Oval Definition: oval:org.opensuse.security:def:52470
Revision Date: 2020-12-01
Version: 1
Title: Security update for bind (Moderate)
Description:

This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now stricter with regard to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168).
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524).
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group, has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress the warning message about the missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removed the use of the -r option in the call of /usr/sbin/dnssec-keygen, as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. The option is left in genDDNSkey so as not to break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
Family: unix
Class: patch
Status:
Reference(s):
1058115
1065729
1071995
1085030
1100369
1109160
1118367
1118368
1128220
1130694
1133267
1135824
1148868
1152472
1152489
1153259
1153274
1154353
1154492
1155518
1155784
1155798
1156205
1156395
1157051
1157169
1158050
1158242
1158265
1158696
1158748
1158765
1158983
1159781
1159867
1160947
1161168
1161495
1162002
1162063
1162400
1162702
1164648
1164777
1164780
1165211
1165933
1165975
1166985
1167104
1167651
1167773
1168230
1168779
1168838
1168959
1169021
1169094
1169194
1169514
1169681
1169771
1170011
1170284
1170442
1170617
1170667
1170713
1170774
1170879
1170891
1170895
1171150
1171189
1171191
1171219
1171220
1171246
1171313
1171417
1171513
1171529
1171530
1171662
1171688
1171699
1171732
1171739
1171740
1171743
1171759
1171828
1171857
1171868
1171904
1171915
1171982
1171983
1171988
1172017
1172046
1172061
1172062
1172063
1172064
1172065
1172066
1172067
1172068
1172069
1172073
1172086
1172095
1172169
1172170
1172201
1172208
1172223
1172342
1172343
1172344
1172365
1172366
1172374
1172391
1172393
1172394
1172453
1172458
1172467
1172484
1172537
1172543
1172687
1172719
1172739
1172751
1172759
1172775
1172781
1172782
1172783
1172814
1172823
1172841
1172871
1172938
1172939
1172940
1172956
1172958
1172983
1172984
1172985
1172986
1172987
1172988
1172989
1172990
1172999
1173060
1173068
1173074
1173085
1173139
1173206
1173271
1173280
1173284
1173307
1173311
1173428
1173438
1173461
1173514
1173552
1173573
1173625
1173746
1173776
1173817
1173818
1173820
1173822
1173823
1173824
1173825
1173826
1173827
1173828
1173830
1173831
1173832
1173833
1173834
1173836
1173837
1173838
1173839
1173841
1173843
1173844
1173845
1173847
1173849
1173860
1173894
1173941
1173983
1174018
1174072
1174116
1174126
1174127
1174128
1174129
1174185
1174244
1174263
1174264
1174331
1174332
1174333
1174345
1174356
1174396
1174398
1174407
1174409
1174411
1174438
1174462
1174513
1174527
1174543
1174627
1175443
1176092
1176674
906079
962849
CVE-2009-1273
CVE-2011-0421
CVE-2012-0786
CVE-2012-1162
CVE-2012-1163
CVE-2012-1571
CVE-2013-2062
CVE-2013-2142
CVE-2013-4314
CVE-2014-3564
CVE-2014-3618
CVE-2014-3710
CVE-2014-5044
CVE-2014-8116
CVE-2014-8117
CVE-2015-2331
CVE-2015-5198
CVE-2015-5199
CVE-2015-5200
CVE-2016-5104
CVE-2017-14107
CVE-2017-3136
CVE-2018-18511
CVE-2018-5741
CVE-2018-9275
CVE-2019-11691
CVE-2019-11692
CVE-2019-11693
CVE-2019-11694
CVE-2019-11698
CVE-2019-19462
CVE-2019-19727
CVE-2019-20810
CVE-2019-20812
CVE-2019-5798
CVE-2019-6477
CVE-2019-7317
CVE-2019-9797
CVE-2019-9800
CVE-2019-9815
CVE-2019-9816
CVE-2019-9817
CVE-2019-9818
CVE-2019-9819
CVE-2019-9820
CVE-2020-0305
CVE-2020-10135
CVE-2020-10711
CVE-2020-10732
CVE-2020-10751
CVE-2020-10766
CVE-2020-10767
CVE-2020-10768
CVE-2020-10773
CVE-2020-10781
CVE-2020-12656
CVE-2020-12769
CVE-2020-12771
CVE-2020-12888
