--- a/components/bind/Makefile	Mon Oct 24 01:08:41 2016 -0700
+++ b/components/bind/Makefile	Thu Nov 10 15:37:35 2016 -0800
@@ -24,8 +24,8 @@
 
 COMPONENT_NAME=		bind
 COMPONENT_VERSION=	9.6-ESV-R11
-HUMAN_VERSION=		$(COMPONENT_VERSION)-S8
-IPS_COMPONENT_VERSION=	9.6.3.11.8
+HUMAN_VERSION=		$(COMPONENT_VERSION)-S9
+IPS_COMPONENT_VERSION=	9.6.3.11.9
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_PROJECT_URL=	http://www.isc.org/software/bind/

--- a/components/bind/bindc.p5m	Mon Oct 24 01:08:41 2016 -0700
+++ b/components/bind/bindc.p5m	Thu Nov 10 15:37:35 2016 -0800
@@ -40,9 +40,9 @@
 link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11
 link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11
 file path=usr/lib/dns/libbind9.so.50.0.11
-link path=usr/lib/dns/libdns.so target=libdns.so.113.1.3
-link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.3
-file path=usr/lib/dns/libdns.so.113.1.3
+link path=usr/lib/dns/libdns.so target=libdns.so.113.1.4
+link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.4
+file path=usr/lib/dns/libdns.so.113.1.4
 link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2
 link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2
 file path=usr/lib/dns/libisc.so.110.0.2

