Revision Date: | 2020-12-01 | Version: | 1 |
Title: | Security update for bind (Moderate) |
Description: |
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now stricter with regard to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168).
- Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524).
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey so as not to break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | 1000189 1000287 1000304 1000776 1001419 1001486 1002165 1003079 1003153 1003400 1003568 1003866 1003925 1003964 1004252 1004462 1004517 1004520 1005666 1006691 1007615 1007886 1028301 1033783 1046853 1046858 1047964 1047965 1049255 1049344 1049621 1084850 1100369 1109160 1118367 1118368 1128220 1156205 1157051 1161168 1170667 1170713 1171313 1171550 1171740 1172958 1173307 1173311 1173983 1175443 1176092 1176674 744692 772786 789311 857397 860441 865545 866130 868923 874131 876463 898675 904489 906079 909994 911687 912460 915183 921338 921784 922064 922634 924381 924384 930399 931454 931978 934067 937086 937888 940545 941420 946309 955446 956514 959463 960317 961257 962846 966864 967640 970943 971975 971989 974406 974620 975596 975772 976195 977687 978094 979451 979928 982783 983619 984194 984419 984779 984992 985562 986445 987192 987333 987542 987565 987621 987805 988440 988617 988715 989152 989953 990245 991247 991608 991665 992244 992555 992591 992593 992712 993392 993841 993890 993891 994296 994438 994520 994748 995153 995968 996664 997059 997299 997708 997896 998689 998795 998825 999577 999584 999600 999779 999907 999932 CVE-2006-4484 CVE-2012-2396 CVE-2012-4453 CVE-2013-1989 CVE-2013-2066 CVE-2014-8767 CVE-2014-8768 CVE-2014-8769 CVE-2014-9140 CVE-2014-9721 CVE-2015-0261 CVE-2015-2153 CVE-2015-2154 CVE-2015-2155 CVE-2015-3138 CVE-2015-8459 CVE-2015-8460 CVE-2015-8634 CVE-2015-8635 CVE-2015-8636 CVE-2015-8638 CVE-2015-8639 CVE-2015-8640 CVE-2015-8641 CVE-2015-8642 CVE-2015-8643 CVE-2015-8644 CVE-2015-8645 CVE-2015-8646 CVE-2015-8647 CVE-2015-8648 CVE-2015-8649 CVE-2015-8650 CVE-2015-8651 CVE-2015-8956 CVE-2016-5407 CVE-2016-5696 CVE-2016-6130 CVE-2016-6327 CVE-2016-6480 CVE-2016-6828 CVE-2016-7042 CVE-2016-7097 CVE-2016-7425 CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 
CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2016-8637 CVE-2016-8658 CVE-2016-8666 CVE-2017-0381 CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-11406 CVE-2017-11407 CVE-2017-11408 CVE-2017-11410 CVE-2017-11411 CVE-2017-3136 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486 CVE-2017-6508 CVE-2017-7467 CVE-2018-5741 CVE-2018-7999 CVE-2019-6477 CVE-2020-13249 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 SUSE-SU-2015:1510-1 SUSE-SU-2015:2401-1 SUSE-SU-2016:2912-1 SUSE-SU-2017:0800-1 SUSE-SU-2017:1092-1 SUSE-SU-2017:2033-1 SUSE-SU-2017:2075-1 SUSE-SU-2018:0858-1 SUSE-SU-2020:1423-1 SUSE-SU-2020:2914-1
|
Platform(s): | openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Desktop 11 SP2 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9
| Product(s): | |
Definition Synopsis |
openSUSE Leap 15.0 is installed
AND Package Information
ImageMagick-7.0.7.29-lp150.1 is installed
OR libMagick++-7_Q16HDRI4-7.0.7.29-lp150.1 is installed
OR libMagickCore-7_Q16HDRI6-7.0.7.29-lp150.1 is installed
OR libMagickWand-7_Q16HDRI6-7.0.7.29-lp150.1 is installed
|
Definition Synopsis |
openSUSE Leap 15.1 is installed
AND Package Information
update-test-32bit-pkg-5.1-lp151.12 is installed
OR update-test-affects-package-manager-5.1-lp151.12 is installed
OR update-test-broken-5.1-lp151.12 is installed
OR update-test-feature-5.1-lp151.12 is installed
OR update-test-interactive-5.1-lp151.12 is installed
