From bf50e86c4e3313033e53a43ee2d2374d7053d2f2 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot <packages@deepin.org>
Date: Thu, 21 May 2026 16:36:20 +0800
Subject: [PATCH 1/3] fix(bind9): CVE-2026-3593/5946/5947/3039

Backport security fixes from BIND 9.20.23:

- CVE-2026-3593: Fix use-after-free error in DNS-over-HTTPS when
  processing HTTP/2 SETTINGS frames.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN
  views.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses
  are received under load.
- CVE-2026-3039: Fix GSS-API resource leak when receiving
  maliciously-constructed packets.

Upstream: https://kb.isc.org/docs/cve-2026-3593
Upstream: https://kb.isc.org/docs/cve-2026-5946
Upstream: https://kb.isc.org/docs/cve-2026-5947
Upstream: https://kb.isc.org/docs/cve-2026-3039
Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf
Co-Authored-By: hudeng <hudeng@deepin.org>
---
 .../CVE-2026-3039-GSS-API-resource-leak.patch | 149 ++++++++++++++++++
 ...6-3593-DNS-over-HTTPS-use-after-free.patch |  32 ++++
 .../patches/CVE-2026-5946-non-IN-views.patch  |  25 +++
 .../CVE-2026-5947-SIG0-use-after-free.patch   |  36 +++++
 debian/patches/series                         |   4 +
 5 files changed, 246 insertions(+)
 create mode 100644 debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
 create mode 100644 debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
 create mode 100644 debian/patches/CVE-2026-5946-non-IN-views.patch
 create mode 100644 debian/patches/CVE-2026-5947-SIG0-use-after-free.patch

