--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/013-RT43632.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,175 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43632. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 14:12:28 2017
++++ new/./CHANGES Wed Jan 11 14:12:28 2017
+@@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4517. [security] Named could mishandle authority sections that were
++ missing RRSIGs triggering an assertion failure.
++ (CVE-2016-9444) [RT #43632]
++
+ 4510. [security] Named mishandled some responses where covering RRSIG
+ records are returned without the requested data
+ resulting in a assertion failure. (CVE-2016-9147)
+--- old/lib/dns/api Wed Jan 11 14:12:28 2017
++++ new/lib/dns/api Wed Jan 11 14:12:28 2017
+@@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 4
++LIBREVISION = 5
+ LIBAGE = 1
+--- old/lib/dns/message.c Wed Jan 11 14:12:28 2017
++++ new/lib/dns/message.c Wed Jan 11 14:12:28 2017
+@@ -1169,6 +1169,63 @@
+ return (ISC_FALSE);
+ }
+
++/*
++ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
++ * covering RRSIGs.
++ */
++static isc_boolean_t
++auth_signed(dns_namelist_t *section) {
++ dns_name_t *name;
++
++ for (name = ISC_LIST_HEAD(*section);
++ name != NULL;
++ name = ISC_LIST_NEXT(name, link))
++ {
++ int auth_dnssec = 0, auth_rrsig = 0;
++ dns_rdataset_t *rds;
++
++ for (rds = ISC_LIST_HEAD(name->list);
++ rds != NULL;
++ rds = ISC_LIST_NEXT(rds, link))
++ {
++ switch (rds->type) {
++ case dns_rdatatype_ds:
++ auth_dnssec |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_dnssec |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_dnssec |= 0x4;
++ break;
++ case dns_rdatatype_rrsig:
++ break;
++ default:
++ continue;
++ }
++
++ switch (rds->covers) {
++ case dns_rdatatype_ds:
++ auth_rrsig |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_rrsig |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_rrsig |= 0x4;
++ break;
++ default:
++ break;
++ }
++ }
++
++ if (auth_dnssec != auth_rrsig)
++ return (ISC_FALSE);
++ }
++
++ return (ISC_TRUE);
++}
++
+ static isc_result_t
+ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ dns_section_t sectionid, unsigned int options)
+@@ -1194,12 +1251,12 @@
+ best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ seen_problem = ISC_FALSE;
+
++ section = &msg->sections[sectionid];
++
+ for (count = 0; count < msg->counts[sectionid]; count++) {
+ int recstart = source->current;
+ isc_boolean_t skip_name_search, skip_type_search;
+
+- section = &msg->sections[sectionid];
+-
+ skip_name_search = ISC_FALSE;
+ skip_type_search = ISC_FALSE;
+ free_rdataset = ISC_FALSE;
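Review bot: The move of `section = &msg->sections[sectionid];` above the loop is load-bearing rather than cosmetic: the post-loop `auth_signed(section)` check this patch adds further down in the same function runs even when `msg->counts[sectionid]` is zero, and with the assignment still inside the loop an empty authority section would hand `auth_signed` an uninitialised pointer. A comment at the new assignment such as `/* Must be set before the loop: the post-loop RRSIG check runs even when the section is empty. */` would stop a later tidy-up from moving it back. getsection's body continues past both ends of this hunk.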
+@@ -1372,7 +1429,7 @@
+ goto cleanup;
+ rdata->rdclass = rdclass;
+ issigzero = ISC_FALSE;
+- if (rdtype == dns_rdatatype_rrsig &&
++ if (rdtype == dns_rdatatype_rrsig &&
+ rdata->flags == 0) {
+ covers = dns_rdata_covers(rdata);
+ if (covers == 0)
+@@ -1577,6 +1634,19 @@
+ INSIST(free_rdataset == ISC_FALSE);
+ }
+
++ /*
++ * If any of DS, NSEC or NSEC3 appeared in the
++ * authority section of a query response without
++ * a covering RRSIG, FORMERR
++ */
++ if (sectionid == DNS_SECTION_AUTHORITY &&
++ msg->opcode == dns_opcode_query &&
++ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
++ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
++ !preserve_order &&
++ !auth_signed(section))
++ DO_FORMERR;
++
+ if (seen_problem)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
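Review bot: The comment above the new check does not say why truncated responses are exempt, yet `((msg->flags & DNS_MESSAGEFLAG_TC) == 0)` means an unsigned NSEC/NSEC3 in the authority section of a TC=1 reply still parses cleanly; that is presumably acceptable only because callers retry truncated answers over TCP rather than cache from them, which this hunk cannot show. I would extend the comment with `Truncated responses are exempt: the authority section may have been cut before the RRSIGs, and the caller retries over TCP rather than use it.` once that is confirmed. Note also that under DNS_MESSAGEPARSE_BESTEFFORT the `DO_FORMERR` macro (defined outside this hunk) may only record the problem and let the parse continue to the `DNS_R_RECOVERABLE` return, so any caller that parses with best-effort and then acts on the section should be checked separately. getsection starts before this hunk.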
+--- old/lib/dns/resolver.c Wed Jan 11 14:12:30 2017
++++ new/lib/dns/resolver.c Wed Jan 11 14:12:29 2017
+@@ -4766,13 +4766,9 @@
+ rdataset->type,
+ &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult =
+- dns_rdataset_addnoqname(
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
+ rdataset, noqname);
+- RUNTIME_CHECK(tresult ==
+- ISC_R_SUCCESS);
+- }
+ }
+ addedrdataset = ardataset;
+ result = dns_db_addrdataset(fctx->cache, node,
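Review bot: Replacing `RUNTIME_CHECK(tresult == ISC_R_SUCCESS)` with a `(void)` cast turns the former abort into a silent skip, and the rdataset is still written to the cache by the `dns_db_addrdataset` call that follows, now possibly without its noqname proof; nothing in the hunk records that this happened. If ignoring the failure is acceptable because the proof is optional for the cache entry, say so at the call: `/* Failure only leaves the entry without a noqname proof; not fatal, so do not abort. */`; if it is not, the failure needs to feed into how the record is cached rather than be discarded. With the assignment gone, `tresult` now carries only the findnoqname result, which is fine for the visible code. The enclosing function begins before this hunk and continues past it.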
+@@ -4902,11 +4898,9 @@
+ tresult = findnoqname(fctx, name,
+ rdataset->type, &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult = dns_rdataset_addnoqname(
+- rdataset, noqname);
+- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+- }
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
++ rdataset, noqname);
+ }
+
+ /*
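Review bot: The rewrite at `noqname != NULL)` drops the braces around a body that still spans two lines (`(void) dns_rdataset_addnoqname(` / `rdataset, noqname);`), which is harder to read and diverges from the braced form the removed lines used; keeping `if (...) { (void) dns_rdataset_addnoqname(rdataset, noqname); }` costs nothing. The same silent-skip concern as in the earlier resolver.c hunk applies here: the failure is discarded and, as far as this hunk shows, the rdataset is still used afterwards without its noqname proof. The enclosing function starts before and ends after this hunk.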
+--- old/./version Wed Jan 11 14:12:30 2017
++++ new/./version Wed Jan 11 14:12:29 2017
+@@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-S9
++EXTENSIONS=-S10