CVE-2020-13143
CVE-2020-13974
CVE-2020-14416
CVE-2020-15393
CVE-2020-15780
CVE-2020-8616
CVE-2020-8617
CVE-2020-8618
CVE-2020-8619
CVE-2020-8620
CVE-2020-8621
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
SUSE-SU-2019:1458-1
SUSE-SU-2020:0228-1
SUSE-SU-2020:2105-1
Platform(s):
openSUSE Leap 15.0
openSUSE Leap 15.1
SUSE Linux Enterprise Desktop 11 SP2
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Desktop 12 SP3
SUSE Linux Enterprise Desktop 12 SP4
SUSE Linux Enterprise Module for High Performance Computing 15
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP1-LTSS
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP2-ESPOS
SUSE Linux Enterprise Server 12 SP2-LTSS
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP3-ESPOS
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server 12 SP3-TERADATA
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Workstation Extension 15 SP1
SUSE Linux Enterprise Workstation Extension 15 SP2
SUSE OpenStack Cloud 6
SUSE OpenStack Cloud 7
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
Product(s):
Definition Synopsis
  • openSUSE Leap 15.0 is installed
  • AND Package Information
  • bluez-5.48-lp150.3 is installed
  • OR libbluetooth3-5.48-lp150.3 is installed
  • Definition Synopsis
  • openSUSE Leap 15.1 is installed
  • AND Package Information
  • go1.12-1.12.9-lp151.2.17 is installed
  • OR go1.12-doc-1.12.9-lp151.2.17 is installed
  • OR go1.12-race-1.12.9-lp151.2.17 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 11 SP2 is installed
  • AND Package Information
  • libxslt-1.1.24-19.23 is installed
  • OR libxslt-32bit-1.1.24-19.23 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 11 SP3 is installed
  • AND icedtea-web-1.4.2-0.7 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 is installed
  • AND Package Information
  • cpp48-4.8.3+r212056-6 is installed
  • OR gcc48-4.8.3+r212056-6 is installed
  • OR gcc48-32bit-4.8.3+r212056-6 is installed
  • OR gcc48-c++-4.8.3+r212056-6 is installed
  • OR gcc48-gij-4.8.3+r212056-6 is installed
  • OR gcc48-gij-32bit-4.8.3+r212056-6 is installed
  • OR gcc48-info-4.8.3+r212056-6 is installed
  • OR libasan0-4.8.3+r212056-6 is installed
  • OR libasan0-32bit-4.8.3+r212056-6 is installed
  • OR libatomic1-4.8.3+r212056-6 is installed
  • OR libatomic1-32bit-4.8.3+r212056-6 is installed
  • OR libffi4-4.8.3+r212056-6 is installed
  • OR libffi4-32bit-4.8.3+r212056-6 is installed
  • OR libgcc_s1-4.8.3+r212056-6 is installed
  • OR libgcc_s1-32bit-4.8.3+r212056-6 is installed
  • OR libgcj48-4.8.3+r212056-6 is installed
  • OR libgcj48-32bit-4.8.3+r212056-6 is installed
  • OR libgcj48-jar-4.8.3+r212056-6 is installed
  • OR libgcj_bc1-4.8.3+r212056-6 is installed
  • OR libgfortran3-4.8.3+r212056-6 is installed
  • OR libgomp1-4.8.3+r212056-6 is installed
  • OR libgomp1-32bit-4.8.3+r212056-6 is installed
  • OR libitm1-4.8.3+r212056-6 is installed
  • OR libitm1-32bit-4.8.3+r212056-6 is installed
  • OR libquadmath0-4.8.3+r212056-6 is installed
  • OR libstdc++48-devel-4.8.3+r212056-6 is installed
  • OR libstdc++48-devel-32bit-4.8.3+r212056-6 is installed
  • OR libstdc++6-4.8.3+r212056-6 is installed
  • OR libstdc++6-32bit-4.8.3+r212056-6 is installed
  • OR libtsan0-4.8.3+r212056-6 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP1 is installed
  • AND Package Information
  • gpgme-1.5.1-1 is installed
  • OR libgpgme11-1.5.1-1 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP2 is installed
  • AND Package Information
  • imobiledevice-tools-1.2.0-7 is installed
  • OR libimobiledevice6-1.2.0-7 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP3 is installed
