Security update for bind SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20091-1 Final 1 1 2026-01-22T16:45:35Z current 2026-01-22T16:45:35Z 2026-01-22T16:45:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bind This update for bind fixes the following issues: Upgrade to release 9.20.18: - CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997) Feature Changes: * Add more information to the rndc recursing output about fetches. * Reduce the number of outgoing queries. * Provide more information when memory allocation fails. Bug Fixes: * Make DNSSEC key rollovers more robust. * Fix a catalog zone issue, where member zones could fail to load. * Allow glue in delegations with QTYPE=ANY. * Fix slow speed when signing a large delegation zone with NSEC3 opt-out. * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid. * Fix a possible catalog zone issue during reconfiguration. * Fix the charts in the statistics channel. * Adding NSEC3 opt-out records could leave invalid records in chain. * Fix spurious timeouts while resolving names. * Fix bug where zone switches from NSEC3 to NSEC after retransfer. * AMTRELAY type 0 presentation format handling was wrong. * Fix parsing bug in remote-servers with key or TLS. * Fix DoT reconfigure/reload bug in the resolver. * Skip unsupported algorithms when looking for a signing key. * Fix dnssec-keygen key collision checking for KEY RRtype keys. * dnssec-verify now uses exit code 1 when failing due to illegal options. * Prevent assertion failures of dig when a server is specified before the -b option. * Skip buffer allocations if not logging. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-180 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1256997 SUSE Bug 1256997 https://www.suse.com/security/cve/CVE-2025-13878/ SUSE CVE CVE-2025-13878 page openSUSE Leap 16.0 bind-9.20.18-160000.1.1 bind-doc-9.20.18-160000.1.1 bind-modules-bdbhpt-9.20.18-160000.1.1 bind-modules-generic-9.20.18-160000.1.1 bind-modules-ldap-9.20.18-160000.1.1 bind-modules-mysql-9.20.18-160000.1.1 bind-modules-perl-9.20.18-160000.1.1 bind-modules-sqlite3-9.20.18-160000.1.1 bind-utils-9.20.18-160000.1.1 bind-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-doc-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-bdbhpt-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-generic-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-ldap-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-mysql-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-perl-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-modules-sqlite3-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 bind-utils-9.20.18-160000.1.1 as a component of openSUSE Leap 16.0 Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. CVE-2025-13878 openSUSE Leap 16.0:bind-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-doc-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-bdbhpt-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-generic-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-ldap-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-mysql-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-perl-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-modules-sqlite3-9.20.18-160000.1.1 openSUSE Leap 16.0:bind-utils-9.20.18-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13878.html CVE-2025-13878 https://bugzilla.suse.com/1256997 SUSE Bug 1256997