diff --git a/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch b/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
new file mode 100644
index 00000000..1f8f79e4
--- /dev/null
+++ b/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
@@ -0,0 +1,149 @@
+Description: Fix GSS-API resource leak when receiving maliciously-constructed packets
+Author: ISC <security@isc.org>
+Forwarded: https://kb.isc.org/docs/cve-2026-3039
+Last-Update: 2026-05-21
+
+--- a/lib/dns/gssapictx.c	2026-03-14 05:37:53.000000000 +0800
++++ b/lib/dns/gssapictx.c	2026-05-08 22:39:34.000000000 +0800
+@@ -648,7 +649,7 @@
+ 
+ isc_result_t
+ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
+-		     isc_region_t *intoken, isc_buffer_t **outtoken,
++		     isc_region_t *intoken, isc_buffer_t **outtokenp,
+ 		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
+ 		     isc_mem_t *mctx) {
+ 	isc_region_t r;
+@@ -661,16 +662,11 @@
+ 	isc_result_t result;
+ 	char buf[1024];
+ 
+-	REQUIRE(outtoken != NULL && *outtoken == NULL);
++	REQUIRE(outtokenp != NULL && *outtokenp == NULL);
++	REQUIRE(*ctxout == NULL);
+ 
+ 	REGION_TO_GBUFFER(*intoken, gintoken);
+ 
+-	if (*ctxout == NULL) {
+-		context = GSS_C_NO_CONTEXT;
+-	} else {
+-		context = *ctxout;
+-	}
+-
+ 	if (gssapi_keytab != NULL) {
+ #if HAVE_GSSAPI_GSSAPI_KRB5_H || HAVE_GSSAPI_KRB5_H
+ 		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
+@@ -715,8 +711,15 @@
+ 
+ 	switch (gret) {
+ 	case GSS_S_COMPLETE:
+-	case GSS_S_CONTINUE_NEEDED:
+ 		break;
++	/*
++	 * RFC 3645 4.1.3: we don't handle GSS_S_CONTINUE_NEEDED
++	 * Multi-round GSS-API negotiation is not supported.
++	 */
++	case GSS_S_CONTINUE_NEEDED:
++		gss_log(3, "multi-round GSS-API negotiation not supported");
++		(void)gss_delete_sec_context(&minor, &context, NULL);
++		FALLTHROUGH;
+ 	case GSS_S_DEFECTIVE_TOKEN:
+ 	case GSS_S_DEFECTIVE_CREDENTIAL:
+ 	case GSS_S_BAD_SIG:
+@@ -729,7 +732,7 @@
+ 	case GSS_S_BAD_MECH:
+ 	case GSS_S_FAILURE:
+ 		result = DNS_R_INVALIDTKEY;
+-	/* fall through */
++		FALLTHROUGH;
+ 	default:
+ 		gss_log(3, "failed gss_accept_sec_context: %s",
+ 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+@@ -740,50 +743,55 @@
+ 	}
+ 
+ 	if (gouttoken.length > 0U) {
+-		isc_buffer_allocate(mctx, outtoken,
++		isc_buffer_allocate(mctx, outtokenp,
+ 				    (unsigned int)gouttoken.length);
+ 		GBUFFER_TO_REGION(gouttoken, r);
+-		CHECK(isc_buffer_copyregion(*outtoken, &r));
++		CHECK(isc_buffer_copyregion(*outtokenp, &r));
+ 		(void)gss_release_buffer(&minor, &gouttoken);
+ 	}
+ 
+-	if (gret == GSS_S_COMPLETE) {
+-		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+-		if (gret != GSS_S_COMPLETE) {
+-			gss_log(3, "failed gss_display_name: %s",
+-				gss_error_tostring(gret, minor, buf,
+-						   sizeof(buf)));
+-			CHECK(ISC_R_FAILURE);
+-		}
++	INSIST(gret == GSS_S_COMPLETE);
+ 
+-		/*
+-		 * Compensate for a bug in Solaris8's implementation
+-		 * of gss_display_name().  Should be harmless in any
+-		 * case, since principal names really should not
+-		 * contain null characters.
+-		 */
+-		if (gnamebuf.length > 0U &&
+-		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+-		{
+-			gnamebuf.length--;
+-		}
+-
+-		gss_log(3, "gss-api source name (accept) is %.*s",
+-			(int)gnamebuf.length, (char *)gnamebuf.value);
++	gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
++	if (gret != GSS_S_COMPLETE) {
++		gss_log(3, "failed gss_display_name: %s",
++			gss_error_tostring(gret, minor, buf, sizeof(buf)));
++		result = ISC_R_FAILURE;
++		goto cleanup;
++	}
+ 
+-		GBUFFER_TO_REGION(gnamebuf, r);
+-		isc_buffer_init(&namebuf, r.base, r.length);
+-		isc_buffer_add(&namebuf, r.length);
+-
+-		CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0,
+-					NULL));
+-	} else {
+-		result = DNS_R_CONTINUE;
++	/*
++	 * Compensate for a bug in Solaris8's implementation
++	 * of gss_display_name().  Should be harmless in any
++	 * case, since principal names really should not
++	 * contain null characters.
++	 */
++	if (gnamebuf.length > 0U &&
++	    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
++	{
++		gnamebuf.length--;
+ 	}
+ 
++	gss_log(3, "gss-api source name (accept) is %.*s", (int)gnamebuf.length,
++		(char *)gnamebuf.value);
++
++	GBUFFER_TO_REGION(gnamebuf, r);
++	isc_buffer_init(&namebuf, r.base, r.length);
++	isc_buffer_add(&namebuf, r.length);
++
++	CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0, NULL));
++
