-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3522
                         Security update for bind
                              14 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bind
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8624 CVE-2020-8623 CVE-2020-8622
                   CVE-2020-8621 CVE-2020-8620 CVE-2020-8619
                   CVE-2020-8618 CVE-2020-8617 CVE-2020-8616
                   CVE-2019-6477 CVE-2018-5741 CVE-2017-3136

Reference:         ESB-2020.3463
                   ESB-2020.2977

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20202914-1

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for bind

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:2914-1
Rating:            moderate
References:        #1100369 #1109160 #1118367 #1118368 #1128220 #1156205
                   #1157051 #1161168 #1170667 #1170713 #1171313 #1171740
                   #1172958 #1173307 #1173311 #1173983 #1175443 #1176092
                   #1176674 #906079
Cross-References:  CVE-2017-3136 CVE-2018-5741 CVE-2019-6477 CVE-2020-8616
                   CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620
                   CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
Affected Products:
                   SUSE Linux Enterprise Server for SAP 15
                   SUSE Linux Enterprise Server 15-LTSS
                   SUSE Linux Enterprise Module for Server Applications 15-SP2
                   SUSE Linux Enterprise Module for Server Applications 15-SP1
                   SUSE Linux Enterprise Module for Development Tools 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP1
                   SUSE Linux Enterprise High Performance Computing 15-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves 12 vulnerabilities, contains one feature and has 8 fixes
is now available.

Description:

This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:

  o bind is now more strict in regards to DNSSEC. If queries are not working,
    check for DNSSEC issues. For instance, if bind is used in a namserver
    forwarder chain, the forwarding DNS servers must support DNSSEC.


Fixing security issues:

  o CVE-2020-8616: Further limit the number of queries that can be triggered
    from a request. Root and TLD servers are no longer exempt from
    max-recursion-queries. Fetches for missing name server. (bsc#1171740)
    Address records are limited to 4 for any domain.
  o CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger
    an assertion failure. (bsc#1171740)
  o CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the
    tcp-clients limit (bsc#1157051).
  o CVE-2018-5741: Fixed the documentation (bsc#1109160).
  o CVE-2020-8618: It was possible to trigger an INSIST when determining
    whether a record would fit into a TCP message buffer (bsc#1172958).
  o CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/
    rbtdb.c:new_reference() with a particular zone content and query patterns
    (bsc#1172958).
  o CVE-2020-8624: "update-policy" rules of type "subdomain" were incorrectly
    treated as "zonesub" rules, which allowed keys used in "subdomain" rules to
    update names outside of the specified subdomains. The problem was fixed by
    making sure "subdomain" rules are again processed as described in the ARM
    (bsc#1175443).
  o CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was
    possible to trigger an assertion failure in code determining the number of
    bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#
    1175443).
  o CVE-2020-8621: named could crash in certain query resolution scenarios
    where QNAME minimization and forwarding were both enabled (bsc#1175443).
  o CVE-2020-8620: It was possible to trigger an assertion failure by sending a
    specially crafted large TCP DNS message (bsc#1175443).
  o CVE-2020-8622: It was possible to trigger an assertion failure when
    verifying the response to a TSIG-signed request (bsc#1175443).


Other issues fixed:

  o Add engine support to OpenSSL EdDSA implementation.
  o Add engine support to OpenSSL ECDSA implementation.
  o Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
  o Warn about AXFR streams with inconsistent message IDs.
  o Make ISC rwlock implementation the default again.
  o Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
  o Installed the default files in /var/lib/named and created chroot
    environment on systems using transactional-updates (bsc#1100369, fate#
    325524)
  o Fixed an issue where bind was not working in FIPS mode (bsc#906079).
  o Fixed dependency issues (bsc#1118367 and bsc#1118368).
  o GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
  o Fixed an issue with FIPS (bsc#1128220).
  o The liblwres library is discontinued upstream and is no longer included.
  o Added service dependency on NTP to make sure the clock is accurate when
    bind is starts (bsc#1170667, bsc#1170713).
  o Reject DS records at the zone apex when loading master files. Log but
    otherwise ignore attempts to add DS records at the zone apex via UPDATE.
  o The default value of "max-stale-ttl" has been changed from 1 week to 12
    hours.
  o Zone timers are now exported via statistics channel.
  o The "primary" and "secondary" keywords, when used as parameters for
    "check-names", were not processed correctly and were being ignored.
  o 'rndc dnstap -roll ' did not limit the number of saved files to .
  o Add 'rndc dnssec -status' command.
  o Addressed a couple of situations where named could crash.
  o Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that
    named, being a/the only member of the "named" group has full r/w access yet
    cannot change directories owned by root in the case of a compromized named.
    [bsc#1173307, bind-chrootenv.conf]
  o Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named
    to suppress warning message re missing file (bsc#1173983).
  o Removed "-r /dev/urandom" from all invocations of rndc-confgen (init/named
    system/lwresd.init system/named.init in vendor-files) as this option is
    deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#
    1170713)
  o /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/
    sbin/dnssec-keygen as BIND now uses the random number functions provided by
    the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of
    randomness rather than /dev/random. Therefore the -r command line option no
    longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as
    to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#
    1171313]
  o Put libns into a separate subpackage to avoid file conflicts in the libisc
    subpackage due to different sonums (bsc#1176092).
  o Require /sbin/start_daemon: both init scripts, the one used in systemd
    context as well as legacy sysv, make use of start_daemon.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2914=1
  o SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2020-2914=1
  o SUSE Linux Enterprise Module for Server Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-2914=1
  o SUSE Linux Enterprise Module for Server Applications 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-2914=1
  o SUSE Linux Enterprise Module for Development Tools 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-2914=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-2914=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-2914=1
  o SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2914=1
  o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2914=1