  • AND Package Information
  • file-5.19-9 is installed
  • OR file-magic-5.19-9 is installed
  • OR libmagic1-5.19-9 is installed
  • OR libmagic1-32bit-5.19-9 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP4 is installed
  • AND Package Information
  • libXp6-1.0.2-3 is installed
  • OR libXp6-32bit-1.0.2-3 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for High Performance Computing 15 is installed
  • AND Package Information
  • libpmi0-17.11.13-6.23 is installed
  • OR libslurm32-17.11.13-6.23 is installed
  • OR perl-slurm-17.11.13-6.23 is installed
  • OR slurm-17.11.13-6.23 is installed
  • OR slurm-auth-none-17.11.13-6.23 is installed
  • OR slurm-config-17.11.13-6.23 is installed
  • OR slurm-devel-17.11.13-6.23 is installed
  • OR slurm-doc-17.11.13-6.23 is installed
  • OR slurm-lua-17.11.13-6.23 is installed
  • OR slurm-munge-17.11.13-6.23 is installed
  • OR slurm-node-17.11.13-6.23 is installed
  • OR slurm-pam_slurm-17.11.13-6.23 is installed
  • OR slurm-plugins-17.11.13-6.23 is installed
  • OR slurm-slurmdbd-17.11.13-6.23 is installed
  • OR slurm-sql-17.11.13-6.23 is installed
  • OR slurm-torque-17.11.13-6.23 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2 is installed
  • AND Package Information
  • bind-9.16.6-12.32 is installed
  • OR bind-devel-32bit-9.16.6-12.32 is installed
  • OR libbind9-1600-32bit-9.16.6-12.32 is installed
  • OR libdns1605-32bit-9.16.6-12.32 is installed
  • OR libirs1601-32bit-9.16.6-12.32 is installed
  • OR libisc1606-32bit-9.16.6-12.32 is installed
  • OR libisccc1600-32bit-9.16.6-12.32 is installed
  • OR libisccfg1600-32bit-9.16.6-12.32 is installed
  • OR libns1604-32bit-9.16.6-12.32 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP1 is installed
  • AND libevent-2_0-5-2.0.21-4 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP1-LTSS is installed
  • AND Package Information
  • kernel-default-3.12.74-60.64.48 is installed
  • OR kernel-default-base-3.12.74-60.64.48 is installed
  • OR kernel-default-devel-3.12.74-60.64.48 is installed
  • OR kernel-default-man-3.12.74-60.64.48 is installed
  • OR kernel-devel-3.12.74-60.64.48 is installed
  • OR kernel-macros-3.12.74-60.64.48 is installed
  • OR kernel-source-3.12.74-60.64.48 is installed
  • OR kernel-syms-3.12.74-60.64.48 is installed
  • OR kernel-xen-3.12.74-60.64.48 is installed
  • OR kernel-xen-base-3.12.74-60.64.48 is installed
  • OR kernel-xen-devel-3.12.74-60.64.48 is installed
  • OR kgraft-patch-3_12_74-60_64_48-default-1-2 is installed
  • OR kgraft-patch-3_12_74-60_64_48-xen-1-2 is installed
  • OR kgraft-patch-SLE12-SP1_Update_17-1-2 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2 is installed
  • AND Package Information
  • dbus-1-1.8.22-24.8 is installed
  • OR dbus-1-x11-1.8.22-24.8 is installed
  • OR libdbus-1-3-1.8.22-24.8 is installed
  • OR libdbus-1-3-32bit-1.8.22-24.8 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-BCL is installed
  • AND Package Information
  • strongswan-5.1.3-26.13 is installed
  • OR strongswan-doc-5.1.3-26.13 is installed
  • OR strongswan-hmac-5.1.3-26.13 is installed
  • OR strongswan-ipsec-5.1.3-26.13 is installed
  • OR strongswan-libs0-5.1.3-26.13 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
  • AND Package Information
  • libdcerpc-atsvc0-4.2.4-28.32 is installed
  • OR samba-4.2.4-28.32 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-LTSS is installed
  • AND Package Information
  • kgraft-patch-4_4_74-92_38-default-12-2 is installed
