Linux Security
    Linux Security
    Linux Security

    openSUSE: 2020:1701-1: moderate: bind

    Date 20 Oct 2020
    139
    Posted By LinuxSecurity Advisories
    An update that solves 12 vulnerabilities and has 8 fixes is now available.
       openSUSE Security Update: Security update for bind
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2020:1701-1
    Rating:             moderate
    References:         #1100369 #1109160 #1118367 #1118368 #1128220 
                        #1156205 #1157051 #1161168 #1170667 #1170713 
                        #1171313 #1171740 #1172958 #1173307 #1173311 
                        #1173983 #1175443 #1176092 #1176674 #906079 
                        
    Cross-References:   CVE-2017-3136 CVE-2018-5741 CVE-2019-6477
                        CVE-2020-8616 CVE-2020-8617 CVE-2020-8618
                        CVE-2020-8619 CVE-2020-8620 CVE-2020-8621
                        CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
                       
    Affected Products:
                        openSUSE Leap 15.1
    ______________________________________________________________________________
    
       An update that solves 12 vulnerabilities and has 8 fixes is
       now available.
    
    Description:
    
       This update for bind fixes the following issues:
    
       BIND was upgraded to version 9.16.6:
    
       Note:
    
       - bind is now more strict in regards to DNSSEC. If queries are not
         working, check for DNSSEC issues. For instance, if bind is used in a
         namserver forwarder chain, the forwarding DNS servers must support
         DNSSEC.
    
       Fixing security issues:
    
       - CVE-2020-8616: Further limit the number of queries that can be triggered
         from a request.  Root and TLD servers are no longer exempt from
         max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
         Address records are limited to 4 for any domain.
       - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could
         trigger an assertion failure. (bsc#1171740)
       - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
         the tcp-clients limit (bsc#1157051).
       - CVE-2018-5741: Fixed the documentation (bsc#1109160).
       - CVE-2020-8618: It was possible to trigger an INSIST when determining
         whether a record would fit into a TCP message buffer (bsc#1172958).
       - CVE-2020-8619: It was possible to trigger an INSIST in
         lib/dns/rbtdb.c:new_reference() with a particular zone content and query
         patterns (bsc#1172958).
       - CVE-2020-8624: "update-policy" rules of type "subdomain" were
         incorrectly treated as "zonesub" rules, which allowed keys used in
         "subdomain" rules to update names outside
         of the specified subdomains. The problem was fixed by making sure
          "subdomain" rules are again processed as described in the ARM
          (bsc#1175443).
       - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
         was possible to trigger an assertion failure in code determining the
         number of bits in the PKCS#11 RSA public key with a specially crafted
         packet (bsc#1175443).
       - CVE-2020-8621: named could crash in certain query resolution scenarios
         where QNAME minimization and forwarding were both enabled (bsc#1175443).
       - CVE-2020-8620: It was possible to trigger an assertion failure by
         sending a specially crafted large TCP DNS message (bsc#1175443).
       - CVE-2020-8622: It was possible to trigger an assertion failure when
         verifying the response to a TSIG-signed request (bsc#1175443).
    
       Other issues fixed:
    
       - Add engine support to OpenSSL EdDSA implementation.
       - Add engine support to OpenSSL ECDSA implementation.
       - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
       - Warn about AXFR streams with inconsistent message IDs.
       - Make ISC rwlock implementation the default again.
       - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
       - Installed the default files in /var/lib/named and created chroot
         environment on systems using transactional-updates (bsc#1100369,
         fate#325524)
       - Fixed an issue where bind was not working in FIPS mode (bsc#906079).
       - Fixed dependency issues (bsc#1118367 and bsc#1118368).
       - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
       - Fixed an issue with FIPS (bsc#1128220).
       - The liblwres library is discontinued upstream and is no longer included.
       - Added service dependency on NTP to make sure the clock is accurate when
         bind is starts (bsc#1170667, bsc#1170713).
       - Reject DS records at the zone apex when loading master files. Log but
         otherwise ignore attempts to add DS records at the zone apex via UPDATE.
       - The default value of "max-stale-ttl" has been changed from 1 week to 12
         hours.
       - Zone timers are now exported via statistics channel.
       - The "primary" and "secondary" keywords, when used as parameters for
         "check-names", were not processed correctly and were being ignored.
       - 'rndc dnstap -roll ' did not limit the number of saved files to
         .
       - Add 'rndc dnssec -status' command.
       - Addressed a couple of situations where named could crash.
       - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that
         named, being a/the only member of the "named" group has full r/w access
         yet cannot change directories owned by root in the case of a compromized
         named. [bsc#1173307, bind-chrootenv.conf]
       - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in
         /etc/sysconfig/named to suppress warning message re missing file
         (bsc#1173983).
       - Removed "-r /dev/urandom" from all invocations of rndc-confgen
         (init/named system/lwresd.init system/named.init in vendor-files) as
         this option is deprecated and causes rndc-confgen to fail. (bsc#1173311,
         bsc#1176674, bsc#1170713)
       - /usr/bin/genDDNSkey: Removing the use of the -r option in the call
         of /usr/sbin/dnssec-keygen as BIND now uses the random number functions
          provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as
          a source of randomness rather than /dev/random. Therefore the -r
          command line option no longer has any effect on dnssec-keygen. Leaving
          the option in genDDNSkey as to not break compatibility. Patch provided
          by Stefan Eisenwiener. [bsc#1171313]
       - Put libns into a separate subpackage to avoid file conflicts in the
         libisc subpackage due to different sonums (bsc#1176092).
       - Require /sbin/start_daemon: both init scripts, the one used in systemd
         context as well as legacy sysv, make use of start_daemon.
    
