openSUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1699-1
Rating:             moderate
References:         #1100369 #1109160 #1118367 #1118368 #1128220 
                    #1156205 #1157051 #1161168 #1170667 #1170713 
                    #1171313 #1171740 #1172958 #1173307 #1173311 
                    #1173983 #1175443 #1176092 #1176674 #906079 
                    
Cross-References:   CVE-2017-3136 CVE-2018-5741 CVE-2019-6477
                    CVE-2020-8616 CVE-2020-8617 CVE-2020-8618
                    CVE-2020-8619 CVE-2020-8620 CVE-2020-8621
                    CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
                   
Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 8 fixes is
   now available.

Description:

   This update for bind fixes the following issues:

   BIND was upgraded to version 9.16.6:

   Note:

   - bind is now more strict in regards to DNSSEC. If queries are not
     working, check for DNSSEC issues. For instance, if bind is used in a
     namserver forwarder chain, the forwarding DNS servers must support
     DNSSEC.

   Fixing security issues:

   - CVE-2020-8616: Further limit the number of queries that can be triggered
     from a request.  Root and TLD servers are no longer exempt from
     max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
     Address records are limited to 4 for any domain.
   - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could
     trigger an assertion failure. (bsc#1171740)
   - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
     the tcp-clients limit (bsc#1157051).
   - CVE-2018-5741: Fixed the documentation (bsc#1109160).
   - CVE-2020-8618: It was possible to trigger an INSIST when determining
     whether a record would fit into a TCP message buffer (bsc#1172958).
   - CVE-2020-8619: It was possible to trigger an INSIST in
     lib/dns/rbtdb.c:new_reference() with a particular zone content and query
     patterns (bsc#1172958).
   - CVE-2020-8624: "update-policy" rules of type "subdomain" were
     incorrectly treated as "zonesub" rules, which allowed keys used in
     "subdomain" rules to update names outside
     of the specified subdomains. The problem was fixed by making sure
      "subdomain" rules are again processed as described in the ARM
      (bsc#1175443).
   - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
     was possible to trigger an assertion failure in code determining the
     number of bits in the PKCS#11 RSA public key with a specially crafted
     packet (bsc#1175443).
   - CVE-2020-8621: named could crash in certain query resolution scenarios
     where QNAME minimization and forwarding were both enabled (bsc#1175443).
   - CVE-2020-8620: It was possible to trigger an assertion failure by
     sending a specially crafted large TCP DNS message (bsc#1175443).
   - CVE-2020-8622: It was possible to trigger an assertion failure when
     verifying the response to a TSIG-signed request (bsc#1175443).

   Other issues fixed:

   - Add engine support to OpenSSL EdDSA implementation.
   - Add engine support to OpenSSL ECDSA implementation.
   - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
   - Warn about AXFR streams with inconsistent message IDs.
   - Make ISC rwlock implementation the default again.
   - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
   - Installed the default files in /var/lib/named and created chroot
     environment on systems using transactional-updates (bsc#1100369,
     fate#325524)
   - Fixed an issue where bind was not working in FIPS mode (bsc#906079).
   - Fixed dependency issues (bsc#1118367 and bsc#1118368).
   - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
   - Fixed an issue with FIPS (bsc#1128220).
   - The liblwres library is discontinued upstream and is no longer included.
   - Added service dependency on NTP to make sure the clock is accurate when
     bind is starts (bsc#1170667, bsc#1170713).
   - Reject DS records at the zone apex when loading master files. Log but
     otherwise ignore attempts to add DS records at the zone apex via UPDATE.
   - The default value of "max-stale-ttl" has been changed from 1 week to 12
     hours.
   - Zone timers are now exported via statistics channel.
   - The "primary" and "secondary" keywords, when used as parameters for
     "check-names", were not processed correctly and were being ignored.
   - 'rndc dnstap -roll ' did not limit the number of saved files to
     .
   - Add 'rndc dnssec -status' command.
   - Addressed a couple of situations where named could crash.
   - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that
     named, being a/the only member of the "named" group has full r/w access
     yet cannot change directories owned by root in the case of a compromized
     named. [bsc#1173307, bind-chrootenv.conf]
   - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in
     /etc/sysconfig/named to suppress warning message re missing file
     (bsc#1173983).
   - Removed "-r /dev/urandom" from all invocations of rndc-confgen
     (init/named system/lwresd.init system/named.init in vendor-files) as
     this option is deprecated and causes rndc-confgen to fail. (bsc#1173311,
     bsc#1176674, bsc#1170713)
   - /usr/bin/genDDNSkey: Removing the use of the -r option in the call
     of /usr/sbin/dnssec-keygen as BIND now uses the random number functions
      provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as
      a source of randomness rather than /dev/random. Therefore the -r
      command line option no longer has any effect on dnssec-keygen. Leaving
      the option in genDDNSkey as to not break compatibility. Patch provided
      by Stefan Eisenwiener. [bsc#1171313]
   - Put libns into a separate subpackage to avoid file conflicts in the
     libisc subpackage due to different sonums (bsc#1176092).
   - Require /sbin/start_daemon: both init scripts, the one used in systemd
     context as well as legacy sysv, make use of start_daemon.