OR update-test-optional-5.1-lp151.12 is installed
OR update-test-reboot-needed-5.1-lp151.12 is installed
OR update-test-relogin-suggested-5.1-lp151.12 is installed
OR update-test-security-5.1-lp151.12 is installed
OR update-test-trivial-5.1-lp151.12 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 11 SP2 is installed
AND Package Information
openssh-5.1p1-41.57 is installed
OR openssh-askpass-5.1p1-41.57 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 11 SP3 is installed
AND Package Information
MozillaFirefox-24.5.0esr-0.8 is installed
OR MozillaFirefox-branding-SLED-24-0.7 is installed
OR MozillaFirefox-translations-24.5.0esr-0.8 is installed
OR libfreebl3-3.16-0.8 is installed
OR libfreebl3-32bit-3.16-0.8 is installed
OR libsoftokn3-3.16-0.8 is installed
OR libsoftokn3-32bit-3.16-0.8 is installed
OR mozilla-nspr-4.10.4-0.3 is installed
OR mozilla-nspr-32bit-4.10.4-0.3 is installed
OR mozilla-nss-3.16-0.8 is installed
OR mozilla-nss-32bit-3.16-0.8 is installed
OR mozilla-nss-tools-3.16-0.8 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 11 SP4 is installed
AND Package Information
libopenssl0_9_8-0.9.8j-0.80 is installed
OR libopenssl0_9_8-32bit-0.9.8j-0.80 is installed
OR openssl-0.9.8j-0.80 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 is installed
AND Package Information
libzmq3-4.0.4-13 is installed
OR zeromq-4.0.4-13 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP1 is installed
AND Package Information
flash-player-11.2.202.559-117 is installed
OR flash-player-gnome-11.2.202.559-117 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP2 is installed
AND wget-1.14-20 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP3 is installed
AND libopus0-1.1-3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Desktop 12 SP4 is installed
AND dracut-044.1-9 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP1 is installed
AND Package Information
dbus-1-glib-0.100.2-3 is installed
OR dbus-1-glib-32bit-0.100.2-3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP1-LTSS is installed
AND Package Information
evince-3.10.3-2.3 is installed
OR evince-lang-3.10.3-2.3 is installed
OR libevdocument3-4-3.10.3-2.3 is installed
OR libevview3-3-3.10.3-2.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2 is installed
AND libXfont1-1.5.1-10 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-BCL is installed
AND Package Information
kernel-default-4.4.121-92.73 is installed
OR kernel-default-base-4.4.121-92.73 is installed
OR kernel-default-devel-4.4.121-92.73 is installed
OR kernel-devel-4.4.121-92.73 is installed
OR kernel-macros-4.4.121-92.73 is installed
OR kernel-source-4.4.121-92.73 is installed
OR kernel-syms-4.4.121-92.73 is installed
OR kgraft-patch-4_4_121-92_73-default-1-3.3 is installed
OR kgraft-patch-SLE12-SP2_Update_21-1-3.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
AND Package Information
dbus-1-1.8.22-24.19 is installed
OR dbus-1-x11-1.8.22-24.19 is installed
OR libdbus-1-3-1.8.22-24.19 is installed
OR libdbus-1-3-32bit-1.8.22-24.19 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-LTSS is installed
AND Package Information
MozillaFirefox-52.9.0esr-109.38 is installed
OR MozillaFirefox-devel-52.9.0esr-109.38 is installed
OR MozillaFirefox-translations-52.9.0esr-109.38 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
gnutls-3.3.27-1 is installed
OR libgnutls-openssl27-3.3.27-1 is installed
OR libgnutls28-3.3.27-1 is installed
OR libgnutls28-32bit-3.3.27-1 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-BCL is installed
AND Package Information
ghostscript-9.27-23.28 is installed
OR ghostscript-x11-9.27-23.28 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
