Oval Definition:	oval:org.opensuse.security:def:52229
Revision Date: 2020-12-01 Version: 1 Title: Security update for bind (Moderate) Description: This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. Family: unix Class: patch Status: Reference(s): 1082023 1100369 1109160 1118367 1118368 1128220 1130165 1149792 1156205 1157051 1158785 1158787 1158788 1158789 1158790 1158791 1158792 1158793 1158795 1161168 1170667 1170713 1171313 1171740 1172958 1173307 1173311 1173477 1173983 1173998 1175443 1176092 1176343 1176344 1176345 1176346 1176347 1176348 1176349 1176350 1176674 1178666 1178667 1178668 906079 CVE-2008-4316 CVE-2009-1886 CVE-2009-1888 CVE-2009-2625 CVE-2009-2813 CVE-2009-2906 CVE-2009-2948 CVE-2009-3560 CVE-2009-3720 CVE-2010-0547 CVE-2010-0728 CVE-2010-0787 CVE-2010-0926 CVE-2010-1635 CVE-2010-1642 CVE-2010-2063 CVE-2010-2640 CVE-2010-2641 CVE-2010-2642 CVE-2010-2643 CVE-2010-3069 CVE-2011-0719 CVE-2011-2522 CVE-2011-2694 CVE-2012-0817 CVE-2012-0870 CVE-2012-0876 CVE-2012-1147 CVE-2012-1148 CVE-2012-1182 CVE-2012-2111 CVE-2012-3524 CVE-2012-6150 CVE-2012-6702 CVE-2013-0172 CVE-2013-0213 CVE-2013-0214 CVE-2013-0454 CVE-2013-1863 CVE-2013-1990 CVE-2013-1999 CVE-2013-4124 CVE-2013-4408 CVE-2013-4475 CVE-2013-4476 CVE-2013-4496 CVE-2013-6442 CVE-2014-0178 CVE-2014-0239 CVE-2014-0244 CVE-2014-3493 CVE-2014-3560 CVE-2014-8143 CVE-2014-9622 CVE-2015-0240 CVE-2015-1283 CVE-2016-0718 CVE-2016-5300 CVE-2016-6318 CVE-2016-6354 CVE-2016-9063 CVE-2017-1000083 CVE-2017-18922 CVE-2017-3136 CVE-2017-8779 CVE-2017-9233 CVE-2018-5741 CVE-2019-1348 CVE-2019-1349 CVE-2019-1350 CVE-2019-1351 CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387 CVE-2019-19604 CVE-2019-6477 CVE-2019-9755 CVE-2020-13753 CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599 CVE-2020-25600 CVE-2020-25601 CVE-2020-25603 CVE-2020-25604 CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 SUSE-SU-2019:1001-1 SUSE-SU-2020:0045-1 SUSE-SU-2020:1873-1 SUSE-SU-2020:1990-1 SUSE-SU-2020:2789-1 SUSE-SU-2020:3455-1 Platform(s): openSUSE Leap 15.0 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 Product(s): Definition Synopsis openSUSE Leap 15.0 is installed AND Package Information file-5.32-lp150.5 is installed OR file-magic-5.32-lp150.5 is installed OR libmagic1-5.32-lp150.5 is installed OR libmagic1-32bit-5.32-lp150.5 is installed Definition Synopsis SUSE Linux Enterprise Desktop 11 SP2 is installed AND Package Information MozillaFirefox-17.0.9esr-0.3 is installed OR MozillaFirefox-translations-17.0.9esr-0.3 is installed Definition Synopsis SUSE Linux Enterprise Desktop 11 SP3 is installed AND Package Information xorg-x11-libXrender-7.4-1.16 is installed OR xorg-x11-libXrender-32bit-7.4-1.16 is installed Definition Synopsis SUSE Linux Enterprise Desktop 11 SP4 is installed AND Package Information MozillaFirefox-38.6.1esr-34 is installed OR MozillaFirefox-translations-38.6.1esr-34 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 is installed AND Package Information glib2-lang-2.38.2-5 is installed OR glib2-tools-2.38.2-5 is installed OR libgio-2_0-0-2.38.2-5 is installed OR libgio-2_0-0-32bit-2.38.2-5 is