| Revision Date: | 2020-12-01 | Version: | 1 |
| Title: | Security update for bind (Moderate) |
| Description: |
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now stricter with regard to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168).
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524).
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group, has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey so as not to break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
|
| Family: | unix | Class: | patch |
| Status: | | Reference(s): | 1058115 1095508 1100369 1109160 1118367 1118368 1120470 1120502 1120503 1120504 1120584 1120589 1120999 1127838 1128220 1135350 1148742 1156205 1157051 1160398 1160968 1161168 1162501 1163592 1167030 1169511 1170667 1170713 1171313 1171352 1171740 1171883 1172277 1172726 1172873 1172958 1173100 1173307 1173311 1173659 1173661 1173663 1173758 1173869 1173942 1173963 1173983 1174186 1174247 1174633 1174635 1174638 1174662 1175306 1175443 1175721 1176092 1176674 1176855 1176907 1176983 1177582 1177703 1177819 1177820 1178123 1178393 1178589 1178622 1178686 1178765 1178782 906079 927455 CVE-2017-18594 CVE-2017-3136 CVE-2018-10995 CVE-2018-15173 CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549 CVE-2018-5741 CVE-2019-0155 CVE-2019-0804 CVE-2019-14895 CVE-2019-14901 CVE-2019-16746 CVE-2019-19447 CVE-2019-20446 CVE-2019-2949 CVE-2019-6477 CVE-2019-9458 CVE-2020-11668 CVE-2020-13943 CVE-2020-13962 CVE-2020-14331 CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-15780 CVE-2020-25668 CVE-2020-25704 CVE-2020-25705 CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659 CVE-2020-2754 CVE-2020-2754 CVE-2020-2755 CVE-2020-2755 CVE-2020-2756 CVE-2020-2756 CVE-2020-2757 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2781 CVE-2020-2800 CVE-2020-2800 CVE-2020-2803 CVE-2020-2803 CVE-2020-2805 CVE-2020-2805 CVE-2020-2830 CVE-2020-2830 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 SUSE-SU-2018:1925-1 SUSE-SU-2019:0603-1 SUSE-SU-2019:0770-1 SUSE-SU-2019:2425-1 SUSE-SU-2020:0231-1 SUSE-SU-2020:0629-1 SUSE-SU-2020:1684-1 SUSE-SU-2020:1858-1 SUSE-SU-2020:2326-1 SUSE-SU-2020:2914-1
|
| Platform(s): | SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for additional PackageHub packages 15 SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for High Performance Computing 15 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8
| Product(s): | |
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 11 SP3 is installed AND cabextract-1.2-2.12 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 is installed
AND Package Information
kernel-default-3.12.28-4 is installed
OR kernel-default-devel-3.12.28-4 is installed
OR kernel-default-extra-3.12.28-4 is installed
OR kernel-devel-3.12.28-4 is installed
OR kernel-macros-3.12.28-4 is installed
OR kernel-source-3.12.28-4 is installed
OR kernel-syms-3.12.28-4 is installed
OR kernel-xen-3.12.28-4 is installed
OR kernel-xen-devel-3.12.28-4 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 SP1 is installed
AND Package Information
aaa_base-13.2+git20140911.61c1681-9 is installed
OR aaa_base-extras-13.2+git20140911.61c1681-9 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 SP2 is installed
AND Package Information
cpio-2.11-29 is installed
OR cpio-lang-2.11-29 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 SP3 is installed
AND cvs-1.12.12-181 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Desktop 12 SP4 is installed
AND Package Information
cyrus-sasl-2.1.26-8.7 is installed
OR cyrus-sasl-32bit-2.1.26-8.7 is installed
OR cyrus-sasl-crammd5-2.1.26-8.7 is installed
OR cyrus-sasl-crammd5-32bit-2.1.26-8.7 is installed
OR cyrus-sasl-digestmd5-2.1.26-8.7 is installed
OR cyrus-sasl-digestmd5-32bit-2.1.26-8.7 is installed
OR cyrus-sasl-gssapi-2.1.26-8.7 is installed
OR cyrus-sasl-gssapi-32bit-2.1.26-8.7 is installed
OR cyrus-sasl-plain-2.1.26-8.7 is installed
OR cyrus-sasl-plain-32bit-2.1.26-8.7 is installed
OR cyrus-sasl-saslauthd-2.1.26-8.7 is installed
OR libsasl2-3-2.1.26-8.7 is installed
OR libsasl2-3-32bit-2.1.26-8.7 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for additional PackageHub packages 15 is installed
AND Package Information
nmap-7.70-3.12 is installed
OR nping-7.70-3.12 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed
AND Package Information
bind-9.16.6-12.32 is installed
OR bind-devel-9.16.6-12.32 is installed
OR bind-utils-9.16.6-12.32 is installed
OR libbind9-1600-9.16.6-12.32 is installed
OR libdns1605-9.16.6-12.32 is installed
OR libirs-devel-9.16.6-12.32 is installed
OR libirs1601-9.16.6-12.32 is installed
OR libisc1606-9.16.6-12.32 is installed
OR libisccc1600-9.16.6-12.32 is installed
OR libisccfg1600-9.16.6-12.32 is installed
OR libns1604-9.16.6-12.32 is installed
OR python3-bind-9.16.6-12.32 is installed
OR sysuser-shadow-2.0-4.2 is installed
OR sysuser-tools-2.0-4.2 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for High Performance Computing 15 is installed
AND Package Information
libpmi0-17.11.7-6.3 is installed
OR libslurm32-17.11.7-6.3 is installed
OR perl-slurm-17.11.7-6.3 is installed
OR slurm-17.11.7-6.3 is installed
OR slurm-auth-none-17.11.7-6.3 is installed
OR slurm-config-17.11.7-6.3 is installed
OR slurm-devel-17.11.7-6.3 is installed
OR slurm-doc-17.11.7-6.3 is installed
OR slurm-lua-17.11.7-6.3 is installed
OR slurm-munge-17.11.7-6.3 is installed
OR slurm-node-17.11.7-6.3 is installed
OR slurm-pam_slurm-17.11.7-6.3 is installed
OR slurm-plugins-17.11.7-6.3 is installed
OR slurm-slurmdbd-17.11.7-6.3 is installed
OR slurm-sql-17.11.7-6.3 is installed
OR slurm-torque-17.11.7-6.3 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Live Patching 15 is installed
AND Package Information
kernel-livepatch-4_12_14-150_41-default-6-2 is installed
OR kernel-livepatch-SLE15_Update_16-6-2 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 is installed
AND Package Information
libjavascriptcoregtk-4_0-18-32bit-2.28.4-3.60 is installed
OR libwebkit2gtk-4_0-37-32bit-2.28.4-3.60 is installed
OR webkit-jsc-4-2.28.4-3.60 is installed
OR webkit2gtk3-2.28.4-3.60 is installed
OR webkit2gtk3-minibrowser-2.28.4-3.60 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 is installed
AND Package Information
java-1_8_0-openjdk-1.8.0.252-3.35 is installed
OR java-1_8_0-openjdk-accessibility-1.8.0.252-3.35 is installed
OR java-1_8_0-openjdk-javadoc-1.8.0.252-3.35 is installed
OR java-1_8_0-openjdk-src-1.8.0.252-3.35 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Public Cloud 15 is installed
AND python-azure-agent-2.2.36-7.6 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Module for Server Applications 15 is installed
AND Package Information
libcaca-0.99.beta19.git20171003-3.3 is installed
OR libcaca-devel-0.99.beta19.git20171003-3.3 is installed
OR libcaca0-0.99.beta19.git20171003-3.3 is installed
OR libcaca0-plugins-0.99.beta19.git20171003-3.3 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP1 is installed
AND Package Information
freeradius-server-3.0.3-10 is installed
OR freeradius-server-doc-3.0.3-10 is installed
OR freeradius-server-krb5-3.0.3-10 is installed
OR freeradius-server-ldap-3.0.3-10 is installed
OR freeradius-server-libs-3.0.3-10 is installed
OR freeradius-server-mysql-3.0.3-10 is installed
OR freeradius-server-perl-3.0.3-10 is installed
OR freeradius-server-postgresql-3.0.3-10 is installed
OR freeradius-server-python-3.0.3-10 is installed
OR freeradius-server-sqlite-3.0.3-10 is installed
