Overview

File _patchinfo of Package patchinfo.13024

<patchinfo incident="13024">
  <issue tracker="bnc" id="1176092">network/bind: Bug file conflict in libns.so.1604</issue>
  <issue tracker="bnc" id="1171313">genDDNSkey no longer working</issue>
  <issue tracker="bnc" id="1173311">[Build 20200624-1] openQA test fails in yast_dns_server</issue>
  <issue tracker="bnc" id="1176674">[Build 20200917-1] bind regression: openQA test fails in yast_dns_server</issue>
  <issue tracker="bnc" id="906079">FIPS: bind: not working in FIPS mode</issue>
  <issue tracker="bnc" id="1100369">bind/bind-chrootenv and transactional updates</issue>
  <issue tracker="bnc" id="1109160">VUL-1: CVE-2018-5741: bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies</issue>
  <issue tracker="bnc" id="1118367">Please add proper dependencies in lwresd.service against nss-lookup.target</issue>
  <issue tracker="bnc" id="1118368">Please include proper dependencies in named.service against nss-lookup.target</issue>
  <issue tracker="bnc" id="1128220">re-add bind-fix-fips.patch which was mistakenly removed</issue>
  <issue tracker="bnc" id="1156205">bind: GeoIP support is discontinued</issue>
  <issue tracker="bnc" id="1157051">VUL-0: CVE-2019-6477: bind: TCP Pipelining doesn't limit TCP clients on a single connection</issue>
  <issue tracker="bnc" id="1161168">bind - cookie-secrets not working</issue>
  <issue tracker="bnc" id="1170667">[Build 20200428-1] openQA test fails in bind</issue>
  <issue tracker="bnc" id="1170713">Bind-- maintenance update S:M:13024:216821  cause dns forwarder failed</issue>
  <issue tracker="bnc" id="1171740">VUL-0: CVE-2020-8616, CVE-2020-8617: bind: two vulnerabilities</issue>
  <issue tracker="bnc" id="1172958">VUL-1: CVE-2020-8618, CVE-2020-8619: bind: two vulnerabilities</issue>
  <issue tracker="bnc" id="1173307"></issue>
  <issue tracker="bnc" id="1173983"></issue>
  <issue tracker="bnc" id="1175443"></issue>
  <issue tracker="cve" id="2017-3136"/>
  <issue tracker="cve" id="2018-5741"/>
  <issue tracker="cve" id="2019-6477"/>
  <issue tracker="cve" id="2020-8616"/>
  <issue tracker="cve" id="2020-8617"/>
  <issue tracker="cve" id="2020-8618"/>
  <issue tracker="cve" id="2020-8619"/>
  <issue tracker="cve" id="2020-8620"/>
  <issue tracker="cve" id="2020-8621"/>
  <issue tracker="cve" id="2020-8622"/>
  <issue tracker="cve" id="2020-8623"/>
  <issue tracker="cve" id="2020-8624"/>
  <issue tracker="fate" id="325524"/>
  <issue tracker="jsc" id="ECO-1402"/>
  <packager>nkukreja</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for bind</summary>
  <description>This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request.  Root and TLD servers are no longer exempt
  from max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
  Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: "update-policy" rules of type "subdomain" were
  incorrectly treated as "zonesub" rules, which allowed
  keys used in "subdomain" rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure "subdomain" rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of "max-stale-ttl" has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The "primary" and "secondary" keywords, when used as parameters for "check-names", were not processed correctly and were being ignored.
- 'rndc dnstap -roll &lt;value&gt;' did not limit the number of saved files to &lt;value&gt;.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a/the only member of the "named" group
  has full r/w access yet cannot change directories owned by root
  in the case of a compromized named.
  [bsc#1173307, bind-chrootenv.conf]
- Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed "-r /dev/urandom" from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. Leaving the option in genDDNSkey as to not break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places