   This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2020-1699=1



Package List:

   - openSUSE Leap 15.2 (i586 x86_64):

      bind-9.16.6-lp152.14.3.1
      bind-chrootenv-9.16.6-lp152.14.3.1
      bind-debuginfo-9.16.6-lp152.14.3.1
      bind-debugsource-9.16.6-lp152.14.3.1
      bind-devel-9.16.6-lp152.14.3.1
      bind-utils-9.16.6-lp152.14.3.1
      bind-utils-debuginfo-9.16.6-lp152.14.3.1
      libbind9-1600-9.16.6-lp152.14.3.1
      libbind9-1600-debuginfo-9.16.6-lp152.14.3.1
      libdns1605-9.16.6-lp152.14.3.1
      libdns1605-debuginfo-9.16.6-lp152.14.3.1
      libirs-devel-9.16.6-lp152.14.3.1
      libirs1601-9.16.6-lp152.14.3.1
      libirs1601-debuginfo-9.16.6-lp152.14.3.1
      libisc1606-9.16.6-lp152.14.3.1
      libisc1606-debuginfo-9.16.6-lp152.14.3.1
      libisccc1600-9.16.6-lp152.14.3.1
      libisccc1600-debuginfo-9.16.6-lp152.14.3.1
      libisccfg1600-9.16.6-lp152.14.3.1
      libisccfg1600-debuginfo-9.16.6-lp152.14.3.1
      libns1604-9.16.6-lp152.14.3.1
      libns1604-debuginfo-9.16.6-lp152.14.3.1
      libuv-debugsource-1.18.0-lp152.4.3.1
      libuv-devel-1.18.0-lp152.4.3.1
      libuv1-1.18.0-lp152.4.3.1
      libuv1-debuginfo-1.18.0-lp152.4.3.1

   - openSUSE Leap 15.2 (noarch):

      bind-doc-9.16.6-lp152.14.3.1
      python3-bind-9.16.6-lp152.14.3.1
      sysuser-shadow-2.0-lp152.5.3.1
      sysuser-tools-2.0-lp152.5.3.1

   - openSUSE Leap 15.2 (x86_64):

      bind-devel-32bit-9.16.6-lp152.14.3.1
      libbind9-1600-32bit-9.16.6-lp152.14.3.1
      libbind9-1600-32bit-debuginfo-9.16.6-lp152.14.3.1
      libdns1605-32bit-9.16.6-lp152.14.3.1
      libdns1605-32bit-debuginfo-9.16.6-lp152.14.3.1
      libirs1601-32bit-9.16.6-lp152.14.3.1
      libirs1601-32bit-debuginfo-9.16.6-lp152.14.3.1
      libisc1606-32bit-9.16.6-lp152.14.3.1
      libisc1606-32bit-debuginfo-9.16.6-lp152.14.3.1
      libisccc1600-32bit-9.16.6-lp152.14.3.1
      libisccc1600-32bit-debuginfo-9.16.6-lp152.14.3.1
      libisccfg1600-32bit-9.16.6-lp152.14.3.1
      libisccfg1600-32bit-debuginfo-9.16.6-lp152.14.3.1
      libns1604-32bit-9.16.6-lp152.14.3.1
      libns1604-32bit-debuginfo-9.16.6-lp152.14.3.1
      libuv1-32bit-1.18.0-lp152.4.3.1
      libuv1-32bit-debuginfo-1.18.0-lp152.4.3.1