AND Package Information
java-1_7_1-ibm-1.7.1_sr4.50-38.41 is installed
OR java-1_7_1-ibm-alsa-1.7.1_sr4.50-38.41 is installed
OR java-1_7_1-ibm-jdbc-1.7.1_sr4.50-38.41 is installed
OR java-1_7_1-ibm-plugin-1.7.1_sr4.50-38.41 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-LTSS is installed
AND Package Information
libsolv-0.6.36-2.16 is installed
OR libsolv-tools-0.6.36-2.16 is installed
OR libzypp-16.20.0-2.39 is installed
OR perl-solv-0.6.36-2.16 is installed
OR python-solv-0.6.36-2.16 is installed
OR zypper-1.13.51-21.26 is installed
OR zypper-log-1.13.51-21.26 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND Package Information
cups-filters-1.0.58-19.2 is installed
OR cups-filters-cups-browsed-1.0.58-19.2 is installed
OR cups-filters-foomatic-rip-1.0.58-19.2 is installed
OR cups-filters-ghostscript-1.0.58-19.2 is installed
OR libqpdf18-7.1.1-3.3 is installed
OR qpdf-7.1.1-3.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4 is installed
AND Package Information
libgraphite2-3-1.3.1-10.3 is installed
OR libgraphite2-3-32bit-1.3.1-10.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 15-LTSS is installed
AND Package Information
bind-9.16.6-12.32 is installed
OR bind-chrootenv-9.16.6-12.32 is installed
OR bind-devel-9.16.6-12.32 is installed
OR bind-doc-9.16.6-12.32 is installed
OR bind-utils-9.16.6-12.32 is installed
OR libbind9-1600-9.16.6-12.32 is installed
OR libdns1605-9.16.6-12.32 is installed
OR libirs-devel-9.16.6-12.32 is installed
OR libirs1601-9.16.6-12.32 is installed
OR libisc1606-9.16.6-12.32 is installed
OR libisccc1600-9.16.6-12.32 is installed
OR libisccfg1600-9.16.6-12.32 is installed
OR libns1604-9.16.6-12.32 is installed
OR python3-bind-9.16.6-12.32 is installed
OR sysuser-shadow-2.0-4.2 is installed
OR sysuser-tools-2.0-4.2 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server for SAP Applications 15 is installed
AND Package Information
libmariadb-devel-3.1.8-3.18 is installed
OR libmariadb3-3.1.8-3.18 is installed
OR libmariadb_plugins-3.1.8-3.18 is installed
OR libmariadbprivate-3.1.8-3.18 is installed
OR mariadb-connector-c-3.1.8-3.18 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 6 is installed
AND Package Information
openstack-cinder-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-api-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-backup-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-scheduler-7.0.2~a0~dev1-1 is installed
OR openstack-cinder-volume-7.0.2~a0~dev1-1 is installed
OR python-cinder-7.0.2~a0~dev1-1 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 7 is installed
AND Package Information
ImageMagick-6.8.8.1-71.108 is installed
OR ImageMagick-config-6-SUSE-6.8.8.1-71.108 is installed
OR ImageMagick-config-6-upstream-6.8.8.1-71.108 is installed
OR libMagickCore-6_Q16-1-6.8.8.1-71.108 is installed
OR libMagickWand-6_Q16-1-6.8.8.1-71.108 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 8 is installed
AND Package Information
pdns-4.1.2-3.3 is installed
OR pdns-backend-mysql-4.1.2-3.3 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 8 is installed
AND Package Information
libsystemd0-228-150.82 is installed
OR libsystemd0-32bit-228-150.82 is installed
OR libudev-devel-228-150.82 is installed
OR libudev1-228-150.82 is installed
OR libudev1-32bit-228-150.82 is installed
OR systemd-228-150.82 is installed
OR systemd-32bit-228-150.82 is installed
OR systemd-bash-completion-228-150.82 is installed
OR systemd-sysvinit-228-150.82 is installed
OR udev-228-150.82 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 9 is installed
AND python-Django1-1.11.20-3.6 is installed
|