OVAL Reference oval:org.opensuse.security:def:5522

Oval Definition:

oval:org.opensuse.security:def:5522

Revision Date:	2020-12-02	Version:	1
Title:	Security update for bind (Moderate)
Description:	This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.
Family:	unix	Class:	patch
Status:		Reference(s):	1051510 1058115 1065600 1100369 1109160 1118367 1118368 1128220 1131277 1156205 1157051 1160947 1161168 1161360 1163524 1166965 1170232 1170415 1170667 1170713 1171313 1171417 1171740 1172073 1172366 1172958 1173115 1173233 1173307 1173311 1173983 1175306 1175443 1175721 1175749 1175882 1176011 1176092 1176235 1176278 1176381 1176423 1176482 1176485 1176674 1176698 1176721 1176722 1176723 1176725 1176732 1176877 1176907 1176922 1176990 1177027 1177086 1177121 1177165 1177206 1177226 1177410 1177411 1177470 1177511 1177513 1177724 1177725 1177766 1178003 1178123 1178330 1178393 1178622 1178765 1178782 1178838 906079 CVE-2006-2607 CVE-2009-0790 CVE-2010-0424 CVE-2011-1946 CVE-2011-3172 CVE-2011-3200 CVE-2012-0247 CVE-2012-0248 CVE-2012-1185 CVE-2012-1186 CVE-2012-2388 CVE-2012-2451 CVE-2013-0157 CVE-2013-1988 CVE-2013-2126 CVE-2013-2127 CVE-2013-2944 CVE-2013-4758 CVE-2013-5018 CVE-2013-6075 CVE-2013-6076 CVE-2013-6370 CVE-2013-6371 CVE-2013-6418 CVE-2013-6435 CVE-2014-1932 CVE-2014-2338 CVE-2014-3634 CVE-2014-3683 CVE-2014-8118 CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 CVE-2014-9114 CVE-2014-9221 CVE-2014-9805 CVE-2014-9806 CVE-2014-9807 CVE-2014-9808 CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9812 CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9816 CVE-2014-9817 CVE-2014-9818 CVE-2014-9819 CVE-2014-9820 CVE-2014-9821 CVE-2014-9822 CVE-2014-9823 CVE-2014-9824 CVE-2014-9825 CVE-2014-9826 CVE-2014-9828 CVE-2014-9829 CVE-2014-9830 CVE-2014-9831 CVE-2014-9832 CVE-2014-9833 CVE-2014-9834 CVE-2014-9835 CVE-2014-9836 CVE-2014-9837 CVE-2014-9838 CVE-2014-9839 CVE-2014-9840 CVE-2014-9841 CVE-2014-9842 CVE-2014-9843 CVE-2014-9844 CVE-2014-9845 CVE-2014-9846 CVE-2014-9847 CVE-2014-9848 CVE-2014-9849 CVE-2014-9850 CVE-2014-9851 CVE-2014-9852 CVE-2014-9853 CVE-2014-9854 CVE-2015-4171 CVE-2015-5218 CVE-2015-8894 CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2015-8900 CVE-2015-8901 CVE-2015-8902 CVE-2015-8903 CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718 CVE-2016-4562 CVE-2016-4563 CVE-2016-4564 CVE-2016-5010 CVE-2016-5011 CVE-2016-5118 CVE-2016-5687 CVE-2016-5688 CVE-2016-5689 CVE-2016-5690 CVE-2016-5691 CVE-2016-5841 CVE-2016-5842 CVE-2016-6491 CVE-2016-6520 CVE-2017-3136 CVE-2018-5741 CVE-2019-6477 CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431 CVE-2020-0432 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381 CVE-2020-14390 CVE-2020-16120 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-27673 CVE-2020-27675 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 CVE-2020-8694 SUSE-SU-2020:2914-1 SUSE-SU-2020:3532-1
Platform(s):	openSUSE 13.1 openSUSE 13.1 NonFree SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise for SAP 12 SUSE Linux Enterprise for SAP 12 SP1 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Module for Public Cloud 12 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Real Time Extension 12 SP1 SUSE Linux Enterprise Server 11 SP1-LTSS SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP2-LTSS SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for VMWare 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Workstation Extension 12 SP1 SUSE Linux Enterprise Workstation Extension 12 SP2 SUSE OpenStack Cloud 5	Product(s):
Definition Synopsis
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 is installed AND Package Information openstack-neutron-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-dhcp-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-ha-tool-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-l3-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-lbaas-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-linuxbridge-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-metadata-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-metering-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-openvswitch-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-neutron-vpn-agent-2014.2.4~a0~dev103-10.3 is installed OR openstack-nova-2014.2.4~a0~dev80-14.1 is installed OR openstack-nova-compute-2014.2.4~a0~dev80-14.1 is installed OR