OVAL Reference oval:org.opensuse.security:def:53331

Oval Definition:

oval:org.opensuse.security:def:53331

Revision Date:	2020-12-01	Version:	1
Title:	Security update for bind (Moderate)
Description:	This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
Family:	unix	Class:	patch
Status:		Reference(s):	1023895 1037559 1042419 1044084 1049379 1050135 1050707 1052249 1052253 1052261 1052545 1054924 1055219 1055430 1058565 1058622 1058624 1061873 1100369 1109160 1118367 1118368 1128220 1139924 1156205 1157051 1161168 1170667 1170713 1171313 1171740 1172958 1173307 1173311 1173983 1175443 1176092 1176674 906079 909563 910647 910669 952062 980486 994157 CVE-2010-0405 CVE-2010-1163 CVE-2010-1646 CVE-2010-4341 CVE-2011-0010 CVE-2011-1758 CVE-2011-2721 CVE-2011-3627 CVE-2011-3848 CVE-2011-3872 CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 CVE-2012-2337 CVE-2012-3864 CVE-2012-3865 CVE-2012-3866 CVE-2012-3867 CVE-2012-6706 CVE-2013-0219 CVE-2013-0220 CVE-2013-0287 CVE-2013-1775 CVE-2013-1776 CVE-2013-3567 CVE-2013-4761 CVE-2013-4956 CVE-2013-6497 CVE-2014-0172 CVE-2014-0467 CVE-2014-1569 CVE-2014-3248 CVE-2014-3253 CVE-2014-8634 CVE-2014-8635 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 CVE-2014-9050 CVE-2014-9116 CVE-2014-9328 CVE-2014-9447 CVE-2014-9680 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463 CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2305 CVE-2015-2668 CVE-2015-8025 CVE-2016-10198 CVE-2016-10199 CVE-2016-6313 CVE-2016-7530 CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9810 CVE-2017-10689 CVE-2017-11423 CVE-2017-11446 CVE-2017-11534 CVE-2017-12150 CVE-2017-12151 CVE-2017-12163 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380 CVE-2017-12424 CVE-2017-12428 CVE-2017-12431 CVE-2017-12433 CVE-2017-13133 CVE-2017-13139 CVE-2017-15033 CVE-2017-2295 CVE-2017-3136 CVE-2017-5840 CVE-2017-5841 CVE-2017-5845 CVE-2017-6418 CVE-2017-6419 CVE-2017-6420 CVE-2017-8779 CVE-2018-0202 CVE-2018-0360 CVE-2018-0361 CVE-2018-1000085 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682 CVE-2018-15378 CVE-2018-5741 CVE-2019-0199 CVE-2019-6477 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 SUSE-SU-2015:2053-1 SUSE-SU-2016:2345-1 SUSE-SU-2017:1336-1 SUSE-SU-2017:2650-1 SUSE-SU-2017:2947-1 SUSE-SU-2017:2949-1 SUSE-SU-2019:1825-1 SUSE-SU-2020:2914-1
Platform(s):	openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP1 SUSE Linux Enterprise Module for Web Scripting 15 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9	Product(s):
Definition Synopsis
openSUSE Leap 15.0 is installed AND iputils-s20161105-lp150.5 is installed
Definition Synopsis
openSUSE Leap 15.1 is installed AND Package Information kernel-debug-4.12.14-lp151.28.4 is installed OR kernel-debug-base-4.12.14-lp151.28.4 is installed OR kernel-debug-devel-4.12.14-lp151.28.4 is installed OR kernel-default-4.12.14-lp151.28.4 is installed OR kernel-default-base-4.12.14-lp151.28.4 is installed OR kernel-default-devel-4.12.14-lp151.28.4 is installed OR kernel-devel-4.12.14-lp151.28.4 is installed OR kernel-docs-4.12.14-lp151.28.4 is installed OR kernel-docs-html-4.12.14-lp151.28.4 is installed OR kernel-kvmsmall-4.12.14-lp151.28.4 is installed OR kernel-kvmsmall-base-4.12.14-lp151.28.4 is installed OR kernel-kvmsmall-devel-4.12.14-lp151.28.4 is installed OR kernel-macros-4.12.14-lp151.28.4 is installed OR kernel-obs-build-4.12.14-lp151.28.4 is installed OR kernel-obs-qa-4.12.14-lp151.28.4 