Revision Date: | 2020-12-01 | Version: | 1 |
Title: | Security update for bind (Moderate) |
Description: |
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now stricter with regard to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain (bsc#1171740).
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure (bsc#1171740).
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168).
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524).
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued; GeoIP2 is now used (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group, has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removed the use of the -r option in the call of /usr/sbin/dnssec-keygen, as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. The option is left in genDDNSkey so as not to break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | 1084929 1100369 1101888 1101889 1109160 1112142 1112143 1112144 1112146 1112147 1112148 1112152 1112153 1118367 1118368 1127532 1128220 1131314 1131553 1133191 1135114 1135280 1136446 1136935 1137595 1137597 1138872 1152308 1154460 1154464 1154804 1154805 1155198 1155205 1155298 1155678 1155819 1156015 1156158 1156205 1157051 1157377 1157888 1158003 1158004 1158005 1158006 1158007 1158763 1160790 1161088 1161089 1161168 1161670 1168630 1168874 1170667 1170713 1171313 1171740 1172021 1172958 1173307 1173311 1173983 1174628 1175443 1176092 1176674 906079 CVE-2017-3136 CVE-2018-13785 CVE-2018-14394 CVE-2018-14395 CVE-2018-16435 CVE-2018-3136 CVE-2018-3139 CVE-2018-3149 CVE-2018-3169 CVE-2018-3180 CVE-2018-3183 CVE-2018-3214 CVE-2018-5741 CVE-2019-11085 CVE-2019-11477 CVE-2019-11478 CVE-2019-11487 CVE-2019-11703 CVE-2019-11704 CVE-2019-11705 CVE-2019-11706 CVE-2019-11707 CVE-2019-11708 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2019-16884 CVE-2019-18422 CVE-2019-18423 CVE-2019-18900 CVE-2019-19577 CVE-2019-19578 CVE-2019-19579 CVE-2019-19580 CVE-2019-19581 CVE-2019-19582 CVE-2019-19583 CVE-2019-19956 CVE-2019-3846 CVE-2019-5068 CVE-2019-5737 CVE-2019-6477 CVE-2020-14344 CVE-2020-14344 CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 SUSE-SU-2019:0058-1 SUSE-SU-2019:0627-1 SUSE-SU-2019:1299-1 SUSE-SU-2019:1683-1 SUSE-SU-2019:2810-1 SUSE-SU-2019:3309-1 SUSE-SU-2020:0087-1 SUSE-SU-2020:0111-1 SUSE-SU-2020:1027-1 SUSE-SU-2020:1532-1 SUSE-SU-2020:2197-1 SUSE-SU-2020:2914-1
|
Platform(s): | SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for additional PackageHub packages 15 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Legacy Software 15 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 SUSE Linux Enterprise Module for Python2 packages 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Web Scripting 15 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9
| Product(s): | |
Definition Synopsis |
SUSE Linux Enterprise Desktop 11 SP3 is installed
AND Package Information
libldap-2_4-2-2.4.26-0.30 is installed
OR libldap-2_4-2-32bit-2.4.26-0.30 is installed
OR openldap2-client-2.4.26-0.30 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 is installed
AND Package Information
libXxf86vm1-1.1.3-3 is installed
OR libXxf86vm1-32bit-1.1.3-3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP1 is installed
AND Package Information
cpp48-4.8.5-24 is installed
OR gcc48-4.8.5-24 is installed
OR gcc48-32bit-4.8.5-24 is installed
OR gcc48-c++-4.8.5-24 is installed
OR gcc48-gij-4.8.5-24 is installed
OR gcc48-gij-32bit-4.8.5-24 is installed
OR gcc48-info-4.8.5-24 is installed
OR libasan0-4.8.5-24 is installed
OR libasan0-32bit-4.8.5-24 is installed
OR libgcj48-4.8.5-24 is installed
OR libgcj48-32bit-4.8.5-24 is installed
OR libgcj48-jar-4.8.5-24 is installed
OR libgcj_bc1-4.8.5-24 is installed
OR libstdc++48-devel-4.8.5-24 is installed
OR libstdc++48-devel-32bit-4.8.5-24 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP2 is installed
AND Package Information
NetworkManager-1.0.12-8 is installed
OR NetworkManager-lang-1.0.12-8 is installed
OR libnm-glib-vpn1-1.0.12-8 is installed
OR libnm-glib4-1.0.12-8 is installed