python-neutron-2014.2.4~a0~dev103-10.3 is installed OR python-nova-2014.2.4~a0~dev80-14.1 is installed OR python-python-memcached-1.54-2.1 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP4 is installed AND Package Information compat-openssl097g-0.9.7g-146.22.36.1 is installed OR compat-openssl097g-32bit-0.9.7g-146.22.36.1 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP1 is installed AND perl-Config-IniFiles-2.82-3 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP2 is installed AND Package Information ImageMagick-6.8.8.1-33 is installed OR libMagick++-6_Q16-3-6.8.8.1-33 is installed OR libMagickCore-6_Q16-1-6.8.8.1-33 is installed OR libMagickCore-6_Q16-1-32bit-6.8.8.1-33 is installed OR libMagickWand-6_Q16-1-6.8.8.1-33 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP3 is installed AND Package Information alsa-1.0.27.2-15 is installed OR libasound2-1.0.27.2-15 is installed OR libasound2-32bit-1.0.27.2-15 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP4 is installed AND Package Information augeas-1.2.0-17.3 is installed OR augeas-lenses-1.2.0-17.3 is installed OR libaugeas0-1.2.0-17.3 is installed
Definition Synopsis
SUSE Linux Enterprise for SAP 12 is installed AND Package Information openssh-6.6p1-52.1 is installed OR openssh-askpass-gnome-6.6p1-52.1 is installed OR openssh-fips-6.6p1-52.1 is installed OR openssh-helpers-6.6p1-52.1 is installed
Definition Synopsis
SUSE Linux Enterprise for SAP 12 SP1 is installed AND Package Information openvpn-2.3.8-16.17.1 is installed OR openvpn-auth-pam-plugin-2.3.8-16.17.1 is installed
Definition Synopsis
SUSE Linux Enterprise High Performance Computing 12 SP5 is installed AND Package Information bind-9.11.2-3.10 is installed OR bind-chrootenv-9.11.2-3.10 is installed OR bind-doc-9.11.2-3.10 is installed OR bind-utils-9.11.2-3.10 is installed OR libbind9-160-9.11.2-3.10 is installed OR libdns169-9.11.2-3.10 is installed OR libirs160-9.11.2-3.10 is installed OR libisc166-9.11.2-3.10 is installed OR libisc166-32bit-9.11.2-3.10 is installed OR libisccc160-9.11.2-3.10 is installed OR libisccfg160-9.11.2-3.10 is installed OR liblwres160-9.11.2-3.10 is installed OR python-bind-9.11.2-3.10 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Containers 12 is installed AND docker-1.8.3-49 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Legacy Software 12 is installed AND Package Information libopenssl0_9_8-0.9.8j-59 is installed OR libopenssl0_9_8-32bit-0.9.8j-59 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Public Cloud 12 is installed AND Package Information kernel-ec2-3.12.39-47.1 is installed OR kernel-ec2-devel-3.12.39-47.1 is installed OR kernel-ec2-extra-3.12.39-47.1 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Web Scripting 12 is installed AND python3-3.4.1-2 is installed
Definition Synopsis
SUSE Linux Enterprise Point of Sale 11 SP3 is installed AND Package Information openssh-6.2p2-0.33.2 is installed OR openssh-askpass-6.2p2-0.33.2 is installed OR openssh-askpass-gnome-6.2p2-0.33.5 is installed
Definition Synopsis
SUSE Linux Enterprise Real Time Extension 12 SP1 is installed AND Package Information kernel-compute-3.12.69-60.30.1 is installed OR kernel-compute-base-3.12.69-60.30.1 is installed OR kernel-compute-devel-3.12.69-60.30.1 is installed OR kernel-compute_debug-3.12.69-60.30.1 is installed OR kernel-compute_debug-devel-3.12.69-60.30.1 is installed OR kernel-devel-rt-3.12.69-60.30.1 is installed OR kernel-rt-3.12.69-60.30.1 is installed OR kernel-rt-base-3.12.69-60.30.1 is installed OR kernel-rt-devel-3.12.69-60.30.1 is installed OR kernel-rt_debug-3.12.69-60.30.1 is installed OR kernel-rt_debug-devel-3.12.69-60.30.1 is installed OR kernel-source-rt-3.12.69-60.30.1 is installed OR kernel-syms-rt-3.12.69-60.30.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP1-LTSS is installed AND Package Information libecpg6-9.1.9-0.3.1 is installed OR libpq5-9.1.9-0.3.1 is installed OR libpq5-32bit-9.1.9-0.3.1 is installed OR postgresql91-9.1.9-0.3.1 is installed OR postgresql91-contrib-9.1.9-0.3.1 is installed OR postgresql91-docs-9.1.9-0.3.1 is installed OR postgresql91-server-9.1.9-0.3.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP2 is installed AND LibVNCServer-0.9.1-154.24 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP2-LTSS is installed AND Package Information bind-9.9.6P1-0.33.1 is installed OR bind-chrootenv-9.9.6P1-0.33.1 is installed OR bind-devel-9.9.6P1-0.33.1 is installed OR bind-doc-9.9.6P1-0.33.1 is installed OR bind-libs-9.9.6P1-0.33.1 is installed OR bind-libs-32bit-9.9.6P1-0.33.1 is installed OR bind-utils-9.9.6P1-0.33.