installed OR libgio-fam-2.38.2-5 is installed OR libglib-2_0-0-2.38.2-5 is installed OR libglib-2_0-0-32bit-2.38.2-5 is installed OR libgmodule-2_0-0-2.38.2-5 is installed OR libgmodule-2_0-0-32bit-2.38.2-5 is installed OR libgobject-2_0-0-2.38.2-5 is installed OR libgobject-2_0-0-32bit-2.38.2-5 is installed OR libgthread-2_0-0-2.38.2-5 is installed OR libgthread-2_0-0-32bit-2.38.2-5 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP1 is installed AND Package Information libdcerpc-binding0-4.2.4-4 is installed OR libdcerpc-binding0-32bit-4.2.4-4 is installed OR libdcerpc0-4.2.4-4 is installed OR libdcerpc0-32bit-4.2.4-4 is installed OR libgensec0-4.2.4-4 is installed OR libgensec0-32bit-4.2.4-4 is installed OR libndr-krb5pac0-4.2.4-4 is installed OR libndr-krb5pac0-32bit-4.2.4-4 is installed OR libndr-nbt0-4.2.4-4 is installed OR libndr-nbt0-32bit-4.2.4-4 is installed OR libndr-standard0-4.2.4-4 is installed OR libndr-standard0-32bit-4.2.4-4 is installed OR libndr0-4.2.4-4 is installed OR libndr0-32bit-4.2.4-4 is installed OR libnetapi0-4.2.4-4 is installed OR libnetapi0-32bit-4.2.4-4 is installed OR libregistry0-4.2.4-4 is installed OR libsamba-credentials0-4.2.4-4 is installed OR libsamba-credentials0-32bit-4.2.4-4 is installed OR libsamba-hostconfig0-4.2.4-4 is installed OR libsamba-hostconfig0-32bit-4.2.4-4 is installed OR libsamba-passdb0-4.2.4-4 is installed OR libsamba-passdb0-32bit-4.2.4-4 is installed OR libsamba-util0-4.2.4-4 is installed OR libsamba-util0-32bit-4.2.4-4 is installed OR libsamdb0-4.2.4-4 is installed OR libsamdb0-32bit-4.2.4-4 is installed OR libsmbclient-raw0-4.2.4-4 is installed OR libsmbclient-raw0-32bit-4.2.4-4 is installed OR libsmbclient0-4.2.4-4 is installed OR libsmbclient0-32bit-4.2.4-4 is installed OR libsmbconf0-4.2.4-4 is installed OR libsmbconf0-32bit-4.2.4-4 is installed OR libsmbldap0-4.2.4-4 is installed OR libsmbldap0-32bit-4.2.4-4 is installed OR libtevent-util0-4.2.4-4 is installed OR libtevent-util0-32bit-4.2.4-4 is installed OR libwbclient0-4.2.4-4 is installed OR libwbclient0-32bit-4.2.4-4 is installed OR samba-4.2.4-4 is installed OR samba-32bit-4.2.4-4 is installed OR samba-client-4.2.4-4 is installed OR samba-client-32bit-4.2.4-4 is installed OR samba-doc-4.2.4-4 is installed OR samba-libs-4.2.4-4 is installed OR samba-libs-32bit-4.2.4-4 is installed OR samba-winbind-4.2.4-4 is installed OR samba-winbind-32bit-4.2.4-4 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP2 is installed AND Package Information at-3.1.14-7 is installed OR libQtWebKit4-4.8.6+2.3.3-3 is installed OR libQtWebKit4-32bit-4.8.6+2.3.3-3 is installed OR libbonobo-2.32.1-16 is installed OR libbonobo-32bit-2.32.1-16 is installed OR libbonobo-lang-2.32.1-16 is installed OR libkde4-4.12.0-7 is installed OR libkde4-32bit-4.12.0-7 is installed OR libkdecore4-4.12.0-7 is installed OR libkdecore4-32bit-4.12.0-7 is installed OR libksuseinstall1-4.12.0-7 is installed OR libksuseinstall1-32bit-4.12.0-7 is installed OR libnetpbm11-10.66.3-4 is installed OR libnetpbm11-32bit-10.66.3-4 is installed OR netpbm-10.66.3-4 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP3 is