Oval Definition:oval:org.opensuse.security:def:53697
Revision Date:2020-12-01Version:1
Title:Security update for bind (Moderate)
Description:

This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
Family:unixClass:patch
Status:Reference(s):1003898
1018556
1025950
1025951
1027519
1082858
1087289
1095242
1096224
1097521
1097522
1097523
1098998
1100369
1101410
1101412
1101654
1103040
1106531
1109160
1118367
1118368
1128220
1156205
1157051
1161168
1170667
1170713
1171313
1171740
1172958
1173307
1173311
1173983
1175443
1176092
1176674
904017
906079
958331
963964
963968
963975
974092
979261
979906
CVE-2010-2547
CVE-2011-2483
CVE-2011-3177
CVE-2013-4351
CVE-2013-4402
CVE-2014-0467
CVE-2014-3636
CVE-2014-4617
CVE-2014-7824
CVE-2014-9116
CVE-2014-9474
CVE-2015-1606
CVE-2015-1607
CVE-2015-7542
CVE-2015-8629
CVE-2015-8630
CVE-2015-8631
CVE-2016-4574
CVE-2016-4579
CVE-2017-2626
CVE-2017-3136
CVE-2018-0360
CVE-2018-0361
CVE-2018-1000085
CVE-2018-11806
CVE-2018-12020
CVE-2018-12359
CVE-2018-12360
CVE-2018-12362
CVE-2018-12363
CVE-2018-12364
CVE-2018-12365
CVE-2018-12366
CVE-2018-12368
CVE-2018-12891
CVE-2018-12892
CVE-2018-12893
CVE-2018-14349
CVE-2018-14350
CVE-2018-14351
CVE-2018-14352
CVE-2018-14353
CVE-2018-14354
CVE-2018-14355
CVE-2018-14356
CVE-2018-14357
CVE-2018-14358
CVE-2018-14359
CVE-2018-14360
CVE-2018-14361
CVE-2018-14362
CVE-2018-14363
CVE-2018-14679
CVE-2018-16140
CVE-2018-3665
CVE-2018-5156
CVE-2018-5188
CVE-2018-5741
CVE-2019-6477
CVE-2020-8616
CVE-2020-8617
CVE-2020-8618
CVE-2020-8619
CVE-2020-8620
CVE-2020-8621
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
SUSE-SU-2016:0429-1
SUSE-SU-2016:1510-1
SUSE-SU-2017:0292-1
SUSE-SU-2017:0695-1
SUSE-SU-2018:0072-1
SUSE-SU-2018:2059-1
SUSE-SU-2018:2322-1
SUSE-SU-2018:2323-1
SUSE-SU-2019:1291-1
SUSE-SU-2020:2914-1
Platform(s):openSUSE Leap 15.0
openSUSE Leap 15.1
SUSE Linux Enterprise Desktop 11 SP2
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Desktop 11 SP4
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Desktop 12 SP3
SUSE Linux Enterprise Desktop 12 SP4
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP1-LTSS
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP2-ESPOS
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP3-ESPOS
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server 12 SP3-TERADATA
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server for SAP Applications 15
SUSE Linux Enterprise Workstation Extension 15
SUSE OpenStack Cloud 6
SUSE OpenStack Cloud 6-LTSS
SUSE OpenStack Cloud 7
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
Product(s):
Definition Synopsis
  • openSUSE Leap 15.0 is installed
  • AND Package Information
  • bluez-5.48-lp150.3 is installed
  • OR libbluetooth3-5.48-lp150.3 is installed
    • Definition Synopsis
  • openSUSE Leap 15.1 is installed
  • AND Package Information
  • curl-7.60.0-lp151.5.3 is installed
  • OR curl-mini-7.60.0-lp151.5.3 is installed
  • OR libcurl-devel-7.60.0-lp151.5.3 is installed
  • OR libcurl-devel-32bit-7.60.0-lp151.5.3 is installed
  • OR libcurl-mini-devel-7.60.0-lp151.5.3 is installed
  • OR libcurl4-7.60.0-lp151.5.3 is installed
  • OR libcurl4-32bit-7.60.0-lp151.5.3 is installed
  • OR libcurl4-mini-7.60.0-lp151.5.3 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 11 SP2 is installed
  • AND ruby-1.8.7.p357-0.9.13 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 11 SP3 is installed
  • AND Package Information
  • bind-9.9.6P1-0.12 is installed
  • OR bind-libs-9.9.6P1-0.12 is installed
  • OR bind-libs-32bit-9.9.6P1-0.12 is installed
  • OR bind-utils-9.9.6P1-0.12 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 11 SP4 is installed
  • AND Package Information
  • augeas-0.9.0-3.17 is installed
  • OR libaugeas0-0.9.0-3.17 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 is installed
  • AND Package Information
  • dbus-1-1.8.12-6 is installed