is installed OR kernel-source-4.12.14-lp151.28.4 is installed OR kernel-source-vanilla-4.12.14-lp151.28.4 is installed OR kernel-syms-4.12.14-lp151.28.4 is installed OR kernel-vanilla-4.12.14-lp151.28.4 is installed OR kernel-vanilla-base-4.12.14-lp151.28.4 is installed OR kernel-vanilla-devel-4.12.14-lp151.28.4 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP2 is installed AND Package Information MozillaFirefox-10.0.7-0.3 is installed OR MozillaFirefox-branding-SLED-7-0.6.7 is installed OR MozillaFirefox-translations-10.0.7-0.3 is installed OR libfreebl3-3.13.6-0.5 is installed OR libfreebl3-32bit-3.13.6-0.5 is installed OR mozilla-nspr-4.9.2-0.6 is installed OR mozilla-nspr-32bit-4.9.2-0.6 is installed OR mozilla-nss-3.13.6-0.5 is installed OR mozilla-nss-32bit-3.13.6-0.5 is installed OR mozilla-nss-tools-3.13.6-0.5 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP3 is installed AND Package Information MozillaFirefox-38.5.0esr-28 is installed OR MozillaFirefox-translations-38.5.0esr-28 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP4 is installed AND Package Information java-1_7_0-openjdk-1.7.0.85-0.11 is installed OR java-1_7_0-openjdk-demo-1.7.0.85-0.11 is installed OR java-1_7_0-openjdk-devel-1.7.0.85-0.11 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 is installed AND Package Information MozillaFirefox-31.4.0esr-20 is installed OR MozillaFirefox-translations-31.4.0esr-20 is installed OR libfreebl3-3.17.3-16 is installed OR libfreebl3-32bit-3.17.3-16 is installed OR libsoftokn3-3.17.3-16 is installed OR libsoftokn3-32bit-3.17.3-16 is installed OR mozilla-nss-3.17.3-16 is installed OR mozilla-nss-32bit-3.17.3-16 is installed OR mozilla-nss-certs-3.17.3-16 is installed OR mozilla-nss-certs-32bit-3.17.3-16 is installed OR mozilla-nss-tools-3.17.3-16 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP1 is installed AND Package Information libgcrypt-1.6.1-16.33 is installed OR libgcrypt20-1.6.1-16.33 is installed OR libgcrypt20-32bit-1.6.1-16.33 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP2 is installed AND sudo-1.8.10p3-6 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP3 is installed AND Package Information elfutils-0.158-6 is installed OR libasm1-0.158-6 is installed OR libdw1-0.158-6 is installed OR libdw1-32bit-0.158-6 is installed OR libebl1-0.158-6 is installed OR libebl1-32bit-0.158-6 is installed OR libelf1-0.158-6 is installed OR libelf1-32bit-0.158-6 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP4 is installed AND clamav-0.100.2-33.18 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Server Applications 15 SP1 is installed AND Package Information bind-9.16.6-12.32 is installed OR bind-chrootenv-9.16.6-12.32 is installed OR bind-doc-9.16.6-12.32 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Web Scripting 15 is installed AND Package Information tomcat-9.0.21-3.27 is installed OR tomcat-admin-webapps-9.0.21-3.27 is installed OR tomcat-el-3_0-api-9.0.21-3.27 is installed OR tomcat-jsp-2_3-api-9.0.21-3.27 is installed OR tomcat-lib-9.0.21-3.27 is installed OR tomcat-servlet-4_0-api-9.0.21-3.27 is installed OR tomcat-webapps-9.0.21-3.27 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1 is installed AND Package Information dbus-1-glib-0.100.2-3 is installed OR dbus-1-glib-32bit-0.100.2-3 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1-LTSS is installed AND Package Information kgraft-patch-3_12_74-60_64_40-default-2-3 