openSUSE: 2020:1699-1: moderate: bind
Description
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now more strict in regards to DNSSEC. If queries are not
working, check for DNSSEC issues. For instance, if bind is used in a
nameserver forwarder chain, the forwarding DNS servers must support
DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered
from a request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address records
are limited to 4 for any domain (bsc#1171740).
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content and query
patterns (bsc#1172958).
- CVE-2020-8624: "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed keys used in
"subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by making sure
"subdomain" rules are again processed as described in the ARM
(bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
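The difference between the "subdomain" and "zonesub" rule types behind CVE-2020-8624, as an added Python example (not BIND code and not part of the advisory): it models only the name-matching step of an update-policy grant and lists which logged dynamic updates were accepted solely because a "subdomain" rule was treated as "zonesub". The zone, key names, rules and update records are constructed sample data; the rule-type definitions follow the BIND ARM.

```python
# Added illustration of the CVE-2020-8624 matching semantics; not BIND source.
# Simplified: models only the name check of an update-policy grant
# (no record-type or identity-wildcard handling).

def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, parent):
    """True if name equals parent or lies beneath it (compared label by label)."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def grant_matches(rule_type, rule_name, zone, updated, buggy=False):
    """Would this grant rule accept an update to `updated`?"""
    if not is_subdomain(updated, zone):
        return False                      # names outside the zone never match
    if rule_type == "zonesub" or (buggy and rule_type == "subdomain"):
        return True                       # any name inside the zone
    if rule_type == "subdomain":
        return is_subdomain(updated, rule_name)
    raise ValueError(f"rule type not modelled: {rule_type}")

# Constructed sample data (hypothetical zone, keys and update log).
ZONE = "example.com"
RULES = [("ddns-web", "subdomain", "web.example.com"),
         ("ddns-admin", "zonesub", None)]
UPDATES = [("ddns-web", "host1.web.example.com"),
           ("ddns-web", "mail.example.com"),
           ("ddns-web", "example.com"),
           ("ddns-admin", "mail.example.com"),
           ("ddns-web", "web.example.net")]

def allowed(key, name, buggy):
    """True if any grant rule for this key accepts the updated name."""
    return any(k == key and grant_matches(t, rn, ZONE, name, buggy)
               for k, t, rn in RULES)

def exposed_updates(updates):
    """Updates accepted by the flawed matching but rejected by the fixed one."""
    return [(k, n) for k, n in updates
            if allowed(k, n, buggy=True) and not allowed(k, n, buggy=False)]

if __name__ == "__main__":
    for key, name in exposed_updates(UPDATES):
        print(f"review: key {key} updated {name} outside its subdomain")
```

Records flagged this way are the ones to compare against the zone's expected contents after the update is installed.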
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created chroot
environment on systems using transactional-updates (bsc#1100369,
fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when
bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but
otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of "max-stale-ttl" has been changed from 1 week to 12
hours.
- Zone timers are now exported via statistics channel.
- The "primary" and "secondary" keywords, when used as parameters for
"check-names", were not processed correctly and were being ignored.
- 'rndc dnstap -roll
Patch
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1699=1
Package List
- openSUSE Leap 15.2 (i586 x86_64):
  bind-9.16.6-lp152.14.3.1
  bind-chrootenv-9.16.6-lp152.14.3.1
  bind-debuginfo-9.16.6-lp152.14.3.1
  bind-debugsource-9.16.6-lp152.14.3.1
  bind-devel-9.16.6-lp152.14.3.1
  bind-utils-9.16.6-lp152.14.3.1
  bind-utils-debuginfo-9.16.6-lp152.14.3.1
  libbind9-1600-9.16.6-lp152.14.3.1
  libbind9-1600-debuginfo-9.16.6-lp152.14.3.1
  libdns1605-9.16.6-lp152.14.3.1
  libdns1605-debuginfo-9.16.6-lp152.14.3.1
  libirs-devel-9.16.6-lp152.14.3.1
  libirs1601-9.16.6-lp152.14.3.1
  libirs1601-debuginfo-9.16.6-lp152.14.3.1
  libisc1606-9.16.6-lp152.14.3.1
  libisc1606-debuginfo-9.16.6-lp152.14.3.1
  libisccc1600-9.16.6-lp152.14.3.1
  libisccc1600-debuginfo-9.16.6-lp152.14.3.1
  libisccfg1600-9.16.6-lp152.14.3.1
  libisccfg1600-debuginfo-9.16.6-lp152.14.3.1
  libns1604-9.16.6-lp152.14.3.1
  libns1604-debuginfo-9.16.6-lp152.14.3.1
  libuv-debugsource-1.18.0-lp152.4.3.1
  libuv-devel-1.18.0-lp152.4.3.1
  libuv1-1.18.0-lp152.4.3.1
  libuv1-debuginfo-1.18.0-lp152.4.3.1
- openSUSE Leap 15.2 (noarch):
  bind-doc-9.16.6-lp152.14.3.1
  python3-bind-9.16.6-lp152.14.3.1
  sysuser-shadow-2.0-lp152.5.3.1
  sysuser-tools-2.0-lp152.5.3.1
- openSUSE Leap 15.2 (x86_64):
  bind-devel-32bit-9.16.6-lp152.14.3.1
  libbind9-1600-32bit-9.16.6-lp152.14.3.1
  libbind9-1600-32bit-debuginfo-9.16.6-lp152.14.3.1
  libdns1605-32bit-9.16.6-lp152.14.3.1
  libdns1605-32bit-debuginfo-9.16.6-lp152.14.3.1
  libirs1601-32bit-9.16.6-lp152.14.3.1
  libirs1601-32bit-debuginfo-9.16.6-lp152.14.3.1
  libisc1606-32bit-9.16.6-lp152.14.3.1
  libisc1606-32bit-debuginfo-9.16.6-lp152.14.3.1
  libisccc1600-32bit-9.16.6-lp152.14.3.1
  libisccc1600-32bit-debuginfo-9.16.6-lp152.14.3.1
  libisccfg1600-32bit-9.16.6-lp152.14.3.1
  libisccfg1600-32bit-debuginfo-9.16.6-lp152.14.3.1
  libns1604-32bit-9.16.6-lp152.14.3.1
  libns1604-32bit-debuginfo-9.16.6-lp152.14.3.1
  libuv1-32bit-1.18.0-lp152.4.3.1
  libuv1-32bit-debuginfo-1.18.0-lp152.4.3.1
References
- https://www.suse.com/security/cve/CVE-2017-3136.html
- https://www.suse.com/security/cve/CVE-2018-5741.html
- https://www.suse.com/security/cve/CVE-2019-6477.html
- https://www.suse.com/security/cve/CVE-2020-8616.html
- https://www.suse.com/security/cve/CVE-2020-8617.html
- https://www.suse.com/security/cve/CVE-2020-8618.html
- https://www.suse.com/security/cve/CVE-2020-8619.html
- https://www.suse.com/security/cve/CVE-2020-8620.html
- https://www.suse.com/security/cve/CVE-2020-8621.html
- https://www.suse.com/security/cve/CVE-2020-8622.html
- https://www.suse.com/security/cve/CVE-2020-8623.html
- https://www.suse.com/security/cve/CVE-2020-8624.html
- https://bugzilla.suse.com/1100369
- https://bugzilla.suse.com/1109160
- https://bugzilla.suse.com/1118367
- https://bugzilla.suse.com/1118368
- https://bugzilla.suse.com/1128220
- https://bugzilla.suse.com/1156205
- https://bugzilla.suse.com/1157051
- https://bugzilla.suse.com/1161168
- https://bugzilla.suse.com/1170667
- https://bugzilla.suse.com/1170713
- https://bugzilla.suse.com/1171313
- https://bugzilla.suse.com/1171740
- https://bugzilla.suse.com/1172958
- https://bugzilla.suse.com/1173307
- https://bugzilla.suse.com/1173311
- https://bugzilla.suse.com/1173983
- https://bugzilla.suse.com/1175443
- https://bugzilla.suse.com/1176092
- https://bugzilla.suse.com/1176674
- https://bugzilla.suse.com/906079