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP3 is installed AND aaa_base-11-6.90.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 11 SP4 is installed AND amavisd-new-2.7.0-18.7.1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 is installed AND ant-1.9.4-1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1 is installed AND Package Information accountsservice-0.6.35-3 is installed OR accountsservice-lang-0.6.35-3 is installed OR libaccountsservice0-0.6.35-3 is installed OR typelib-1_0-AccountsService-1_0-0.6.35-3 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2 is installed AND Package Information apache2-2.4.23-14 is installed OR apache2-doc-2.4.23-14 is installed OR apache2-example-pages-2.4.23-14 is installed OR apache2-prefork-2.4.23-14 is installed OR apache2-utils-2.4.23-14 is installed OR apache2-worker-2.4.23-14 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3 is installed AND python-requests-2.8.1-6.16 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP4 is installed AND Package Information apache2-mod_apparmor-2.8.2-49 is installed OR apparmor-docs-2.8.2-49 is installed OR apparmor-parser-2.8.2-49 is installed OR apparmor-profiles-2.8.2-49 is installed OR apparmor-utils-2.8.2-49 is installed OR libapparmor1-2.8.2-49 is installed OR libapparmor1-32bit-2.8.2-49 is installed OR pam_apparmor-2.8.2-49 is installed OR pam_apparmor-32bit-2.8.2-49 is installed OR perl-apparmor-2.8.2-49 is installed
Definition Synopsis
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 is installed AND Package Information DirectFB-1.7.1-6 is installed OR lib++dfb-1_7-1-1.7.1-6 is installed OR libdirectfb-1_7-1-1.7.1-6 is installed
Definition Synopsis
SUSE Linux Enterprise Server for SAP Applications 12 SP1 is installed AND Package Information kgraft-patch-3_12_69-60_64_32-default-6-2 is installed OR kgraft-patch-3_12_69-60_64_32-xen-6-2 is installed OR kgraft-patch-SLE12-SP1_Update_13-6-2 is installed
Definition Synopsis
SUSE Linux Enterprise Server for SAP Applications 15 is installed AND Package Information bind-9.16.6-12.32 is installed OR bind-chrootenv-9.16.6-12.32 is installed OR bind-devel-9.16.6-12.32 is installed OR bind-doc-9.16.6-12.32 is installed OR bind-utils-9.16.6-12.32 is installed OR libbind9-1600-9.16.6-12.32 is installed OR libdns1605-9.16.6-12.32 is installed OR libirs-devel-9.16.6-12.32 is installed OR libirs1601-9.16.6-12.32 is installed OR libisc1606-9.16.6-12.32 is installed OR libisccc1600-9.16.6-12.32 is installed OR libisccfg1600-9.16.6-12.32 is installed OR libns1604-9.16.6-12.32 is installed OR python3-bind-9.16.6-12.32 is installed OR sysuser-shadow-2.0-4.2 is installed OR sysuser-tools-2.0-4.2 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 11 SP2 is installed AND Package Information freetype2-devel-2.3.7-25.32.1 is installed OR freetype2-devel-32bit-2.3.7-25.32.1 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 11 SP4 is installed AND Package Information libapr1-1.3.3-11.18.19.8 is installed OR libapr1-devel-1.3.3-11.18.19.8 is installed OR libapr1-devel-32bit-1.3.3-11.18.19.8 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 is installed AND Package Information bash-devel-4.2-75 is installed OR readline-devel-6.2-75 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP1 is installed AND Package Information FastCGI-2.4.0-167 is installed OR perl-FastCGI-2.4.0-167 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP3 is installed AND libxerces-c-devel-3.1.1-12 is installed
Definition Synopsis
SUSE Linux Enterprise Software Development Kit 12 SP4 is installed AND Package Information avahi-compat-howl-devel-0.6.32-30 is installed OR avahi-compat-mDNSResponder-devel-0.6.32-30 is installed OR libavahi-devel-0.6.32-30 is installed OR libhowl0-0.6.32-30 is installed OR python-avahi-0.6.32-30 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 12 is installed AND raptor-2.0.10-3 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 12 SP1 is installed AND bogofilter-1.2.4-3 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 12 SP2 is installed AND Package Information NetworkManager-1.0.12-8 is installed OR NetworkManager-lang-1.0.12-8 is installed OR typelib-1_0-NM-1_0-1.0.12-8 is installed

BACK