is installed OR kgraft-patch-3_12_74-60_64_40-xen-2-3 is installed OR kgraft-patch-SLE12-SP1_Update_15-2-3 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2 is installed AND Package Information libtiff5-4.0.6-26 is installed OR libtiff5-32bit-4.0.6-26 is installed OR tiff-4.0.6-26 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-BCL is installed AND Package Information ntp-4.2.8p13-85 is installed OR ntp-doc-4.2.8p13-85 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed AND Package Information git-2.12.3-27.14 is installed OR git-core-2.12.3-27.14 is installed OR git-doc-2.12.3-27.14 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-LTSS is installed AND Package Information kgraft-patch-4_4_59-92_24-default-9-2 is installed OR kgraft-patch-SLE12-SP2_Update_9-9-2 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3 is installed AND Package Information eog-3.20.4-7 is installed OR eog-lang-3.20.4-7 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-BCL is installed AND Package Information wicked-0.6.60-38.27 is installed OR wicked-service-0.6.60-38.27 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed AND Package Information libssh2-1-1.4.3-20.9 is installed OR libssh2-1-32bit-1.4.3-20.9 is installed OR libssh2_org-1.4.3-20.9 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-LTSS is installed AND Package Information kgraft-patch-4_4_180-94_97-default-3-2 is installed OR kgraft-patch-SLE12-SP3_Update_26-3-2 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed AND Package Information java-1_7_1-ibm-1.7.1_sr4.30-38.26 is installed OR java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26 is installed OR java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26 is installed OR java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP4 is installed AND Package Information DirectFB-1.7.1-6 is installed OR lib++dfb-1_7-1-1.7.1-6 is installed OR libdirectfb-1_7-1-1.7.1-6 is installed
Definition Synopsis
SUSE OpenStack Cloud 6 is installed AND Package Information xen-4.5.5_16-22.28 is installed OR xen-doc-html-4.5.5_16-22.28 is installed OR xen-kmp-default-4.5.5_16_k3.12.74_60.64.57-22.28 is installed OR xen-libs-4.5.5_16-22.28 is installed OR xen-libs-32bit-4.5.5_16-22.28 is installed OR xen-tools-4.5.5_16-22.28 is installed OR xen-tools-domU-4.5.5_16-22.28 is installed
Definition Synopsis
SUSE OpenStack Cloud 7 is installed AND python-XStatic-jquery-ui-1.11.0.1-2.3 is installed
Definition Synopsis
SUSE OpenStack Cloud 8 is installed AND Package Information libgcrypt-1.6.1-16.68 is installed OR libgcrypt20-1.6.1-16.68 is installed OR libgcrypt20-32bit-1.6.1-16.68 is installed OR libgcrypt20-hmac-1.6.1-16.68 is installed OR libgcrypt20-hmac-32bit-1.6.1-16.68 is installed
Definition Synopsis
SUSE OpenStack Cloud Crowbar 8 is installed AND Package Information kernel-default-4.4.180-94.116 is installed OR kernel-default-base-4.4.180-94.116 is installed OR kernel-default-devel-4.4.180-94.116 is installed OR kernel-default-kgraft-4.4.180-94.116 is installed OR kernel-devel-4.4.180-94.116 is installed OR kernel-macros-4.4.180-94.116 is installed OR kernel-source-4.4.180-94.116 is installed OR kernel-syms-4.4.180-94.116 is installed OR kgraft-patch-4_4_180-94_116-default-1-4.3 is installed OR kgraft-patch-SLE12-SP3_Update_31-1-4.3 is installed
Definition Synopsis
SUSE OpenStack Cloud Crowbar 9 is installed AND python-Django1-1.11.23-3.9 is installed

BACK