From 9cfd20cd90fab4c97fe91f68555b7a2e05b808e8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 16 Jan 2024 14:25:27 +1100 Subject: [PATCH 1/3] Clear qctx->zversion Clear qctx->zversion when clearing qctx->zrdataset et al in lib/ns/query.c:qctx_freedata. The uncleared pointer could lead to an assertion failure if zone data needed to be re-saved which could happen with stale data support enabled. (cherry picked from commit 179fb3532ab8d4898ab070b2db54c0ce872ef709) --- lib/ns/query.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/ns/query.c b/lib/ns/query.c index 37b0d0ab0d..132a151bed 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -5325,6 +5325,7 @@ qctx_freedata(query_ctx_t *qctx) { ns_client_releasename(qctx->client, &qctx->zfname); dns_db_detachnode(qctx->zdb, &qctx->znode); dns_db_detach(&qctx->zdb); + qctx->zversion = NULL; } if (qctx->event != NULL && !qctx->client->nodetach) { From 7d3042c384baf0d8174bcd8f66902c2213bcd664 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 16 Jan 2024 14:36:12 +1100 Subject: [PATCH 2/3] Add CHANGES note for [GL #4507] (cherry picked from commit 09ff8b1169f8be6867c0b2004d0369d246ad2994) --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 655694c8d1..626c497404 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +6403. [security] qctx-zversion was not being cleared when it should have + been leading to an assertion failure if it needed to be + reused. (CVE-2024-4076) [GL #4507] + 6402. [security] Remove SIG(0) support from named as a countermeasure for CVE-2024-1975. [GL #4480] From acfb8508a845c29d9647a8b87f4b103172aaac09 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 2 May 2024 16:30:30 +0200 Subject: [PATCH 3/3] Add release note for [GL #4507] (cherry picked from commit 454f245a7047571afdfda62978ea75dda119a712) --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index fbd682b01b..5aeb796621 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -39,6 +39,10 @@ Security Fixes Support for SIG(0) message validation was removed from this version of :iscman:`named`. :cve:`2024-1975` :gl:`#4480` +- Due to a logic error, lookups that trigger serving stale data and require + lookups in local authoritative zone data may result in an assertion failure. + This has been fixed. :cve:`2024-4076` :gl:`#4507` + - Named could trigger an assertion failure when looking up the NS records of parent zones as part of looking up DS records. This has been fixed. :gl:`#4661`
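Review bot: in the lib/ns/query.c hunk of PATCH 1/3, the new `qctx->zversion = NULL;` only drops the pointer; nothing in the hunk shows the version being released. If `zversion` was obtained with `dns_db_currentversion()` it needs a matching `dns_db_closeversion()` before the `dns_db_detach(&qctx->zdb);` line above it, not just a NULL assignment; if it is only a borrowed copy of the version saved alongside `zdb` (which is what the commit message's "re-saved" wording implies), a one-line comment to that effect next to the assignment would stop the next reader from asking the same question.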
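Review bot: in the CHANGES hunk of PATCH 2/3, "qctx-zversion" should read "qctx->zversion" so the entry names the same field as the code change, and the sentence needs a comma to parse: "qctx->zversion was not being cleared when it should have been, leading to an assertion failure if it needed to be reused."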
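Review bot: the doc/notes/notes-current.rst hunk of PATCH 3/3 drops the precondition that the commit message for PATCH 1/3 states, namely that the assertion failure is only reachable with stale data support enabled; an operator reading only the release notes cannot tell whether their configuration is affected. Suggest leading the bullet with that condition, e.g. "When serving stale data is enabled, lookups that require lookups in local authoritative zone data may result in an assertion failure due to a logic error." (Also, the first sentence currently says "lookups ... and require lookups", which reads better as "queries ... that require lookups".)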