  • OR dbus-1-x11-1.8.12-6 is installed
  • OR libdbus-1-3-1.8.12-6 is installed
  • OR libdbus-1-3-32bit-1.8.12-6 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP1 is installed
  • AND Package Information
  • krb5-1.12.1-25 is installed
  • OR krb5-32bit-1.12.1-25 is installed
  • OR krb5-client-1.12.1-25 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP2 is installed
  • AND Package Information
  • dbus-1-1.8.22-24.2 is installed
  • OR dbus-1-x11-1.8.22-24.2 is installed
  • OR libdbus-1-3-1.8.22-24.2 is installed
  • OR libdbus-1-3-32bit-1.8.22-24.2 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP3 is installed
  • AND yast2-core-3.2.2-1 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP4 is installed
  • AND Package Information
  • gpg2-2.0.24-9.3 is installed
  • OR gpg2-lang-2.0.24-9.3 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP1 is installed
  • AND Package Information
  • DirectFB-1.7.1-4 is installed
  • OR lib++dfb-1_7-1-1.7.1-4 is installed
  • OR libdirectfb-1_7-1-1.7.1-4 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP1-LTSS is installed
  • AND Package Information
  • xen-4.5.5_16-22.28 is installed
  • OR xen-doc-html-4.5.5_16-22.28 is installed
  • OR xen-kmp-default-4.5.5_16_k3.12.74_60.64.57-22.28 is installed
  • OR xen-libs-4.5.5_16-22.28 is installed
  • OR xen-libs-32bit-4.5.5_16-22.28 is installed
  • OR xen-tools-4.5.5_16-22.28 is installed
  • OR xen-tools-domU-4.5.5_16-22.28 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2 is installed
  • AND binutils-2.26.1-9.12 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-BCL is installed
  • AND Package Information
  • xen-4.7.6_04-43.39 is installed
  • OR xen-doc-html-4.7.6_04-43.39 is installed
  • OR xen-libs-4.7.6_04-43.39 is installed
  • OR xen-libs-32bit-4.7.6_04-43.39 is installed
  • OR xen-tools-4.7.6_04-43.39 is installed
  • OR xen-tools-domU-4.7.6_04-43.39 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
  • AND Package Information
  • perl-5.18.2-12.14 is installed
  • OR perl-32bit-5.18.2-12.14 is installed
  • OR perl-base-5.18.2-12.14 is installed
  • OR perl-doc-5.18.2-12.14 is installed
    • Definition Synopsis
  • Release Information
  • SUSE Linux Enterprise Server 12 SP3 is installed
  • AND
  • kernel-default-4.4.180-94.100 is installed
  • OR kernel-default-base-4.4.180-94.100 is installed
  • OR kernel-default-devel-4.4.180-94.100 is installed
  • OR kernel-default-man-4.4.180-94.100 is installed
  • OR kernel-devel-4.4.180-94.100 is installed
  • OR kernel-macros-4.4.180-94.100 is installed
  • OR kernel-source-4.4.180-94.100 is installed
  • OR kernel-syms-4.4.180-94.100 is installed
  • OR kgraft-patch-4_4_180-94_100-default-1-4.3 is installed
  • OR kgraft-patch-SLE12-SP3_Update_27-1-4.3 is installed
  • OR Package Information
  • SUSE Linux Enterprise Server 12 SP3-LTSS is installed
  • AND
  • kernel-default-4.4.180-94.100 is installed
  • OR kernel-default-base-4.4.180-94.100 is installed
  • OR kernel-default-devel-4.4.180-94.100 is installed
  • OR kernel-default-man-4.4.180-94.100 is installed
  • OR kernel-devel-4.4.180-94.100 is installed
  • OR kernel-macros-4.4.180-94.100 is installed
  • OR kernel-source-4.4.180-94.100 is installed
  • OR kernel-syms-4.4.180-94.100 is installed
  • OR kgraft-patch-4_4_180-94_100-default-1-4.3 is installed
  • OR kgraft-patch-SLE12-SP3_Update_27-1-4.3 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3 is installed
  • AND Package Information
  • jakarta-commons-fileupload-1.1.1-120 is installed
  • OR jakarta-commons-fileupload-javadoc-1.1.1-120 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-BCL is installed
  • AND Package Information
  • libopenssl-devel-1.0.2j-60.60 is installed
  • OR libopenssl1_0_0-1.0.2j-60.60 is installed
  • OR libopenssl1_0_0-32bit-1.0.2j-60.60 is installed
  • OR libopenssl1_0_0-hmac-1.0.2j-60.60 is installed
