OVAL Reference oval:org.opensuse.security:def:4943

Oval Definition:

oval:org.opensuse.security:def:4943

Revision Date:	2020-12-02	Version:	1
Title:	Security update for bind (Moderate)
Description:	This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
Family:	unix	Class:	patch
Status:		Reference(s):	1013712 1100369 1109160 1110850 1118367 1118368 1125330 1128220 1129821 1130262 1142825 1142832 1142835 1156205 1157051 1158194 1158328 1161168 1170667 1170713 1171313 1171740 1172958 1173307 1173311 1173983 1174910 1174913 1175443 1176092 1176674 906079 CVE-2007-6600 CVE-2009-0186 CVE-2009-1273 CVE-2009-4034 CVE-2009-4136 CVE-2010-1169 CVE-2010-1170 CVE-2010-2640 CVE-2010-2641 CVE-2010-2642 CVE-2010-2643 CVE-2010-3433 CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543 CVE-2011-2696 CVE-2011-2896 CVE-2012-0866 CVE-2012-0867 CVE-2012-0868 CVE-2012-2143 CVE-2012-2655 CVE-2012-3236 CVE-2012-3488 CVE-2012-3489 CVE-2012-5576 CVE-2013-0221 CVE-2013-0222 CVE-2013-0223 CVE-2013-0255 CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067 CVE-2014-0467 CVE-2016-9798 CVE-2017-3136 CVE-2018-11784 CVE-2018-18335 CVE-2018-18356 CVE-2018-18506 CVE-2018-18509 CVE-2018-5741 CVE-2019-10181 CVE-2019-10182 CVE-2019-10185 CVE-2019-11745 CVE-2019-13722 CVE-2019-17005 CVE-2019-17008 CVE-2019-17009 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012 CVE-2019-19451 CVE-2019-5785 CVE-2019-6477 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9794 CVE-2019-9795 CVE-2019-9796 CVE-2019-9801 CVE-2019-9810 CVE-2019-9813 CVE-2020-14361 CVE-2020-14362 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 SUSE-SU-2018:3968-1 SUSE-SU-2019:0853-1 SUSE-SU-2019:2033-1 SUSE-SU-2019:3046-1 SUSE-SU-2019:3339-1 SUSE-SU-2019:3391-1 SUSE-SU-2020:2481-1 SUSE-SU-2020:2914-1
Platform(s):	SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Availability 12 SUSE Linux Enterprise High Availability 12 SP1 SUSE Linux Enterprise High Availability 12 SP2 SUSE Linux Enterprise High Availability 12 SP4 SUSE Linux Enterprise High Availability 12 SP5 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Linux Enterprise Module for Web Scripting 15 SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for Rasperry Pi 12 SP2 SUSE Linux Enterprise Server for VMWare 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1	Product(s):
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP3 is installed AND Package Information evolution-data-server-2.28.2-0.32.1 is installed OR evolution-data-server-32bit-2.28.2-0.32.1 is installed OR evolution-data-server-lang-2.28.2-0.32.1 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 is installed AND Package Information coreutils-8.22-5 is installed OR coreutils-lang-8.22-5 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP1 is installed AND autofs-5.0.9-8 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP2 is installed AND Package Information MozillaFirefox-45.4.0esr-81 is installed OR MozillaFirefox-translations-45.4.0esr-81 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP3 is installed AND Package Information emacs-24.3-19 is installed OR emacs-info-24.3-19 is installed OR emacs-x11-24.3-19 is installed OR etags-24.3-19 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP4 is installed AND Package Information expat-2.1.0-21.3 is installed OR libexpat1-2.1.0-21.3 is installed OR libexpat1-32bit-2.1.0-21.3 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 12 is installed AND Package Information ctdb-4.2.4-18.17.1 is installed OR samba-4.2.4-18.17.1 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 12 SP1 is installed AND hawk2-1.0.1+git.1456406635.49e230d-12.1 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 12 SP2 is installed AND Package Information libpacemaker3-1.1.15-19 is installed OR pacemaker-1.1.15-19 is installed OR pacemaker-cli-1.1.15-19 is installed OR pacemaker-cts-1.1.15-19 is installed OR pacemaker-remote-1.1.15-19 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 12 SP4 is installed AND python-requests-2.11.1-6.28 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 12 SP5 is installed AND Package Information cluster-md-kmp-default-4.12.14-120 is installed OR dlm-kmp-default-4.12.14-120 is installed OR gfs2-kmp-default-4.12.14-120 is installed OR ocfs2-kmp-default-4.12.14-120 is installed
Definition Synopsis
SUSE Linux Enterprise High Performance Computing 12 SP5 is installed AND Package Information apache-commons-beanutils-1.9.2-3.3 is installed OR apache-commons-beanutils-javadoc-1.9.2-3.3 is installed
Definition Synopsis
SUSE Linux Enterprise Live Patching 12 is installed AND Package Information kgraft-patch-3_12_38-44-default-1-2.2 is installed OR kgraft-patch-3_12_38-44-xen-1-2.2 is installed OR kgraft-patch-SLE12_Update_3-1-2.2 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Containers 12 is installed AND docker-1.8.3-49.1 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Legacy Software 12 is installed AND Package Information cups154-1.5.4-5.1 is installed OR cups154-client-1.5.4-5.1 is installed OR cups154-filters-1.5.4-5.1 is installed OR cups154-libs-1.5.4-5.1 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Public Cloud 12 is installed AND Package Information kernel-ec2-3.12.38-44.1 is installed OR kernel-ec2-devel-3.12.38-44.1 is installed OR kernel-ec2-extra-3.12.38-44.1 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Server Applications 15 SP2 is installed AND Package Information bind-9.16.6-12.32 is installed OR bind-chrootenv-9.16.6-12.32 is installed OR bind-doc-9.16.6-12.32 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Web Scripting 12 is installed AND Package Information apache2-mod_php5-5.5.14-11.3 is installed OR php5-5.5.14-11.3 is installed OR php5-bcmath-5.5.14-11.3 is installed OR php5-bz2-5.5.14-11.3 is installed OR php5-calendar-5.5.14-11.3 is installed OR php5-ctype-5.5.14-11.3 is installed OR php5-curl-5.5.14-11.3 is installed OR php5-dba-5.5.14-11.3 is installed OR php5-dom-5.5.14-11.3 is installed OR php5-enchant-5.5.14-11.3 is installed OR php5-exif-5.5.14-11.3 is installed OR php5-fastcgi-5.5.14-11.3 is installed OR php5-fileinfo-5.5.14-11.3 is installed OR php5-fpm-5.5.14-11.3 is installed OR php5-ftp-5.5.14-11.3 is installed OR php5-gd-5.5.14-11.3 is installed OR php5-gettext-5.5.14-11.3 is installed OR php5-gmp-5.5.14-11.3 is installed OR php5-iconv-5.5.14-11.3 is installed OR php5-intl-5.5.14-11.3 is installed OR php5-json-5.5.14-11.3 is installed OR php5-ldap-5.5.14-11.3 is installed OR php5-mbstring-5.5.14-11.3 is installed OR php5-mcrypt-5.5.14-11.3 is installed OR php5-mysql-5.5.14-11.3 is installed OR php5-odbc-5.5.14-11.3 is installed OR php5-openssl-5.5.14-11.3 is installed OR php5-pcntl-5.5.14-11.3 is installed OR php5-pdo-5.5.14-11.3 is installed OR php5-pear-5.5.14-11.3 is installed OR php5-pgsql-5.5.14-11.3 is installed OR php5-pspell-5.5.14-11.3 is installed OR php5-shmop-5.5.14-11.3 is installed OR php5-snmp-5.5.14-11.3 is installed OR php5-soap-5.5.14-11.3 is installed OR php5-sockets-5.5.14-11.3 is installed OR php5-sqlite-5.5.14-11.3 is installed OR php5-suhosin-5.5.14-11.3 is installed OR php5-sysvmsg-5.5.14-11.3 is installed OR php5-sysvsem-5.5.14-11.3 is installed OR php5-sysvshm-5.5.14-11.3 is installed OR php5-tokenizer-5.5.14-11.3 is installed OR php5-wddx-5.5.14-11.3 is installed OR php5-xmlreader-5.5.14-11.3 is installed OR php5-xmlrpc-5.5.14-11.3 is installed OR php5-xmlwriter-5.5.14-11.3 is installed OR php5-xsl-5.5.14-11.3 is installed OR php5-zip-5.5.14-11.3 is installed OR php5-zlib-5.5.14-11.3 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Web Scripting 15 is installed AND Package Information tomcat-9.0.12-3.8 is installed OR tomcat-admin-webapps-9.0.12-3.8 is installed OR tomcat-el-3_0-api-9.0.12-3.8 is installed OR tomcat-jsp-2_3-api-9.0.12-3.8 is installed OR tomcat-lib-9.0.12-3.8 is installed OR tomcat-servlet-4_0-api-9.0.12-3.8 is installed OR tomcat-webapps-9.0.12-3.8 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP2 is installed AND wireshark-1.4.10-0.2.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP3 is installed AND cifs-utils-5.1-0.11.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP3-LTSS is installed AND Package Information mono-core-2.6.7-0.18.1 is installed OR mono-data-2.6.7-0.18.1 is installed OR mono-data-postgresql-2.6.7-0.18.1 is installed OR mono-data-sqlite-2.6.7-0.18.1 is installed OR mono-locale-extras-2.6.7-0.18.1 is installed OR mono-nunit-2.6.7-0.18.1 is installed OR mono-web-2.6.7-0.18.1 is installed OR mono-winforms-2.6.7-0.18.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 is installed AND Package Information cpio-2.11-29.1 is installed OR cpio-lang-2.11-29.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1 is installed AND Package Information bind-9.9.6P1-32.1 is installed OR bind-chrootenv-9.9.6P1-32.1 is installed OR bind-doc-9.9.6P1-32.1 is installed OR bind-libs-9.9.6P1-32.1 is installed OR bind-libs-32bit-9.9.6P1-32.1 is installed OR bind-utils-9.9.6P1-32.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2 is installed AND cifs-utils-6.5-8 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3 is installed AND Package Information apache2-mod_apparmor-2.8.2-49 is installed OR apparmor-docs-2.8.2-49 is installed OR apparmor-parser-2.8.2-49 is installed OR apparmor-profiles-2.8.2-49 is installed OR apparmor-utils-2.8.2-49 is installed OR libapparmor1-2.8.2-49 is installed OR libapparmor1-32bit-2.8.2-49 is installed OR pam_apparmor-2.8.2-49 is installed OR pam_apparmor-32bit-2.8.2-49 is installed OR perl-apparmor-2.8.2-49 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP4 is installed AND Package Information DirectFB-1.7.1-6 is installed OR lib++dfb-1_7-1-1.7.1-6 is installed OR libdirectfb-1_7-1-1.7.1-6 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12-LTSS is installed AND Package Information kgraft-patch-3_12_44-52_18-default-6-2.2 is installed OR kgraft-patch-3_12_44-52_18-xen-6-2.2 is installed OR kgraft-patch-SLE12_Update_7-6-2.2 is installed
Definition Synopsis
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 is installed AND w3m-0.5.3.git20161120-160 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 11 SP4 is installed AND Package Information MozillaFirefox-38.7.0esr-37.3 is installed OR MozillaFirefox-devel-38.7.0esr-37.3 is installed OR mozilla-nspr-4.12-24.1 is installed OR mozilla-nspr-devel-4.12-24.1 is installed OR mozilla-nss-3.20.2-28.1 is installed OR mozilla-nss-devel-3.20.2-28.1 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP1 is installed AND freetype2-devel-2.5.5-7.5 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP2 is installed AND Package Information FastCGI-2.4.0-167 is installed OR perl-FastCGI-2.4.0-167 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP3 is installed AND apache2-devel-2.4.23-28 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 12 is installed AND Package Information flash-player-11.2.202.418-11.1 is installed OR flash-player-gnome-11.2.202.418-11.1 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 15 is installed AND icedtea-web-1.7.2-3.3 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 15 SP1 is installed AND Package Information MozillaThunderbird-68.3.0-3.61 is installed OR MozillaThunderbird-translations-common-68.3.0-3.61 is installed OR MozillaThunderbird-translations-other-68.3.0-3.61 is installed

BACK