Overview
Security update for bind

This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
check for DNSSEC issues. For instance, if bind is used in a namserver
forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt
from max-recursion-queries. Fetches for missing name server. (bsc#1171740)
Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of "max-stale-ttl" has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The "primary" and "secondary" keywords, when used as parameters for "check-names", were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being a/the only member of the "named" group
has full r/w access yet cannot change directories owned by root
in the case of a compromized named.
[bsc#1173307, bind-chrootenv.conf]
- Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed "-r /dev/urandom" from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.

This update was imported from the SUSE:SLE-15:Update update project.

Fixed bugs
bnc#1176092
network/bind: Bug file conflict in libns.so.1604
bnc#1171313
genDDNSkey no longer working
bnc#1173311
[Build 20200624-1] openQA test fails in yast_dns_server
bnc#1176674
[Build 20200917-1] bind regression: openQA test fails in yast_dns_server
bnc#906079
FIPS: bind: not working in FIPS mode
bnc#1100369
bind/bind-chrootenv and transactional updates
bnc#1109160
VUL-1: CVE-2018-5741: bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies
bnc#1118367
Please add proper dependencies in lwresd.service against nss-lookup.target
bnc#1118368
Please include proper dependencies in named.service against nss-lookup.target
bnc#1128220
re-add bind-fix-fips.patch which was mistakenly removed
bnc#1156205
bind: GeoIP support is discontinued
bnc#1157051
VUL-0: CVE-2019-6477: bind: TCP Pipelining doesn't limit TCP clients on a single connection
bnc#1161168
bind - cookie-secrets not working
bnc#1170667
[Build 20200428-1] openQA test fails in bind
bnc#1170713
Bind-- maintenance update S:M:13024:216821 cause dns forwarder failed
bnc#1171740
VUL-0: CVE-2020-8616, CVE-2020-8617: bind: two vulnerabilities
bnc#1172958
VUL-1: CVE-2020-8618, CVE-2020-8619: bind: two vulnerabilities
bnc#1173307
bnc#1173983
bnc#1175443
VUL-0: CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624: bind: multiple vulnerabilities
CVE-2017-3136
CVE-2018-5741
CVE-2019-6477
CVE-2020-8616
CVE-2020-8617
CVE-2020-8618
CVE-2020-8619
CVE-2020-8620
CVE-2020-8621
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
fate#325524
Selected Binaries
openSUSE Build Service is sponsored by
Places