  • OR libopenssl1_0_0-hmac-32bit-1.0.2j-60.60 is installed
  • OR openssl-1.0.2j-60.60 is installed
  • OR openssl-doc-1.0.2j-60.60 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
  • AND binutils-2.32-9.33 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-LTSS is installed
  • AND Package Information
  • kgraft-patch-4_4_176-94_88-default-7-2 is installed
  • OR kgraft-patch-SLE12-SP3_Update_24-7-2 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
  • AND Package Information
  • libgcrypt-1.6.1-16.62 is installed
  • OR libgcrypt20-1.6.1-16.62 is installed
  • OR libgcrypt20-32bit-1.6.1-16.62 is installed
  • OR libgcrypt20-hmac-1.6.1-16.62 is installed
  • OR libgcrypt20-hmac-32bit-1.6.1-16.62 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP4 is installed
  • AND Package Information
  • colord-gtk-lang-0.1.26-6 is installed
  • OR libcolord-gtk1-0.1.26-6 is installed
  • OR libcolord2-1.3.3-12 is installed
  • OR libcolord2-32bit-1.3.3-12 is installed
  • OR libcolorhug2-1.3.3-12 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Server for SAP Applications 15 is installed
  • AND Package Information
  • bind-9.16.6-12.32 is installed
  • OR bind-chrootenv-9.16.6-12.32 is installed
  • OR bind-devel-9.16.6-12.32 is installed
  • OR bind-doc-9.16.6-12.32 is installed
  • OR bind-utils-9.16.6-12.32 is installed
  • OR libbind9-1600-9.16.6-12.32 is installed
  • OR libdns1605-9.16.6-12.32 is installed
  • OR libirs-devel-9.16.6-12.32 is installed
  • OR libirs1601-9.16.6-12.32 is installed
  • OR libisc1606-9.16.6-12.32 is installed
  • OR libisccc1600-9.16.6-12.32 is installed
  • OR libisccfg1600-9.16.6-12.32 is installed
  • OR libns1604-9.16.6-12.32 is installed
  • OR python3-bind-9.16.6-12.32 is installed
  • OR sysuser-shadow-2.0-4.2 is installed
  • OR sysuser-tools-2.0-4.2 is installed
    • Definition Synopsis
  • SUSE Linux Enterprise Workstation Extension 15 is installed
  • AND transfig-3.2.6a-4.3 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud 6 is installed
  • AND Package Information
  • openstack-nova-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-api-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-cells-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-cert-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-compute-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-conductor-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-console-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-consoleauth-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-novncproxy-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-objectstore-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-scheduler-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-serialproxy-12.0.2~a0~dev18-1 is installed
  • OR openstack-nova-vncproxy-12.0.2~a0~dev18-1 is installed
  • OR python-nova-12.0.2~a0~dev18-1 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud 6-LTSS is installed
  • AND python-setuptools-18.0.1-4.8 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud 7 is installed
  • AND Package Information
  • java-1_7_0-openjdk-1.7.0.201-43.18 is installed
  • OR java-1_7_0-openjdk-demo-1.7.0.201-43.18 is installed
  • OR java-1_7_0-openjdk-devel-1.7.0.201-43.18 is installed
  • OR java-1_7_0-openjdk-headless-1.7.0.201-43.18 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud 8 is installed
  • AND Package Information
  • ghostscript-9.27-23.31 is installed
  • OR ghostscript-x11-9.27-23.31 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud Crowbar 8 is installed
  • AND Package Information
  • dnsmasq-2.78-18.6 is installed
  • OR dnsmasq-utils-2.78-18.6 is installed
    • Definition Synopsis
  • SUSE OpenStack Cloud Crowbar 9 is installed
  • AND Package Information
  • mariadb-10.2.25-3.19 is installed
  • OR mariadb-galera-10.2.25-3.19 is installed
    • BACK