References:

   https://www.suse.com/security/cve/CVE-2017-3136.html
   https://www.suse.com/security/cve/CVE-2018-5741.html
   https://www.suse.com/security/cve/CVE-2019-6477.html
   https://www.suse.com/security/cve/CVE-2020-8616.html
   https://www.suse.com/security/cve/CVE-2020-8617.html
   https://www.suse.com/security/cve/CVE-2020-8618.html
   https://www.suse.com/security/cve/CVE-2020-8619.html
   https://www.suse.com/security/cve/CVE-2020-8620.html
   https://www.suse.com/security/cve/CVE-2020-8621.html
   https://www.suse.com/security/cve/CVE-2020-8622.html
   https://www.suse.com/security/cve/CVE-2020-8623.html
   https://www.suse.com/security/cve/CVE-2020-8624.html
   https://bugzilla.suse.com/1100369
   https://bugzilla.suse.com/1109160
   https://bugzilla.suse.com/1118367
   https://bugzilla.suse.com/1118368
   https://bugzilla.suse.com/1128220
   https://bugzilla.suse.com/1156205
   https://bugzilla.suse.com/1157051
   https://bugzilla.suse.com/1161168
   https://bugzilla.suse.com/1170667
   https://bugzilla.suse.com/1170713
   https://bugzilla.suse.com/1171313
   https://bugzilla.suse.com/1171740
   https://bugzilla.suse.com/1172958
   https://bugzilla.suse.com/1173307
   https://bugzilla.suse.com/1173311
   https://bugzilla.suse.com/1173983
   https://bugzilla.suse.com/1175443
   https://bugzilla.suse.com/1176092
   https://bugzilla.suse.com/1176674
   https://bugzilla.suse.com/906079

--

openSUSE: 2020:1699-1: moderate: bind

October 19, 2020
An update that solves 12 vulnerabilities and has 8 fixes is now available.

Description

This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: "update-policy" rules of type "subdomain" were incorrectly treated as "zonesub" rules, which allowed keys used in "subdomain" rules to update names outside of the specified subdomains. The problem was fixed by making sure "subdomain" rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of "max-stale-ttl" has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The "primary" and "secondary" keywords, when used as parameters for "check-names", were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the "named" group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed "-r /dev/urandom" from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. This update was imported from the SUSE:SLE-15:Update update project.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1699=1