       This update was imported from the SUSE:SLE-15:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.1:
    
          zypper in -t patch openSUSE-2020-1701=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.1 (i586 x86_64):
    
          bind-9.16.6-lp151.11.9.1
          bind-chrootenv-9.16.6-lp151.11.9.1
          bind-debuginfo-9.16.6-lp151.11.9.1
          bind-debugsource-9.16.6-lp151.11.9.1
          bind-devel-9.16.6-lp151.11.9.1
          bind-utils-9.16.6-lp151.11.9.1
          bind-utils-debuginfo-9.16.6-lp151.11.9.1
          libbind9-1600-9.16.6-lp151.11.9.1
          libbind9-1600-debuginfo-9.16.6-lp151.11.9.1
          libdns1605-9.16.6-lp151.11.9.1
          libdns1605-debuginfo-9.16.6-lp151.11.9.1
          libirs-devel-9.16.6-lp151.11.9.1
          libirs1601-9.16.6-lp151.11.9.1
          libirs1601-debuginfo-9.16.6-lp151.11.9.1
          libisc1606-9.16.6-lp151.11.9.1
          libisc1606-debuginfo-9.16.6-lp151.11.9.1
          libisccc1600-9.16.6-lp151.11.9.1
          libisccc1600-debuginfo-9.16.6-lp151.11.9.1
          libisccfg1600-9.16.6-lp151.11.9.1
          libisccfg1600-debuginfo-9.16.6-lp151.11.9.1
          libns1604-9.16.6-lp151.11.9.1
          libns1604-debuginfo-9.16.6-lp151.11.9.1
          libuv-debugsource-1.18.0-lp151.3.3.1
          libuv-devel-1.18.0-lp151.3.3.1
          libuv1-1.18.0-lp151.3.3.1
          libuv1-debuginfo-1.18.0-lp151.3.3.1
    
       - openSUSE Leap 15.1 (x86_64):
    
          bind-devel-32bit-9.16.6-lp151.11.9.1
          libbind9-1600-32bit-9.16.6-lp151.11.9.1
          libbind9-1600-32bit-debuginfo-9.16.6-lp151.11.9.1
          libdns1605-32bit-9.16.6-lp151.11.9.1
          libdns1605-32bit-debuginfo-9.16.6-lp151.11.9.1
          libirs1601-32bit-9.16.6-lp151.11.9.1
          libirs1601-32bit-debuginfo-9.16.6-lp151.11.9.1
          libisc1606-32bit-9.16.6-lp151.11.9.1
          libisc1606-32bit-debuginfo-9.16.6-lp151.11.9.1
          libisccc1600-32bit-9.16.6-lp151.11.9.1
          libisccc1600-32bit-debuginfo-9.16.6-lp151.11.9.1
          libisccfg1600-32bit-9.16.6-lp151.11.9.1
          libisccfg1600-32bit-debuginfo-9.16.6-lp151.11.9.1
          libns1604-32bit-9.16.6-lp151.11.9.1
          libns1604-32bit-debuginfo-9.16.6-lp151.11.9.1
          libuv1-32bit-1.18.0-lp151.3.3.1
          libuv1-32bit-debuginfo-1.18.0-lp151.3.3.1
    
       - openSUSE Leap 15.1 (noarch):
    
          bind-doc-9.16.6-lp151.11.9.1
          python3-bind-9.16.6-lp151.11.9.1
          sysuser-shadow-2.0-lp151.4.3.1
          sysuser-tools-2.0-lp151.4.3.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2017-3136.html
       https://www.suse.com/security/cve/CVE-2018-5741.html
       https://www.suse.com/security/cve/CVE-2019-6477.html
       https://www.suse.com/security/cve/CVE-2020-8616.html
       https://www.suse.com/security/cve/CVE-2020-8617.html
       https://www.suse.com/security/cve/CVE-2020-8618.html
       https://www.suse.com/security/cve/CVE-2020-8619.html
       https://www.suse.com/security/cve/CVE-2020-8620.html
       https://www.suse.com/security/cve/CVE-2020-8621.html
       https://www.suse.com/security/cve/CVE-2020-8622.html
       https://www.suse.com/security/cve/CVE-2020-8623.html
       https://www.suse.com/security/cve/CVE-2020-8624.html
       https://bugzilla.suse.com/1100369
       https://bugzilla.suse.com/1109160
       https://bugzilla.suse.com/1118367
       https://bugzilla.suse.com/1118368
       https://bugzilla.suse.com/1128220
       https://bugzilla.suse.com/1156205
       https://bugzilla.suse.com/1157051
       https://bugzilla.suse.com/1161168
       https://bugzilla.suse.com/1170667
       https://bugzilla.suse.com/1170713
       https://bugzilla.suse.com/1171313
       https://bugzilla.suse.com/1171740
       https://bugzilla.suse.com/1172958
       https://bugzilla.suse.com/1173307
       https://bugzilla.suse.com/1173311
       https://bugzilla.suse.com/1173983
       https://bugzilla.suse.com/1175443
       https://bugzilla.suse.com/1176092
       https://bugzilla.suse.com/1176674
       https://bugzilla.suse.com/906079
    
    -- 
    

    Advisories

    LinuxSecurity Poll

    How long have you been using Linux?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 4 answer(s).
    /main-polls/46-how-long-have-you-been-using-linux?task=poll.vote&format=json
    46
    radio
    [{"id":"160","title":"Just made the switch!","votes":"3","type":"x","order":"1","pct":9.68,"resources":[]},{"id":"161","title":"1-5 years","votes":"5","type":"x","order":"2","pct":16.13,"resources":[]},{"id":"162","title":"6-10 years","votes":"1","type":"x","order":"3","pct":3.23,"resources":[]},{"id":"163","title":">10 years - I'm a veteran!","votes":"22","type":"x","order":"4","pct":70.97,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.