OR libnm-util2-1.0.12-8 is installed
OR libnm0-1.0.12-8 is installed
OR typelib-1_0-NM-1_0-1.0.12-8 is installed
OR typelib-1_0-NMClient-1_0-1.0.12-8 is installed
OR typelib-1_0-NetworkManager-1_0-1.0.12-8 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP3 is installed
AND Package Information
audiofile-0.3.6-10 is installed
OR libaudiofile1-0.3.6-10 is installed
OR libaudiofile1-32bit-0.3.6-10 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP4 is installed
AND Package Information
avahi-0.6.32-30 is installed
OR avahi-lang-0.6.32-30 is installed
OR libavahi-client3-0.6.32-30 is installed
OR libavahi-client3-32bit-0.6.32-30 is installed
OR libavahi-common3-0.6.32-30 is installed
OR libavahi-common3-32bit-0.6.32-30 is installed
OR libavahi-core7-0.6.32-30 is installed
OR libdns_sd-0.6.32-30 is installed
OR libdns_sd-32bit-0.6.32-30 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for additional PackageHub packages 15 is installed
AND Package Information
ffmpeg-3.4.2-4.17 is installed
OR libavdevice57-3.4.2-4.17 is installed
OR libavfilter6-3.4.2-4.17 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Basesystem 15 SP2 is installed
AND Package Information
bind-9.16.6-12.32 is installed
OR bind-devel-9.16.6-12.32 is installed
OR bind-utils-9.16.6-12.32 is installed
OR libbind9-1600-9.16.6-12.32 is installed
OR libdns1605-9.16.6-12.32 is installed
OR libirs-devel-9.16.6-12.32 is installed
OR libirs1601-9.16.6-12.32 is installed
OR libisc1606-9.16.6-12.32 is installed
OR libisccc1600-9.16.6-12.32 is installed
OR libisccfg1600-9.16.6-12.32 is installed
OR libns1604-9.16.6-12.32 is installed
OR python3-bind-9.16.6-12.32 is installed
OR sysuser-shadow-2.0-4.2 is installed
OR sysuser-tools-2.0-4.2 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Containers 15 SP1 is installed
AND runc-1.0.0~rc8-1.6 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Legacy Software 15 is installed
AND Package Information
java-1_8_0-openjdk-1.8.0.191-3.13 is installed
OR java-1_8_0-openjdk-demo-1.8.0.191-3.13 is installed
OR java-1_8_0-openjdk-devel-1.8.0.191-3.13 is installed
OR java-1_8_0-openjdk-headless-1.8.0.191-3.13 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Live Patching 15 is installed
AND Package Information
kernel-livepatch-4_12_14-25_3-default-10-2 is installed
OR kernel-livepatch-SLE15_Update_1-10-2 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 is installed
AND Package Information
libsolv-0.7.10-3.22 is installed
OR python-solv-0.7.10-3.22 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 is installed
AND Package Information
libX11-1.6.5-3.6 is installed
OR libX11-devel-32bit-1.6.5-3.6 is installed
OR libxcb-1.13-3.5 is installed
OR libxcb-composite0-32bit-1.13-3.5 is installed
OR libxcb-damage0-32bit-1.13-3.5 is installed
OR libxcb-devel-32bit-1.13-3.5 is installed
OR libxcb-dpms0-32bit-1.13-3.5 is installed
OR libxcb-randr0-32bit-1.13-3.5 is installed
OR libxcb-record0-32bit-1.13-3.5 is installed
OR libxcb-res0-32bit-1.13-3.5 is installed
OR libxcb-screensaver0-32bit-1.13-3.5 is installed
OR libxcb-shape0-32bit-1.13-3.5 is installed
OR libxcb-xf86dri0-32bit-1.13-3.5 is installed
OR libxcb-xinerama0-32bit-1.13-3.5 is installed
OR libxcb-xinput0-32bit-1.13-3.5 is installed
OR libxcb-xkb1-32bit-1.13-3.5 is installed
OR libxcb-xtest0-32bit-1.13-3.5 is installed
OR libxcb-xv0-32bit-1.13-3.5 is installed
OR libxcb-xvmc0-32bit-1.13-3.5 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Python2 packages 15 SP1 is installed
AND Package Information
python-libxml2-python-2.9.7-3.22 is installed
OR python2-libxml2-python-2.9.7-3.22 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Server Applications 15 is installed
AND Package Information
xen-4.10.4_08-3.28 is installed
OR xen-devel-4.10.4_08-3.28 is installed
OR xen-tools-4.10.4_08-3.28 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Module for Web Scripting 15 is installed
AND Package Information
nodejs10-10.15.2-1.6 is installed
OR nodejs10-devel-10.15.2-1.6 is installed
OR nodejs10-docs-10.15.2-1.6 is installed
