From 414d5ed7dd8cad7ef2738c53f9b9ecfe246ed91c Mon Sep 17 00:00:00 2001
From: erwin <erwin@FreeBSD.org>
Date: Wed, 31 Jul 2013 11:42:42 +0000
Subject: [PATCH] Vendor import of BIND 9.8.5-P2

Approved by:	delphij (mentor, implicit)
Sponsored by:	DK Hostmaster A/S
---
 CHANGES                               | 6 ++++++
 lib/dns/rdata/generic/keydata_65533.c | 2 +-
 version                               | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2cfcb7b292f8..e8383c62baf4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+	--- 9.8.5-P2 released ---
+
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
+
 	--- 9.8.5-P1 released ---
 
 3584.	[security]	Caching data from an incompletely signed zone could
diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c
index 2592c30f6a08..317e1a87246a 100644
--- a/lib/dns/rdata/generic/keydata_65533.c
+++ b/lib/dns/rdata/generic/keydata_65533.c
@@ -176,7 +176,7 @@ fromwire_keydata(ARGS_FROMWIRE) {
 	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
+	if (sr.length < 16)
 		return (ISC_R_UNEXPECTEDEND);
 
 	isc_buffer_forward(source, sr.length);
diff --git a/version b/version
index 722bbe7f9b2f..7a518ed3ba84 100644
--- a/version
+++ b/version
@@ -9,4 +9,4 @@ MAJORVER=9
 MINORVER=8
 PATCHVER=5
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2