
bind: upgrade 9.18.2 -> 9.18.3
Changelog:
==========
[security]
Fix a crash in DNS-over-HTTPS (DoH) code caused by premature TLS stream socket object deletion. (CVE-2022-1183) [GL #3216]

[bug]
RPZ NSIP and NSDNAME rule processing didn't handle stub and static-stub zones at or above the query name. This has now been addressed. [GL #3232]
Fixed a deadlock that could occur if an rndc connection arrived during the shutdown of network interfaces. [GL #3272]
Refactor the fctx_done() function to set fctx to NULL after detaching, so that reference counting errors will be easier to avoid. [GL #2969]
udp_recv() in dispatch could trigger an INSIST when the callback's result indicated success but the response was canceled in the meantime. [GL #3300]
Work around a jemalloc quirk which could trigger an out-of-memory condition in named over time. [GL #3287]
If there was a pending negative cache DS entry, validations depending upon it could fail. [GL #3279]
dig returned a 0 exit status on UDP connection failure. [GL #3235]
Fix an assertion failure when using dig with +nssearch and +tcp options by starting the next query in the send_done() callback (like in the UDP mode) instead of doing that recursively in start_tcp(). Also ensure that queries interrupted while connecting are detached properly. [GL #3144]
Don't remove CDS/CDNSKEY DELETE records on zone sign when using 'auto-dnssec maintain;'. [GL #2931]

[contrib]
Avoid name space collision in dlz modules by prefixing functions with 'dlz_'. [GL !5778]
dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]

[func]
Add new named command-line option -C to print built-in defaults. [GL #1326]
Introduce the concept of broken catalog zones described in the DNS catalog zones draft version 5 document. [GL #3224]
Add DNS Extended Errors when stale answers are returned from cache. [GL #2267]
Implement support for catalog zones change of ownership (coo) mechanism described in the DNS catalog zones draft version 5 document. [GL #3223]
Implement support for catalog zones options new syntax based on catalog zones custom properties with "ext" suffix described in the DNS catalog zones draft version 5 document. [GL #3222]
Implement reference counting for TLS contexts and allow reloading of TLS certificates on reconfiguration without destroying the underlying TCP listener sockets for TLS-based DNS transports. [GL #3122]
Add support for remote TLS certificates verification, both to BIND and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]

[cleanup]
Remove use of exclusive mode in ns_interfacemgr in favor of rwlocked access to localhost and localnets members of dns_aclenv_t structure. [GL #3229]
Remove the task exclusive mode use in ns_clientmgr. [GL #3230]

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2ae8b85c71be2e9e332b1ef0a2d3083b30c63e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch')
-rw-r--r--  meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch  65
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch
new file mode 100644
index 0000000000..11db95ede1
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch
@@ -0,0 +1,65 @@
+Subject: init.d: add support for read-only rootfs
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/init.d b/init.d
+index 0111ed4..24677c8 100644
+--- a/init.d
++++ b/init.d
+@@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ # Don't modify this line, change or create /etc/default/bind9.
+ OPTIONS=""
+
++test -f /etc/default/rcS && . /etc/default/rcS
+ test -f /etc/default/bind9 && . /etc/default/bind9
+
++# This function is here because it's possible that /var and / are on different partitions.
++is_on_read_only_partition () {
++ DIRECTORY=$1
++ dir=`readlink -f $DIRECTORY`
++ while true; do
++ if [ ! -d "$dir" ]; then
++ echo "ERROR: $dir is not a directory"
++ exit 1
++ else
++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
++ [ "$flag" = "FOUND" ] && partition="read-write"
++ [ "$flag" = "ro" ] && { partition="read-only"; break; }
++ done
++ if [ "$dir" = "/" -o -n "$partition" ]; then
++ break
++ else
++ dir=`dirname $dir`
++ fi
++ fi
++ done
++ [ "$partition" = "read-only" ] && echo "yes" || echo "no"
++}
++
++bind_mount () {
++ olddir=$1
++ newdir=$2
++ mkdir -p $olddir
++ cp -a $newdir/* $olddir
++ mount --bind $olddir $newdir
++}
++
++# Deal with read-only rootfs
++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
++fi
++
+ test -x /usr/sbin/rndc || exit 0
+
+ case "$1" in
+--
+1.7.9.5
+
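Review bot: in the embedded init.d change, bind_mount() creates the volatile copy with `mkdir -p $olddir` (umask-default permissions) and populates it with `cp -a $newdir/* $olddir`, which skips dot-files and fails outright if the source directory is empty; since that copy is then bind-mounted over /etc/bind and becomes the live configuration directory (including any key files kept there), create it with an explicit restrictive mode and copy the directory contents whole, e.g. `mkdir -p -m 0750 "$olddir"` and `cp -a "$newdir"/. "$olddir"`, and quote `$olddir`/`$newdir` on the `mount --bind` line as well as `$DIRECTORY` in `dir=\`readlink -f $DIRECTORY\``. In is_on_read_only_partition(), the walk up the tree only works because `partition` is unset on entry, which holds here solely because each call runs inside backticks in a subshell; an explicit `partition=` at the top of the function would make that contract visible, and `[ "$dir" = "/" -o -n "$partition" ]` uses the obsolescent `-o` where two separate `[ ]` tests joined by `||` are more portable. Finally, the parameter names are inverted relative to their role (`olddir` receives the new volatile directory, `newdir` the original path), which is worth renaming or documenting in the comment above the function.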