  • OR kgraft-patch-SLE12-SP2_Update_13-12-2 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3 is installed
  • AND Package Information
  • elfutils-0.158-6 is installed
  • OR libasm1-0.158-6 is installed
  • OR libasm1-32bit-0.158-6 is installed
  • OR libdw1-0.158-6 is installed
  • OR libdw1-32bit-0.158-6 is installed
  • OR libebl1-0.158-6 is installed
  • OR libebl1-32bit-0.158-6 is installed
  • OR libelf1-0.158-6 is installed
  • OR libelf1-32bit-0.158-6 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-BCL is installed
  • AND Package Information
  • MozillaFirefox-68.1.0-109.89 is installed
  • OR MozillaFirefox-branding-SLE-68-32.8 is installed
  • OR MozillaFirefox-translations-common-68.1.0-109.89 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
  • AND Package Information
  • glib2-2.48.2-12.15 is installed
  • OR glib2-lang-2.48.2-12.15 is installed
  • OR glib2-tools-2.48.2-12.15 is installed
  • OR libgio-2_0-0-2.48.2-12.15 is installed
  • OR libgio-2_0-0-32bit-2.48.2-12.15 is installed
  • OR libglib-2_0-0-2.48.2-12.15 is installed
  • OR libglib-2_0-0-32bit-2.48.2-12.15 is installed
  • OR libgmodule-2_0-0-2.48.2-12.15 is installed
  • OR libgmodule-2_0-0-32bit-2.48.2-12.15 is installed
  • OR libgobject-2_0-0-2.48.2-12.15 is installed
  • OR libgobject-2_0-0-32bit-2.48.2-12.15 is installed
  • OR libgthread-2_0-0-2.48.2-12.15 is installed
  • OR libgthread-2_0-0-32bit-2.48.2-12.15 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-LTSS is installed
  • AND Package Information
  • kgraft-patch-4_4_178-94_91-default-3-2 is installed
  • OR kgraft-patch-SLE12-SP3_Update_25-3-2 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
  • AND Package Information
  • libtiff5-4.0.9-44.21 is installed
  • OR libtiff5-32bit-4.0.9-44.21 is installed
  • OR tiff-4.0.9-44.21 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP4 is installed
  • AND clamav-0.100.2-33.18 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Workstation Extension 15 SP1 is installed
  • AND Package Information
  • MozillaThunderbird-60.7.0-3.33 is installed
  • OR MozillaThunderbird-translations-common-60.7.0-3.33 is installed
  • OR MozillaThunderbird-translations-other-60.7.0-3.33 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Workstation Extension 15 SP2 is installed
  • AND Package Information
  • kernel-default-5.3.18-24.9 is installed
  • OR kernel-default-extra-5.3.18-24.9 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud 6 is installed
  • AND Package Information
  • git-2.12.3-27.5 is installed
  • OR git-core-2.12.3-27.5 is installed
  • OR git-doc-2.12.3-27.5 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud 7 is installed
  • AND nodejs6-6.14.4-11.18 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud 8 is installed
  • AND slf4j-1.7.12-3.3 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud 9 is installed
  • AND python-Django1-1.11.20-3.3 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud Crowbar 8 is installed
  • AND Package Information
  • evince-3.20.2-6.27 is installed
  • OR evince-browser-plugin-3.20.2-6.27 is installed
  • OR evince-lang-3.20.2-6.27 is installed
  • OR evince-plugin-djvudocument-3.20.2-6.27 is installed
  • OR evince-plugin-dvidocument-3.20.2-6.27 is installed
  • OR evince-plugin-pdfdocument-3.20.2-6.27 is installed
  • OR evince-plugin-psdocument-3.20.2-6.27 is installed
  • OR evince-plugin-tiffdocument-3.20.2-6.27 is installed
  • OR evince-plugin-xpsdocument-3.20.2-6.27 is installed
  • OR libevdocument3-4-3.20.2-6.27 is installed
  • OR libevview3-3-3.20.2-6.27 is installed
  • OR nautilus-evince-3.20.2-6.27 is installed