installed AND Package Information libtirpc-netconfig-1.0.1-16 is installed OR libtirpc3-1.0.1-16 is installed OR libtirpc3-32bit-1.0.1-16 is installed Definition Synopsis SUSE Linux Enterprise Desktop 12 SP4 is installed AND Package Information cracklib-2.9.0-7 is installed OR libcrack2-2.9.0-7 is installed OR libcrack2-32bit-2.9.0-7 is installed Definition Synopsis SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1 is installed AND Package Information bind-9.16.6-12.32 is installed OR bind-devel-32bit-9.16.6-12.32 is installed OR libbind9-1600-32bit-9.16.6-12.32 is installed OR libdns1605-32bit-9.16.6-12.32 is installed OR libirs1601-32bit-9.16.6-12.32 is installed OR libisc1606-32bit-9.16.6-12.32 is installed OR libisccc1600-32bit-9.16.6-12.32 is installed OR libisccfg1600-32bit-9.16.6-12.32 is installed OR libns1604-32bit-9.16.6-12.32 is installed OR sysuser-tools-2.0-4.2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP1 is installed AND libarchive13-3.1.2-9 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP1-LTSS is installed AND Package Information kgraft-patch-3_12_74-60_64_57-default-4-2 is installed OR kgraft-patch-3_12_74-60_64_57-xen-4-2 is installed OR kgraft-patch-SLE12-SP1_Update_20-4-2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2 is installed AND libapr1-1.5.1-2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-BCL is installed AND Package Information kernel-firmware-20170530-21.22 is installed OR ucode-amd-20170530-21.22 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-ESPOS is installed AND ucode-intel-20180703-13.25 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP2-LTSS is installed AND Package Information kgraft-patch-4_4_121-92_85-default-2-2 is installed OR kgraft-patch-SLE12-SP2_Update_23-2-2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3 is installed AND binutils-2.26.1-9.12 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3-BCL is installed AND Package Information glib2-2.48.2-12.15 is installed OR glib2-lang-2.48.2-12.15 is installed OR glib2-tools-2.48.2-12.15 is installed OR libgio-2_0-0-2.48.2-12.15 is installed OR libgio-2_0-0-32bit-2.48.2-12.15 is installed OR libglib-2_0-0-2.48.2-12.15 is installed OR libglib-2_0-0-32bit-2.48.2-12.15 is installed OR libgmodule-2_0-0-2.48.2-12.15 is installed OR libgmodule-2_0-0-32bit-2.48.2-12.15 is installed OR libgobject-2_0-0-2.48.2-12.15 is installed OR libgobject-2_0-0-32bit-2.48.2-12.15 is installed OR libgthread-2_0-0-2.48.2-12.15 is installed OR libgthread-2_0-0-32bit-2.48.2-12.15 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3-ESPOS is installed AND Package Information kgraft-patch-4_4_162-94_72-default-7-2 is installed OR kgraft-patch-SLE12-SP3_Update_22-7-2 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3-LTSS is installed AND Package Information bzip2-1.0.6-30.8 is installed OR bzip2-doc-1.0.6-30.8 is installed OR libbz2-1-1.0.6-30.8 is installed OR libbz2-1-32bit-1.0.6-30.8 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP3-TERADATA is installed AND shadow-4.2.1-27.19 is installed Definition Synopsis SUSE Linux Enterprise Server 12 SP4 is installed AND