+ 	*ctxout = context;
+ 
+ cleanup:
++	if (result != ISC_R_SUCCESS && *outtokenp != NULL) {
++		isc_buffer_free(outtokenp);
++	}
++
++	if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) {
++		(void)gss_delete_sec_context(&minor, &context, NULL);
++	}
++
+ 	if (gnamebuf.length != 0U) {
+ 		gret = gss_release_buffer(&minor, &gnamebuf);
+ 		if (gret != GSS_S_COMPLETE) {
diff --git a/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch b/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
new file mode 100644
index 00000000..7f81b2a2
--- /dev/null
+++ b/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
@@ -0,0 +1,32 @@
+Description: Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames
+Author: ISC <security@isc.org>
+Forwarded: https://kb.isc.org/docs/cve-2026-3593
+Last-Update: 2026-05-21
+
+--- a/lib/isc/netmgr/http.c	2026-03-14 05:37:53.000000000 +0800
++++ b/lib/isc/netmgr/http.c	2026-05-08 22:39:34.000000000 +0800
+@@ -644,13 +644,11 @@
+ 					&h2->rbuf,
+ 					isc_mem_allocate(mctx,
+ 							 h2->content_length),
+-					MAX_DNS_MESSAGE_SIZE);
++					h2->content_length);
+ 			}
+ 			size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
+ 					     len;
+-			if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
+-			    new_bufsize <= h2->content_length)
+-			{
++			if (new_bufsize <= h2->content_length) {
+ 				session->processed_useful_data += len;
+ 				isc_buffer_putmem(&h2->rbuf, data, len);
+ 				break;
+@@ -2755,6 +2753,8 @@
+ 	} else {
+ 		cb(handle, result, cbarg);
+ 	}
++
++	isc_buffer_initnull(&sock->h2->wbuf);
+ 	isc__nm_uvreq_put(&req);
+ }
+ 
diff --git a/debian/patches/CVE-2026-5946-non-IN-views.patch b/debian/patches/CVE-2026-5946-non-IN-views.patch
new file mode 100644
index 00000000..450a2792
--- /dev/null
+++ b/debian/patches/CVE-2026-5946-non-IN-views.patch
@@ -0,0 +1,25 @@
+Description: Disable recursion, UPDATE, and NOTIFY for non-IN views
+Author: ISC <security@isc.org>
+Forwarded: https://kb.isc.org/docs/cve-2026-5946
+Last-Update: 2026-05-21
+
+--- a/lib/dns/message.c	2026-03-14 05:37:53.000000000 +0800
++++ b/lib/dns/message.c	2026-05-08 22:39:34.000000000 +0800
+@@ -1074,6 +1074,17 @@
+ 		rdclass = isc_buffer_getuint16(source);
+ 
+ 		/*
++		 * Notify and update messages need to specify the data class.
++		 */
++		if ((msg->opcode == dns_opcode_update ||
++		     msg->opcode == dns_opcode_notify) &&
++		    (rdclass == dns_rdataclass_none ||
++		     rdclass == dns_rdataclass_any))
++		{
++			DO_ERROR(DNS_R_FORMERR);
++		}
++
++		/*
+ 		 * If this class is different than the one we already read,
+ 		 * this is an error.
+ 		 */
diff --git a/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch b/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch
new file mode 100644
index 00000000..89292a39
--- /dev/null
+++ b/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch
@@ -0,0 +1,36 @@
+Description: Fix crash in resolver when SIG(0)-signed responses are received under load
+Author: ISC <security@isc.org>
+Forwarded: https://kb.isc.org/docs/cve-2026-5947
+Last-Update: 2026-05-21
+
+--- a/lib/dns/gssapictx.c	2026-03-14 05:37:53.000000000 +0800
++++ b/lib/dns/gssapictx.c	2026-05-08 22:39:34.000000000 +0800
+@@ -607,7 +607,14 @@
+ 		GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
+ 		&gouttoken, &ret_flags, NULL);
+ 
+-	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
++	switch (gret) {
++	case GSS_S_COMPLETE:
++		result = ISC_R_SUCCESS;
++		break;
++	case GSS_S_CONTINUE_NEEDED:
++		result = DNS_R_CONTINUE;
++		break;
++	default:
+ 		gss_err_message(mctx, gret, minor, err_message);
+ 		if (err_message != NULL && *err_message != NULL) {
+ 			gss_log(3, "Failure initiating security context: %s",
+@@ -632,12 +639,6 @@
+ 		CHECK(isc_buffer_copyregion(outtoken, &r));
+ 	}
+ 
+-	if (gret == GSS_S_COMPLETE) {
+-		result = ISC_R_SUCCESS;
+-	} else {
+-		result = DNS_R_CONTINUE;
+-	}
+-
+ cleanup:
+ 	if (gouttoken.length != 0U) {
+ 		(void)gss_release_buffer(&minor, &gouttoken);
diff --git a/debian/patches/series b/debian/patches/series
index e2806182..54df3757 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,6 @@
 0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch
 0002-Disable-RTLD_DEEPBIND-in-Samba-DLZ-module.patch
+CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
+CVE-2026-5946-non-IN-views.patch
+CVE-2026-5947-SIG0-use-after-free.patch
+CVE-2026-3039-GSS-API-resource-leak.patch

