Mehrere Probleme in bind
ID: | openSUSE-SU-2020:1699-1 |
Distribution: | SUSE |
Plattformen: | openSUSE Leap 15.2 |
Datum: | Di, 20. Oktober 2020, 07:06 |
Referenzen: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8621 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8618 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8622 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8619 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8623 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8620 |
Applikationen: | BIND |
Originalnachricht |
|
openSUSE Security Update: Security update for bind ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1699-1 Rating: moderate References: #1100369 #1109160 #1118367 #1118368 #1128220 #1156205 #1157051 #1161168 #1170667 #1170713 #1171313 #1171740 #1172958 #1173307 #1173311 #1173983 #1175443 #1176092 #1176674 #906079 Cross-References: CVE-2017-3136 CVE-2018-5741 CVE-2019-6477 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 8 fixes is now available. Description: This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: "update-policy" rules of type "subdomain" were incorrectly treated as "zonesub" rules, which allowed keys used in "subdomain" rules to update names outside of the specified subdomains. The problem was fixed by making sure "subdomain" rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of "max-stale-ttl" has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The "primary" and "secondary" keywords, when used as parameters for "check-names", were not processed correctly and were being ignored. - 'rndc dnstap -roll |