Package Information guile-2.0.9-8 is installed OR guile-modules-2_0-2.0.9-8 is installed OR libguile-2_0-22-2.0.9-8 is installed Definition Synopsis SUSE Linux Enterprise Server 15-LTSS is installed AND Package Information libecpg6-10.15-4.28 is installed OR libpq5-10.15-4.28 is installed OR libpq5-32bit-10.15-4.28 is installed OR postgresql10-10.15-4.28 is installed OR postgresql10-contrib-10.15-4.28 is installed OR postgresql10-devel-10.15-4.28 is installed OR postgresql10-docs-10.15-4.28 is installed OR postgresql10-plperl-10.15-4.28 is installed OR postgresql10-plpython-10.15-4.28 is installed OR postgresql10-pltcl-10.15-4.28 is installed OR postgresql10-server-10.15-4.28 is installed Definition Synopsis SUSE Linux Enterprise Server for SAP Applications 15 is installed AND Package Information libjavascriptcoregtk-4_0-18-2.28.3-3.57 is installed OR libwebkit2gtk-4_0-37-2.28.3-3.57 is installed OR libwebkit2gtk3-lang-2.28.3-3.57 is installed OR webkit2gtk-4_0-injected-bundles-2.28.3-3.57 is installed OR webkit2gtk3-2.28.3-3.57 is installed OR webkit2gtk3-devel-2.28.3-3.57 is installed Definition Synopsis SUSE Linux Enterprise Workstation Extension 15 is installed AND Package Information libntfs-3g87-2016.2.22-3.3 is installed OR ntfs-3g-2016.2.22-3.3 is installed OR ntfs-3g_ntfsprogs-2016.2.22-3.3 is installed OR ntfsprogs-2016.2.22-3.3 is installed Definition Synopsis SUSE Linux Enterprise Workstation Extension 15 SP1 is installed AND Package Information LibVNCServer-0.9.10-4.19 is installed OR libvncclient0-0.9.10-4.19 is installed Definition Synopsis SUSE OpenStack Cloud 6 is installed AND Package Information krb5-1.12.1-38.5 is installed OR krb5-32bit-1.12.1-38.5 is installed OR krb5-client-1.12.1-38.5 is installed OR krb5-doc-1.12.1-38.5 is installed OR krb5-plugin-kdb-ldap-1.12.1-38.5 is installed OR krb5-plugin-preauth-otp-1.12.1-38.5 is installed OR krb5-plugin-preauth-pkinit-1.12.1-38.5 is installed OR krb5-server-1.12.1-38.5 is installed Definition Synopsis SUSE OpenStack Cloud 7 is installed AND Package Information crowbar-4.0+git.1528801103.f5708341-7.20 is installed OR crowbar-core-4.0+git.1534246408.3ab19c567-9.33 is installed OR crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33 is installed OR crowbar-devel-4.0+git.1528801103.f5708341-7.20 is installed OR crowbar-ha-4.0+git.1533750802.5768e73-4.34 is installed OR crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39 is installed OR crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3 is installed Definition Synopsis SUSE OpenStack Cloud 8 is installed AND Package Information libsolv-0.6.36-2.27.19 is installed OR libsolv-tools-0.6.36-2.27.19 is installed OR libzypp-16.20.2-27.60 is installed OR perl-solv-0.6.36-2.27.19 is installed OR python-solv-0.6.36-2.27.19 is installed OR zypper-1.13.54-18.40 is installed OR zypper-log-1.13.54-18.40 is installed Definition Synopsis SUSE OpenStack Cloud 9 is installed AND python-Django1-1.11.20-3.3 is installed Definition Synopsis SUSE OpenStack Cloud Crowbar 8 is installed AND Package Information dnsmasq-2.78-18.6 is installed OR dnsmasq-utils-2.78-18.6 is installed
BACK