Package List

- openSUSE Leap 15.2 (i586 x86_64): bind-9.16.6-lp152.14.3.1 bind-chrootenv-9.16.6-lp152.14.3.1 bind-debuginfo-9.16.6-lp152.14.3.1 bind-debugsource-9.16.6-lp152.14.3.1 bind-devel-9.16.6-lp152.14.3.1 bind-utils-9.16.6-lp152.14.3.1 bind-utils-debuginfo-9.16.6-lp152.14.3.1 libbind9-1600-9.16.6-lp152.14.3.1 libbind9-1600-debuginfo-9.16.6-lp152.14.3.1 libdns1605-9.16.6-lp152.14.3.1 libdns1605-debuginfo-9.16.6-lp152.14.3.1 libirs-devel-9.16.6-lp152.14.3.1 libirs1601-9.16.6-lp152.14.3.1 libirs1601-debuginfo-9.16.6-lp152.14.3.1 libisc1606-9.16.6-lp152.14.3.1 libisc1606-debuginfo-9.16.6-lp152.14.3.1 libisccc1600-9.16.6-lp152.14.3.1 libisccc1600-debuginfo-9.16.6-lp152.14.3.1 libisccfg1600-9.16.6-lp152.14.3.1 libisccfg1600-debuginfo-9.16.6-lp152.14.3.1 libns1604-9.16.6-lp152.14.3.1 libns1604-debuginfo-9.16.6-lp152.14.3.1 libuv-debugsource-1.18.0-lp152.4.3.1 libuv-devel-1.18.0-lp152.4.3.1 libuv1-1.18.0-lp152.4.3.1 libuv1-debuginfo-1.18.0-lp152.4.3.1 - openSUSE Leap 15.2 (noarch): bind-doc-9.16.6-lp152.14.3.1 python3-bind-9.16.6-lp152.14.3.1 sysuser-shadow-2.0-lp152.5.3.1 sysuser-tools-2.0-lp152.5.3.1 - openSUSE Leap 15.2 (x86_64): bind-devel-32bit-9.16.6-lp152.14.3.1 libbind9-1600-32bit-9.16.6-lp152.14.3.1 libbind9-1600-32bit-debuginfo-9.16.6-lp152.14.3.1 libdns1605-32bit-9.16.6-lp152.14.3.1 libdns1605-32bit-debuginfo-9.16.6-lp152.14.3.1 libirs1601-32bit-9.16.6-lp152.14.3.1 libirs1601-32bit-debuginfo-9.16.6-lp152.14.3.1 libisc1606-32bit-9.16.6-lp152.14.3.1 libisc1606-32bit-debuginfo-9.16.6-lp152.14.3.1 libisccc1600-32bit-9.16.6-lp152.14.3.1 libisccc1600-32bit-debuginfo-9.16.6-lp152.14.3.1 libisccfg1600-32bit-9.16.6-lp152.14.3.1 libisccfg1600-32bit-debuginfo-9.16.6-lp152.14.3.1 libns1604-32bit-9.16.6-lp152.14.3.1 libns1604-32bit-debuginfo-9.16.6-lp152.14.3.1 libuv1-32bit-1.18.0-lp152.4.3.1 libuv1-32bit-debuginfo-1.18.0-lp152.4.3.1


References

https://www.suse.com/security/cve/CVE-2017-3136.html https://www.suse.com/security/cve/CVE-2018-5741.html https://www.suse.com/security/cve/CVE-2019-6477.html https://www.suse.com/security/cve/CVE-2020-8616.html https://www.suse.com/security/cve/CVE-2020-8617.html https://www.suse.com/security/cve/CVE-2020-8618.html https://www.suse.com/security/cve/CVE-2020-8619.html https://www.suse.com/security/cve/CVE-2020-8620.html https://www.suse.com/security/cve/CVE-2020-8621.html https://www.suse.com/security/cve/CVE-2020-8622.html https://www.suse.com/security/cve/CVE-2020-8623.html https://www.suse.com/security/cve/CVE-2020-8624.html https://bugzilla.suse.com/1100369 https://bugzilla.suse.com/1109160 https://bugzilla.suse.com/1118367 https://bugzilla.suse.com/1118368 https://bugzilla.suse.com/1128220 https://bugzilla.suse.com/1156205 https://bugzilla.suse.com/1157051 https://bugzilla.suse.com/1161168 https://bugzilla.suse.com/1170667 https://bugzilla.suse.com/1170713 https://bugzilla.suse.com/1171313 https://bugzilla.suse.com/1171740 https://bugzilla.suse.com/1172958 https://bugzilla.suse.com/1173307 https://bugzilla.suse.com/1173311 https://bugzilla.suse.com/1173983 https://bugzilla.suse.com/1175443 https://bugzilla.suse.com/1176092 https://bugzilla.suse.com/1176674 https://bugzilla.suse.com/906079--


Severity
Announcement ID: openSUSE-SU-2020:1699-1
Rating: moderate
Affected Products: openSUSE Leap 15.2 le.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved