bind-9.16.20-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10650 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z bind-9.16.20-1.4 on GA media These are all security issues fixed in the bind-9.16.20-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10650 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10650 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-4339/ SUSE CVE CVE-2006-4339 page https://www.suse.com/security/cve/CVE-2007-2925/ SUSE CVE CVE-2007-2925 page https://www.suse.com/security/cve/CVE-2007-2926/ SUSE CVE CVE-2007-2926 page https://www.suse.com/security/cve/CVE-2015-8461/ SUSE CVE CVE-2015-8461 page https://www.suse.com/security/cve/CVE-2016-2775/ SUSE CVE CVE-2016-2775 page https://www.suse.com/security/cve/CVE-2016-9131/ SUSE CVE CVE-2016-9131 page https://www.suse.com/security/cve/CVE-2016-9778/ SUSE CVE CVE-2016-9778 page https://www.suse.com/security/cve/CVE-2017-3135/ SUSE CVE CVE-2017-3135 page https://www.suse.com/security/cve/CVE-2017-3141/ SUSE CVE CVE-2017-3141 page https://www.suse.com/security/cve/CVE-2017-3142/ SUSE CVE CVE-2017-3142 page https://www.suse.com/security/cve/CVE-2017-3145/ SUSE CVE CVE-2017-3145 page https://www.suse.com/security/cve/CVE-2018-5737/ SUSE CVE CVE-2018-5737 page https://www.suse.com/security/cve/CVE-2018-5743/ SUSE CVE CVE-2018-5743 page https://www.suse.com/security/cve/CVE-2018-5745/ SUSE CVE CVE-2018-5745 page https://www.suse.com/security/cve/CVE-2019-6465/ SUSE CVE CVE-2019-6465 page https://www.suse.com/security/cve/CVE-2019-6471/ SUSE CVE CVE-2019-6471 page https://www.suse.com/security/cve/CVE-2019-6476/ SUSE CVE CVE-2019-6476 page https://www.suse.com/security/cve/CVE-2019-6477/ SUSE CVE CVE-2019-6477 page https://www.suse.com/security/cve/CVE-2020-8616/ SUSE CVE CVE-2020-8616 page https://www.suse.com/security/cve/CVE-2020-8617/ SUSE CVE CVE-2020-8617 page https://www.suse.com/security/cve/CVE-2020-8618/ SUSE CVE CVE-2020-8618 page https://www.suse.com/security/cve/CVE-2020-8619/ SUSE CVE CVE-2020-8619 page https://www.suse.com/security/cve/CVE-2020-8620/ SUSE CVE CVE-2020-8620 page https://www.suse.com/security/cve/CVE-2020-8621/ SUSE CVE CVE-2020-8621 page https://www.suse.com/security/cve/CVE-2020-8622/ SUSE CVE CVE-2020-8622 page https://www.suse.com/security/cve/CVE-2020-8623/ SUSE CVE CVE-2020-8623 page https://www.suse.com/security/cve/CVE-2020-8624/ SUSE CVE CVE-2020-8624 page https://www.suse.com/security/cve/CVE-2020-8625/ SUSE CVE CVE-2020-8625 page https://www.suse.com/security/cve/CVE-2021-25214/ SUSE CVE CVE-2021-25214 page https://www.suse.com/security/cve/CVE-2021-25215/ SUSE CVE CVE-2021-25215 page https://www.suse.com/security/cve/CVE-2021-25216/ SUSE CVE CVE-2021-25216 page https://www.suse.com/security/cve/CVE-2021-25218/ SUSE CVE CVE-2021-25218 page openSUSE Tumbleweed bind-9.16.20-1.4 bind-doc-9.16.20-1.4 bind-utils-9.16.20-1.4 python3-bind-9.16.20-1.4 bind-9.16.20-1.4 as a component of openSUSE Tumbleweed bind-doc-9.16.20-1.4 as a component of openSUSE Tumbleweed bind-utils-9.16.20-1.4 as a component of openSUSE Tumbleweed python3-bind-9.16.20-1.4 as a component of openSUSE Tumbleweed OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. CVE-2006-4339 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-4339.html CVE-2006-4339 https://bugzilla.suse.com/202366 SUSE Bug 202366 https://bugzilla.suse.com/203595 SUSE Bug 203595 https://bugzilla.suse.com/206636 SUSE Bug 206636 https://bugzilla.suse.com/207635 SUSE Bug 207635 https://bugzilla.suse.com/215623 SUSE Bug 215623 https://bugzilla.suse.com/218303 SUSE Bug 218303 https://bugzilla.suse.com/233584 SUSE Bug 233584 https://bugzilla.suse.com/564512 SUSE Bug 564512 The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache. CVE-2007-2925 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-2925.html CVE-2007-2925 https://bugzilla.suse.com/294403 SUSE Bug 294403 ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning. CVE-2007-2926 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-2926.html CVE-2007-2926 https://bugzilla.suse.com/294403 SUSE Bug 294403 https://bugzilla.suse.com/295040 SUSE Bug 295040 Race condition in resolver.c in named in ISC BIND 9.9.8 before 9.9.8-P2 and 9.10.3 before 9.10.3-P2 allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via unspecified vectors. CVE-2015-8461 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8461.html CVE-2015-8461 https://bugzilla.suse.com/958861 SUSE Bug 958861 https://bugzilla.suse.com/958862 SUSE Bug 958862 ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. CVE-2016-2775 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2775.html CVE-2016-2775 https://bugzilla.suse.com/989528 SUSE Bug 989528 named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query. CVE-2016-9131 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9131.html CVE-2016-9131 https://bugzilla.suse.com/1018699 SUSE Bug 1018699 https://bugzilla.suse.com/1018700 SUSE Bug 1018700 https://bugzilla.suse.com/1018701 SUSE Bug 1018701 https://bugzilla.suse.com/1018702 SUSE Bug 1018702 https://bugzilla.suse.com/1033466 SUSE Bug 1033466 An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes. Please note: This vulnerability affects the "nxdomain-redirect" feature, which is one of two methods of handling NXDOMAIN redirection, and is only available in certain versions of BIND. Redirection using zones of type "redirect" is not affected by this vulnerability. Affects BIND 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0-P1. CVE-2016-9778 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9778.html CVE-2016-9778 https://bugzilla.suse.com/1018699 SUSE Bug 1018699 https://bugzilla.suse.com/1018703 SUSE Bug 1018703 Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. CVE-2017-3135 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-3135.html CVE-2017-3135 https://bugzilla.suse.com/1018700 SUSE Bug 1018700 https://bugzilla.suse.com/1018701 SUSE Bug 1018701 https://bugzilla.suse.com/1018702 SUSE Bug 1018702 https://bugzilla.suse.com/1024130 SUSE Bug 1024130 https://bugzilla.suse.com/1033466 SUSE Bug 1033466 The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this. Affects BIND 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1. CVE-2017-3141 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-3141.html CVE-2017-3141 https://bugzilla.suse.com/1044225 SUSE Bug 1044225 https://bugzilla.suse.com/1044226 SUSE Bug 1044226 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. CVE-2017-3142 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-3142.html CVE-2017-3142 https://bugzilla.suse.com/1024130 SUSE Bug 1024130 https://bugzilla.suse.com/1046554 SUSE Bug 1046554 https://bugzilla.suse.com/1046555 SUSE Bug 1046555 BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1. CVE-2017-3145 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-3145.html CVE-2017-3145 https://bugzilla.suse.com/1076118 SUSE Bug 1076118 https://bugzilla.suse.com/1101131 SUSE Bug 1101131 https://bugzilla.suse.com/1177790 SUSE Bug 1177790 A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation -- either degradation or denial of service. Affects BIND 9.12.0 and 9.12.1. CVE-2018-5737 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5737.html CVE-2018-5737 https://bugzilla.suse.com/1093448 SUSE Bug 1093448 https://bugzilla.suse.com/1093449 SUSE Bug 1093449 By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743. CVE-2018-5743 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5743.html CVE-2018-5743 https://bugzilla.suse.com/1133185 SUSE Bug 1133185 https://bugzilla.suse.com/1148887 SUSE Bug 1148887 https://bugzilla.suse.com/1157051 SUSE Bug 1157051 "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745. CVE-2018-5745 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5745.html CVE-2018-5745 https://bugzilla.suse.com/1126068 SUSE Bug 1126068 https://bugzilla.suse.com/1141730 SUSE Bug 1141730 https://bugzilla.suse.com/1148887 SUSE Bug 1148887 https://bugzilla.suse.com/1177790 SUSE Bug 1177790 Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. CVE-2019-6465 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6465.html CVE-2019-6465 https://bugzilla.suse.com/1126069 SUSE Bug 1126069 https://bugzilla.suse.com/1141730 SUSE Bug 1141730 https://bugzilla.suse.com/1148887 SUSE Bug 1148887 A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1. CVE-2019-6471 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6471.html CVE-2019-6471 https://bugzilla.suse.com/1138687 SUSE Bug 1138687 A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. CVE-2019-6476 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6476.html CVE-2019-6476 https://bugzilla.suse.com/1153993 SUSE Bug 1153993 https://bugzilla.suse.com/1153994 SUSE Bug 1153994 With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). CVE-2019-6477 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6477.html CVE-2019-6477 https://bugzilla.suse.com/1157051 SUSE Bug 1157051 https://bugzilla.suse.com/1197136 SUSE Bug 1197136 A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. CVE-2020-8616 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8616.html CVE-2020-8616 https://bugzilla.suse.com/1109160 SUSE Bug 1109160 https://bugzilla.suse.com/1171740 SUSE Bug 1171740 Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. CVE-2020-8617 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8617.html CVE-2020-8617 https://bugzilla.suse.com/1109160 SUSE Bug 1109160 https://bugzilla.suse.com/1171740 SUSE Bug 1171740 An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients. CVE-2020-8618 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8618.html CVE-2020-8618 https://bugzilla.suse.com/1172958 SUSE Bug 1172958 In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable. CVE-2020-8619 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8619.html CVE-2020-8619 https://bugzilla.suse.com/1172958 SUSE Bug 1172958 In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit. CVE-2020-8620 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8620.html CVE-2020-8620 https://bugzilla.suse.com/1175443 SUSE Bug 1175443 https://bugzilla.suse.com/1191120 SUSE Bug 1191120 In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected. CVE-2020-8621 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8621.html CVE-2020-8621 https://bugzilla.suse.com/1175443 SUSE Bug 1175443 https://bugzilla.suse.com/1191120 SUSE Bug 1191120 In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit. CVE-2020-8622 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8622.html CVE-2020-8622 https://bugzilla.suse.com/1175443 SUSE Bug 1175443 https://bugzilla.suse.com/1188888 SUSE Bug 1188888 https://bugzilla.suse.com/1191120 SUSE Bug 1191120 In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker CVE-2020-8623 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8623.html CVE-2020-8623 https://bugzilla.suse.com/1175443 SUSE Bug 1175443 https://bugzilla.suse.com/1191120 SUSE Bug 1191120 In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. CVE-2020-8624 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8624.html CVE-2020-8624 https://bugzilla.suse.com/1175443 SUSE Bug 1175443 https://bugzilla.suse.com/1191120 SUSE Bug 1191120 BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch CVE-2020-8625 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8625.html CVE-2020-8625 https://bugzilla.suse.com/1182246 SUSE Bug 1182246 https://bugzilla.suse.com/1182483 SUSE Bug 1182483 https://bugzilla.suse.com/1192708 SUSE Bug 1192708 https://bugzilla.suse.com/1196172 SUSE Bug 1196172 https://bugzilla.suse.com/1218478 SUSE Bug 1218478 https://bugzilla.suse.com/1225626 SUSE Bug 1225626 In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed. CVE-2021-25214 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25214.html CVE-2021-25214 https://bugzilla.suse.com/1185345 SUSE Bug 1185345 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9. CVE-2021-25215 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25215.html CVE-2021-25215 https://bugzilla.suse.com/1185345 SUSE Bug 1185345 https://bugzilla.suse.com/1189848 SUSE Bug 1189848 https://bugzilla.suse.com/1196172 SUSE Bug 1196172 https://bugzilla.suse.com/1199298 SUSE Bug 1199298 https://bugzilla.suse.com/1225626 SUSE Bug 1225626 In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security. CVE-2021-25216 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25216.html CVE-2021-25216 https://bugzilla.suse.com/1185345 SUSE Bug 1185345 https://bugzilla.suse.com/1189848 SUSE Bug 1189848 In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported Preview Edition. CVE-2021-25218 openSUSE Tumbleweed:bind-9.16.20-1.4 openSUSE Tumbleweed:bind-doc-9.16.20-1.4 openSUSE Tumbleweed:bind-utils-9.16.20-1.4 openSUSE Tumbleweed:python3-bind-9.16.20-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25218.html CVE-2021-25218 https://bugzilla.suse.com/1189460 SUSE Bug 1189460