OR freeradius-server-utils-3.0.3-10 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP1-LTSS is installed
AND Package Information
libopenssl1_0_0-1.0.1i-54.8 is installed
OR libopenssl1_0_0-32bit-1.0.1i-54.8 is installed
OR libopenssl1_0_0-hmac-1.0.1i-54.8 is installed
OR libopenssl1_0_0-hmac-32bit-1.0.1i-54.8 is installed
OR openssl-1.0.1i-54.8 is installed
OR openssl-doc-1.0.1i-54.8 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP2 is installed
AND ft2demos-2.6.3-7.8 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP2-BCL is installed
AND ucode-intel-20180425-13.20 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
AND Package Information
kernel-firmware-20170530-21.22 is installed
OR ucode-amd-20170530-21.22 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP2-LTSS is installed
AND Package Information
libmysqlclient18-10.0.35-29.20 is installed
OR libmysqlclient18-32bit-10.0.35-29.20 is installed
OR mariadb-10.0.35-29.20 is installed
OR mariadb-client-10.0.35-29.20 is installed
OR mariadb-errormessages-10.0.35-29.20 is installed
OR mariadb-tools-10.0.35-29.20 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
crash-7.1.8-3 is installed
OR crash-kmp-default-7.1.8_k4.4.73_5-3 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP3-LTSS is installed
AND Package Information
kgraft-patch-4_4_143-94_47-default-7-2 is installed
OR kgraft-patch-SLE12-SP3_Update_16-7-2 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND Package Information
libpolkit0-0.113-5.12 is installed
OR polkit-0.113-5.12 is installed
OR typelib-1_0-Polkit-1_0-0.113-5.12 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 12 SP4 is installed
AND libvpx1-1.3.0-3.3 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server 15-LTSS is installed
AND Package Information
java-1_8_0-ibm-1.8.0_sr6.10-3.38 is installed
OR java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38 is installed
OR java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38 is installed
OR java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Server for SAP Applications 15 is installed
AND permissions-20180125-3.27 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Workstation Extension 15 SP1 is installed
AND Package Information
dia-0.97.3-4.3 is installed
OR dia-lang-0.97.3-4.3 is installed
|
| Definition Synopsis |
| SUSE Linux Enterprise Workstation Extension 15 SP2 is installed
AND Package Information
kernel-default-5.3.18-24.29 is installed
OR kernel-default-extra-5.3.18-24.29 is installed
|
| Definition Synopsis |
| SUSE OpenStack Cloud 6 is installed
AND Package Information
openstack-cinder-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-api-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-backup-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-scheduler-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-volume-7.0.2~a0~dev1-1 is installed
OR python-cinder-7.0.2~a0~dev1-1 is installed
|
| Definition Synopsis |
| SUSE OpenStack Cloud 7 is installed
AND Package Information
kernel-default-4.4.121-92.85 is installed
OR kernel-default-base-4.4.121-92.85 is installed
OR kernel-default-devel-4.4.121-92.85 is installed
OR kernel-default-man-4.4.121-92.85 is installed
OR kernel-devel-4.4.121-92.85 is installed
OR kernel-macros-4.4.121-92.85 is installed
OR kernel-source-4.4.121-92.85 is installed
OR kernel-syms-4.4.121-92.85 is installed
OR kgraft-patch-4_4_121-92_85-default-1-3.5 is installed
OR kgraft-patch-SLE12-SP2_Update_23-1-3.5 is installed
|
| Definition Synopsis |
| SUSE OpenStack Cloud Crowbar 8 is installed
AND Package Information
java-1_8_0-openjdk-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-demo-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-devel-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-headless-1.8.0.222-27.35 is installed
|