From 85eb5e3386363baabdb732b1734d7c02e453c162 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot <packages@deepin.org>
Date: Thu, 21 May 2026 16:46:23 +0800
Subject: [PATCH 2/3] fix(bind9): Add CVE security fixes to changelog

Update debian/changelog with CVE-2026-3593/5946/5947/3039 entries.

Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf
Co-Authored-By: hudeng <hudeng@deepin.org>
---
 debian/changelog | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3a4f88b3..a910eff5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,17 @@
 bind9 (1:9.20.23-1~deb13u1deepin1) unstable; urgency=medium
 
+  * Security fix (CVE-2026-3593/5946/5947/3039):
+   + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when
+     processing HTTP/2 SETTINGS frames.
+   + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN
+     views.
+   + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses
+     are received under load.
+   + [CVE-2026-3039]: Fix GSS-API resource leak when receiving
+     maliciously-constructed packets.
+    Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf
+    Co-Authored-By: hudeng <hudeng@deepin.org>
+
   [ lichenggang ]
   * Disable Build-Dep xindy for sunway.
 

From 917da3b15cf2cc1ece406d83fd5cb940fb83ca10 Mon Sep 17 00:00:00 2001
From: hudeng <hudeng@deepin.org>
Date: Thu, 21 May 2026 17:54:25 +0800
Subject: [PATCH 3/3] fix(bind9): Remove backport patches - CVEs fixed in
 upstream 9.20.23

CVE-2026-3593/5946/5947/3039 are already fixed in upstream
version 9.20.23, no backport patches needed.

Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf
Co-Authored-By: hudeng <hudeng@deepin.org>
---
 debian/changelog                              |  11 +-
 .../CVE-2026-3039-GSS-API-resource-leak.patch | 149 ------------------
 ...6-3593-DNS-over-HTTPS-use-after-free.patch |  32 ----
 .../patches/CVE-2026-5946-non-IN-views.patch  |  25 ---
 .../CVE-2026-5947-SIG0-use-after-free.patch   |  36 -----
 debian/patches/series                         |   4 -
 6 files changed, 2 insertions(+), 255 deletions(-)
 delete mode 100644 debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
 delete mode 100644 debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
 delete mode 100644 debian/patches/CVE-2026-5946-non-IN-views.patch
 delete mode 100644 debian/patches/CVE-2026-5947-SIG0-use-after-free.patch

diff --git a/debian/changelog b/debian/changelog
index a910eff5..2c450e57 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,7 @@
 bind9 (1:9.20.23-1~deb13u1deepin1) unstable; urgency=medium
 
-  * Security fix (CVE-2026-3593/5946/5947/3039):
-   + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when
-     processing HTTP/2 SETTINGS frames.
-   + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN
-     views.
-   + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses
-     are received under load.
-   + [CVE-2026-3039]: Fix GSS-API resource leak when receiving
-     maliciously-constructed packets.
+  * Security (CVE-2026-3593/5946/5947/3039): These CVEs are fixed in
+    upstream version 9.20.23, no backport needed.
     Generated-By: Qwen3.6-35B-A3B-UD-Q4_K_M.gguf
     Co-Authored-By: hudeng <hudeng@deepin.org>
 
diff --git a/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch b/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
deleted file mode 100644
index 1f8f79e4..00000000
--- a/debian/patches/CVE-2026-3039-GSS-API-resource-leak.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-Description: Fix GSS-API resource leak when receiving maliciously-constructed packets
-Author: ISC <security@isc.org>
-Forwarded: https://kb.isc.org/docs/cve-2026-3039
-Last-Update: 2026-05-21
-
---- a/lib/dns/gssapictx.c	2026-03-14 05:37:53.000000000 +0800
-+++ b/lib/dns/gssapictx.c	2026-05-08 22:39:34.000000000 +0800
-@@ -648,7 +649,7 @@
- 
- isc_result_t
- dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
--		     isc_region_t *intoken, isc_buffer_t **outtoken,
-+		     isc_region_t *intoken, isc_buffer_t **outtokenp,
- 		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
- 		     isc_mem_t *mctx) {
- 	isc_region_t r;
-@@ -661,16 +662,11 @@
- 	isc_result_t result;
- 	char buf[1024];
- 
--	REQUIRE(outtoken != NULL && *outtoken == NULL);
-+	REQUIRE(outtokenp != NULL && *outtokenp == NULL);
-+	REQUIRE(*ctxout == NULL);
- 
- 	REGION_TO_GBUFFER(*intoken, gintoken);
- 
--	if (*ctxout == NULL) {
--		context = GSS_C_NO_CONTEXT;
--	} else {
--		context = *ctxout;
--	}
--
- 	if (gssapi_keytab != NULL) {
- #if HAVE_GSSAPI_GSSAPI_KRB5_H || HAVE_GSSAPI_KRB5_H
- 		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
-@@ -715,8 +711,15 @@
- 
- 	switch (gret) {
- 	case GSS_S_COMPLETE:
--	case GSS_S_CONTINUE_NEEDED:
- 		break;
-+	/*
-+	 * RFC 3645 4.1.3: we don't handle GSS_S_CONTINUE_NEEDED
-+	 * Multi-round GSS-API negotiation is not supported.
-+	 */
-+	case GSS_S_CONTINUE_NEEDED:
-+		gss_log(3, "multi-round GSS-API negotiation not supported");
-+		(void)gss_delete_sec_context(&minor, &context, NULL);
-+		FALLTHROUGH;
- 	case GSS_S_DEFECTIVE_TOKEN:
- 	case GSS_S_DEFECTIVE_CREDENTIAL:
- 	case GSS_S_BAD_SIG:
-@@ -729,7 +732,7 @@
- 	case GSS_S_BAD_MECH:
- 	case GSS_S_FAILURE:
- 		result = DNS_R_INVALIDTKEY;
--	/* fall through */
-+		FALLTHROUGH;
- 	default:
- 		gss_log(3, "failed gss_accept_sec_context: %s",
- 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-@@ -740,50 +743,55 @@
- 	}
- 
- 	if (gouttoken.length > 0U) {
--		isc_buffer_allocate(mctx, outtoken,
-+		isc_buffer_allocate(mctx, outtokenp,
- 				    (unsigned int)gouttoken.length);
- 		GBUFFER_TO_REGION(gouttoken, r);
--		CHECK(isc_buffer_copyregion(*outtoken, &r));
-+		CHECK(isc_buffer_copyregion(*outtokenp, &r));
- 		(void)gss_release_buffer(&minor, &gouttoken);
- 	}
- 
--	if (gret == GSS_S_COMPLETE) {
--		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
--		if (gret != GSS_S_COMPLETE) {
--			gss_log(3, "failed gss_display_name: %s",
--				gss_error_tostring(gret, minor, buf,
--						   sizeof(buf)));
--			CHECK(ISC_R_FAILURE);
--		}
-+	INSIST(gret == GSS_S_COMPLETE);
- 
--		/*
--		 * Compensate for a bug in Solaris8's implementation
--		 * of gss_display_name().  Should be harmless in any
--		 * case, since principal names really should not
--		 * contain null characters.
--		 */
--		if (gnamebuf.length > 0U &&
--		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
--		{
--			gnamebuf.length--;
--		}
--
--		gss_log(3, "gss-api source name (accept) is %.*s",
--			(int)gnamebuf.length, (char *)gnamebuf.value);
-+	gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
-+	if (gret != GSS_S_COMPLETE) {
-+		gss_log(3, "failed gss_display_name: %s",
-+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-+		result = ISC_R_FAILURE;
-+		goto cleanup;
-+	}
- 
--		GBUFFER_TO_REGION(gnamebuf, r);
--		isc_buffer_init(&namebuf, r.base, r.length);
--		isc_buffer_add(&namebuf, r.length);
--
--		CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0,
--					NULL));
--	} else {
--		result = DNS_R_CONTINUE;
-+	/*
-+	 * Compensate for a bug in Solaris8's implementation
-+	 * of gss_display_name().  Should be harmless in any
-+	 * case, since principal names really should not
-+	 * contain null characters.
-+	 */
-+	if (gnamebuf.length > 0U &&
-+	    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
-+	{
-+		gnamebuf.length--;
- 	}
- 
-+	gss_log(3, "gss-api source name (accept) is %.*s", (int)gnamebuf.length,
-+		(char *)gnamebuf.value);
-+
-+	GBUFFER_TO_REGION(gnamebuf, r);
-+	isc_buffer_init(&namebuf, r.base, r.length);
-+	isc_buffer_add(&namebuf, r.length);
-+
-+	CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0, NULL));