OR npm10-10.15.2-1.6 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP1 is installed
AND Package Information
pam_krb5-2.4.4-4 is installed
OR pam_krb5-32bit-2.4.4-4 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP1-LTSS is installed
AND dnsmasq-2.78-18.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2 is installed
AND apache2-mod_perl-2.0.8-11 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-BCL is installed
AND Package Information
gstreamer-0_10-plugins-base-0.10.36-18.3 is installed
OR gstreamer-0_10-plugins-base-32bit-0.10.36-18.3 is installed
OR libgstapp-0_10-0-32bit-0.10.36-18.3 is installed
OR libgstinterfaces-0_10-0-32bit-0.10.36-18.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
AND Package Information
git-2.12.3-27.14 is installed
OR git-core-2.12.3-27.14 is installed
OR git-doc-2.12.3-27.14 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-LTSS is installed
AND Package Information
java-1_8_0-openjdk-1.8.0.171-27.19 is installed
OR java-1_8_0-openjdk-demo-1.8.0.171-27.19 is installed
OR java-1_8_0-openjdk-devel-1.8.0.171-27.19 is installed
OR java-1_8_0-openjdk-headless-1.8.0.171-27.19 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
augeas-1.2.0-15 is installed
OR augeas-lenses-1.2.0-15 is installed
OR libaugeas0-1.2.0-15 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-BCL is installed
AND Package Information
bzip2-1.0.6-30.8 is installed
OR bzip2-doc-1.0.6-30.8 is installed
OR libbz2-1-1.0.6-30.8 is installed
OR libbz2-1-32bit-1.0.6-30.8 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
AND Package Information
java-1_8_0-openjdk-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-demo-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-devel-1.8.0.222-27.35 is installed
OR java-1_8_0-openjdk-headless-1.8.0.222-27.35 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-LTSS is installed
AND Package Information
perl-5.18.2-12.20 is installed
OR perl-32bit-5.18.2-12.20 is installed
OR perl-base-5.18.2-12.20 is installed
OR perl-doc-5.18.2-12.20 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND Package Information
gvim-7.4.326-17.3 is installed
OR vim-7.4.326-17.3 is installed
OR vim-data-7.4.326-17.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4 is installed
AND Package Information
eog-3.20.4-7 is installed
OR eog-lang-3.20.4-7 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server for SAP Applications 15 is installed
AND Package Information
libX11-1.6.5-3.9 is installed
OR libX11-6-1.6.5-3.9 is installed
OR libX11-6-32bit-1.6.5-3.9 is installed
OR libX11-data-1.6.5-3.9 is installed
OR libX11-devel-1.6.5-3.9 is installed
OR libX11-xcb1-1.6.5-3.9 is installed
OR libX11-xcb1-32bit-1.6.5-3.9 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Workstation Extension 15 SP1 is installed
AND Package Information
MozillaThunderbird-60.7.2-3.43 is installed
OR MozillaThunderbird-translations-common-60.7.2-3.43 is installed
OR MozillaThunderbird-translations-other-60.7.2-3.43 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 6 is installed
AND ruby2.1-rubygem-bundler-1.7.3-3 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 7 is installed
AND python-Django-1.8.19-3.4 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 8 is installed
AND Package Information
glib2-2.48.2-12.15 is installed
OR glib2-lang-2.48.2-12.15 is installed
OR glib2-tools-2.48.2-12.15 is installed
OR libgio-2_0-0-2.48.2-12.15 is installed
OR libgio-2_0-0-32bit-2.48.2-12.15 is installed
OR libglib-2_0-0-2.48.2-12.15 is installed
OR libglib-2_0-0-32bit-2.48.2-12.15 is installed
OR libgmodule-2_0-0-2.48.2-12.15 is installed
OR libgmodule-2_0-0-32bit-2.48.2-12.15 is installed
OR libgobject-2_0-0-2.48.2-12.15 is installed
OR libgobject-2_0-0-32bit-2.48.2-12.15 is installed
OR libgthread-2_0-0-2.48.2-12.15 is installed
OR libgthread-2_0-0-32bit-2.48.2-12.15 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 8 is installed
AND nodejs6-6.14.4-11.18 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 9 is installed
AND nodejs6-6.17.0-11.27 is installed
|