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/010-RT43465.patch	Thu Nov 10 15:37:35 2016 -0800
@@ -0,0 +1,212 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43465. [9.6-ESV-R11-S9]
+
+diff -r 94ec7bb11985 CHANGES
+--- a/CHANGES	Thu Oct 27 01:35:34 2016 -0700
++++ b/CHANGES	Fri Oct 28 17:37:53 2016 -0700
+@@ -1,3 +1,8 @@
++	--- 9.6-ESV-R11-S9 released ---
++
++4489.   [security]      It was possible to trigger assertions when processing
++		    a response. (CVE-2016-8864) [RT #43465]
++
+ 	--- 9.6-ESV-R11-S8 released ---
+ 
+ 4467.	[security]	It was possible to trigger a assertion when rendering
+diff -r 94ec7bb11985 lib/dns/api
+--- a/lib/dns/api	Thu Oct 27 01:35:34 2016 -0700
++++ b/lib/dns/api	Fri Oct 28 17:37:53 2016 -0700
+@@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 3
++LIBREVISION = 4
+ LIBAGE = 1
+diff -r 94ec7bb11985 lib/dns/resolver.c
+--- a/lib/dns/resolver.c	Thu Oct 27 01:35:34 2016 -0700
++++ b/lib/dns/resolver.c	Fri Oct 28 17:37:53 2016 -0700
+@@ -503,7 +503,9 @@
+ 	valarg->addrinfo = addrinfo;
+ 
+ 	if (!ISC_LIST_EMPTY(fctx->validators))
+-		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++		valoptions |= DNS_VALIDATOR_DEFER;
++	else
++		valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+ 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ 				      sigrdataset, fctx->rmessage,
+@@ -4849,13 +4851,6 @@
+ 							   rdataset,
+ 							   sigrdataset,
+ 							   valoptions, task);
+-					/*
+-					 * Defer any further validations.
+-					 * This prevents multiple validators
+-					 * from manipulating fctx->rmessage
+-					 * simultaneously.
+-					 */
+-					valoptions |= DNS_VALIDATOR_DEFER;
+ 				}
+ 			} else if (CHAINING(rdataset)) {
+ 				if (rdataset->type == dns_rdatatype_cname)
+@@ -4961,6 +4956,11 @@
+ 				       eresult == DNS_R_NCACHENXRRSET);
+ 			}
+ 			event->result = eresult;
++			if (adbp != NULL && *adbp != NULL) {
++				if (anodep != NULL && *anodep != NULL)
++					dns_db_detachnode(*adbp, anodep);
++				dns_db_detach(adbp);
++			}
+ 			dns_db_attach(fctx->cache, adbp);
+ 			dns_db_transfernode(fctx->cache, &node, anodep);
+ 			clone_results(fctx);
+@@ -5208,6 +5208,11 @@
+ 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ 		if (event != NULL) {
+ 			event->result = eresult;
++			if (adbp != NULL && *adbp != NULL) {
++				if (anodep != NULL && *anodep != NULL)
++					dns_db_detachnode(*adbp, anodep);
++				dns_db_detach(adbp);
++			}
+ 			dns_db_attach(fctx->cache, adbp);
+ 			dns_db_transfernode(fctx->cache, &node, anodep);
+ 			clone_results(fctx);
+@@ -5777,13 +5782,15 @@
+ answer_response(fetchctx_t *fctx) {
+ 	isc_result_t result;
+ 	dns_message_t *message;
+-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++	dns_name_t *cname = NULL;
+ 	dns_rdataset_t *rdataset, *ns_rdataset;
+ 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
+-	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++	isc_boolean_t have_answer, found_cname, found_dname, found_type;
++	isc_boolean_t wanted_chaining;
+ 	unsigned int aflag;
+ 	dns_rdatatype_t type;
+-	dns_fixedname_t fdname, fqname;
++	dns_fixedname_t fdname, fqname, fqdname;
+ 
+ 	FCTXTRACE("answer_response");
+ 
+@@ -5796,6 +5803,7 @@
+ 
+ 	done = ISC_FALSE;
+ 	found_cname = ISC_FALSE;
++	found_dname = ISC_FALSE;
+ 	found_type = ISC_FALSE;
+ 	chaining = ISC_FALSE;
+ 	have_answer = ISC_FALSE;
+@@ -5805,11 +5813,13 @@
+ 		aa = ISC_TRUE;
+ 	else
+ 		aa = ISC_FALSE;
+-	qname = &fctx->name;
++	dqname = qname = &fctx->name;
+ 	type = fctx->type;
++	dns_fixedname_init(&fqdname);
+ 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ 	while (!done && result == ISC_R_SUCCESS) {
+-		dns_namereln_t namereln;
++		dns_namereln_t namereln, dnamereln;
++
+ 		int order;
+ 		unsigned int nlabels;
+ 
+@@ -5817,6 +5827,8 @@
+ 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++		dnamereln = dns_name_fullcompare(dqname, name, &order,
++						     &nlabels);
+ 		if (namereln == dns_namereln_equal) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -5897,7 +5909,7 @@
+ 						return (result);
+ 				} else if (rdataset->type == dns_rdatatype_rrsig
+ 					   && rdataset->covers ==
+-					   dns_rdatatype_cname
++					      dns_rdatatype_cname
+ 					   && !found_type) {
+ 					/*
+ 					 * We're looking for something else,
+@@ -5927,11 +5939,18 @@
+ 						 * a CNAME or DNAME).
+ 						 */
+ 						INSIST(!external);
+-						if (aflag ==
+-						    DNS_RDATASETATTR_ANSWER) {
++						if ((rdataset->type !=
++						     dns_rdatatype_cname) ||
++						    !found_dname ||
++						    (aflag ==
++						     DNS_RDATASETATTR_ANSWER))
++						{
+ 							have_answer = ISC_TRUE;
++							if (rdataset->type ==
++							    dns_rdatatype_cname)
++								cname = name;
+ 							name->attributes |=
+-								DNS_NAMEATTR_ANSWER;
++							    DNS_NAMEATTR_ANSWER;
+ 						}
+ 						rdataset->attributes |= aflag;
+ 						if (aa)
+@@ -6029,11 +6048,11 @@
+ 					return (DNS_R_FORMERR);
+ 				}
+ 
+-				if (namereln != dns_namereln_subdomain) {
++				if (dnamereln != dns_namereln_subdomain) {
+ 					char qbuf[DNS_NAME_FORMATSIZE];
+ 					char obuf[DNS_NAME_FORMATSIZE];
+ 
+-					dns_name_format(qname, qbuf,
++					dns_name_format(dqname, qbuf,
+ 							sizeof(qbuf));
+ 					dns_name_format(name, obuf,
+ 							sizeof(obuf));
+@@ -6052,7 +6071,7 @@
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+ 					aflag = DNS_RDATASETATTR_ANSWER;
+-					result = dname_target(rdataset, qname,
++					result = dname_target(rdataset, dqname,
+ 							      nlabels, &fdname);
+ 					if (result == ISC_R_NOSPACE) {
+ 						/*
+@@ -6068,6 +6087,8 @@
+ 						dnameset = rdataset;
+ 
+ 					dname = dns_fixedname_name(&fdname);
++					dqname = dns_fixedname_name(&fqdname);
++					dns_name_copy(dname, dqname, NULL);
+ 				} else {
+ 					/*
+ 					 * We've found a signature that
+@@ -6092,6 +6113,10 @@
+ 					INSIST(!external);
+ 					if (aflag == DNS_RDATASETATTR_ANSWER) {
+ 						have_answer = ISC_TRUE;
++						found_dname = ISC_TRUE;
++						if (cname != NULL)
++							cname->attributes &=
++							   ~DNS_NAMEATTR_ANSWER;
+ 						name->attributes |=
+ 							DNS_NAMEATTR_ANSWER;
+ 					}
+diff -r 94ec7bb11985 version
+--- a/version	Thu Oct 27 01:35:34 2016 -0700
++++ b/version	Fri Oct 28 17:37:53 2016 -0700
+@@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-S8
++EXTENSIONS=-S9