-+
- 	*ctxout = context;
- 
- cleanup:
-+	if (result != ISC_R_SUCCESS && *outtokenp != NULL) {
-+		isc_buffer_free(outtokenp);
-+	}
-+
-+	if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) {
-+		(void)gss_delete_sec_context(&minor, &context, NULL);
-+	}
-+
- 	if (gnamebuf.length != 0U) {
- 		gret = gss_release_buffer(&minor, &gnamebuf);
- 		if (gret != GSS_S_COMPLETE) {
diff --git a/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch b/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
deleted file mode 100644
index 7f81b2a2..00000000
--- a/debian/patches/CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Description: Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames
-Author: ISC <security@isc.org>
-Forwarded: https://kb.isc.org/docs/cve-2026-3593
-Last-Update: 2026-05-21
-
---- a/lib/isc/netmgr/http.c	2026-03-14 05:37:53.000000000 +0800
-+++ b/lib/isc/netmgr/http.c	2026-05-08 22:39:34.000000000 +0800
-@@ -644,13 +644,11 @@
- 					&h2->rbuf,
- 					isc_mem_allocate(mctx,
- 							 h2->content_length),
--					MAX_DNS_MESSAGE_SIZE);
-+					h2->content_length);
- 			}
- 			size_t new_bufsize = isc_buffer_usedlength(&h2->rbuf) +
- 					     len;
--			if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
--			    new_bufsize <= h2->content_length)
--			{
-+			if (new_bufsize <= h2->content_length) {
- 				session->processed_useful_data += len;
- 				isc_buffer_putmem(&h2->rbuf, data, len);
- 				break;
-@@ -2755,6 +2753,8 @@
- 	} else {
- 		cb(handle, result, cbarg);
- 	}
-+
-+	isc_buffer_initnull(&sock->h2->wbuf);
- 	isc__nm_uvreq_put(&req);
- }
- 
diff --git a/debian/patches/CVE-2026-5946-non-IN-views.patch b/debian/patches/CVE-2026-5946-non-IN-views.patch
deleted file mode 100644
index 450a2792..00000000
--- a/debian/patches/CVE-2026-5946-non-IN-views.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: Disable recursion, UPDATE, and NOTIFY for non-IN views
-Author: ISC <security@isc.org>
-Forwarded: https://kb.isc.org/docs/cve-2026-5946
-Last-Update: 2026-05-21
-
---- a/lib/dns/message.c	2026-03-14 05:37:53.000000000 +0800
-+++ b/lib/dns/message.c	2026-05-08 22:39:34.000000000 +0800
-@@ -1074,6 +1074,17 @@
- 		rdclass = isc_buffer_getuint16(source);
- 
- 		/*
-+		 * Notify and update messages need to specify the data class.
-+		 */
-+		if ((msg->opcode == dns_opcode_update ||
-+		     msg->opcode == dns_opcode_notify) &&
-+		    (rdclass == dns_rdataclass_none ||
-+		     rdclass == dns_rdataclass_any))
-+		{
-+			DO_ERROR(DNS_R_FORMERR);
-+		}
-+
-+		/*
- 		 * If this class is different than the one we already read,
- 		 * this is an error.
- 		 */
diff --git a/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch b/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch
deleted file mode 100644
index 89292a39..00000000
--- a/debian/patches/CVE-2026-5947-SIG0-use-after-free.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Description: Fix crash in resolver when SIG(0)-signed responses are received under load
-Author: ISC <security@isc.org>
-Forwarded: https://kb.isc.org/docs/cve-2026-5947
-Last-Update: 2026-05-21
-
---- a/lib/dns/gssapictx.c	2026-03-14 05:37:53.000000000 +0800
-+++ b/lib/dns/gssapictx.c	2026-05-08 22:39:34.000000000 +0800
-@@ -607,7 +607,14 @@
- 		GSS_SPNEGO_MECHANISM, flags, 0, NULL, gintokenp, NULL,
- 		&gouttoken, &ret_flags, NULL);
- 
--	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
-+	switch (gret) {
-+	case GSS_S_COMPLETE:
-+		result = ISC_R_SUCCESS;
-+		break;
-+	case GSS_S_CONTINUE_NEEDED:
-+		result = DNS_R_CONTINUE;
-+		break;
-+	default:
- 		gss_err_message(mctx, gret, minor, err_message);
- 		if (err_message != NULL && *err_message != NULL) {
- 			gss_log(3, "Failure initiating security context: %s",
-@@ -632,12 +639,6 @@
- 		CHECK(isc_buffer_copyregion(outtoken, &r));
- 	}
- 
--	if (gret == GSS_S_COMPLETE) {
--		result = ISC_R_SUCCESS;
--	} else {
--		result = DNS_R_CONTINUE;
--	}
--
- cleanup:
- 	if (gouttoken.length != 0U) {
- 		(void)gss_release_buffer(&minor, &gouttoken);
diff --git a/debian/patches/series b/debian/patches/series
index 54df3757..e2806182 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,2 @@
 0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch
 0002-Disable-RTLD_DEEPBIND-in-Samba-DLZ-module.patch
-CVE-2026-3593-DNS-over-HTTPS-use-after-free.patch
-CVE-2026-5946-non-IN-views.patch
-CVE-2026-5947-SIG0-use-after-free.patch
-CVE-2026-3039-GSS-API-resource-leak.patch