Package List:

  o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise Server for SAP 15 (noarch):
       bind-doc-9.16.6-12.32.1
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
       sysuser-tools-2.0-4.2.8
  o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise Server 15-LTSS (noarch):
       bind-doc-9.16.6-12.32.1
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
       sysuser-tools-2.0-4.2.8
  o SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64
    ppc64le s390x x86_64):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
       bind-doc-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64
    ppc64le s390x x86_64):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch):
       bind-doc-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
       sysuser-tools-2.0-4.2.8
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x
    x86_64):
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x
    x86_64):
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
       sysuser-tools-2.0-4.2.8
  o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
       bind-doc-9.16.6-12.32.1
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
       sysuser-tools-2.0-4.2.8
  o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
       bind-9.16.6-12.32.1
       bind-chrootenv-9.16.6-12.32.1
       bind-debuginfo-9.16.6-12.32.1
       bind-debugsource-9.16.6-12.32.1
       bind-devel-9.16.6-12.32.1
       bind-utils-9.16.6-12.32.1
       bind-utils-debuginfo-9.16.6-12.32.1
       libbind9-1600-9.16.6-12.32.1
       libbind9-1600-debuginfo-9.16.6-12.32.1
       libdns1605-9.16.6-12.32.1
       libdns1605-debuginfo-9.16.6-12.32.1
       libirs-devel-9.16.6-12.32.1
       libirs1601-9.16.6-12.32.1
       libirs1601-debuginfo-9.16.6-12.32.1
       libisc1606-9.16.6-12.32.1
       libisc1606-debuginfo-9.16.6-12.32.1
       libisccc1600-9.16.6-12.32.1
       libisccc1600-debuginfo-9.16.6-12.32.1
       libisccfg1600-9.16.6-12.32.1
       libisccfg1600-debuginfo-9.16.6-12.32.1
       libns1604-9.16.6-12.32.1
       libns1604-debuginfo-9.16.6-12.32.1
  o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
       bind-doc-9.16.6-12.32.1
       python3-bind-9.16.6-12.32.1
       sysuser-shadow-2.0-4.2.8
       sysuser-tools-2.0-4.2.8


References:

  o https://www.suse.com/security/cve/CVE-2017-3136.html
  o https://www.suse.com/security/cve/CVE-2018-5741.html
  o https://www.suse.com/security/cve/CVE-2019-6477.html
  o https://www.suse.com/security/cve/CVE-2020-8616.html
  o https://www.suse.com/security/cve/CVE-2020-8617.html
  o https://www.suse.com/security/cve/CVE-2020-8618.html
  o https://www.suse.com/security/cve/CVE-2020-8619.html
  o https://www.suse.com/security/cve/CVE-2020-8620.html
  o https://www.suse.com/security/cve/CVE-2020-8621.html
  o https://www.suse.com/security/cve/CVE-2020-8622.html
  o https://www.suse.com/security/cve/CVE-2020-8623.html
  o https://www.suse.com/security/cve/CVE-2020-8624.html
  o https://bugzilla.suse.com/1100369
  o https://bugzilla.suse.com/1109160
  o https://bugzilla.suse.com/1118367
  o https://bugzilla.suse.com/1118368
  o https://bugzilla.suse.com/1128220
  o https://bugzilla.suse.com/1156205
  o https://bugzilla.suse.com/1157051
  o https://bugzilla.suse.com/1161168
  o https://bugzilla.suse.com/1170667
  o https://bugzilla.suse.com/1170713
  o https://bugzilla.suse.com/1171313
  o https://bugzilla.suse.com/1171740
  o https://bugzilla.suse.com/1172958
  o https://bugzilla.suse.com/1173307
  o https://bugzilla.suse.com/1173311
  o https://bugzilla.suse.com/1173983
  o https://bugzilla.suse.com/1175443
  o https://bugzilla.suse.com/1176092
  o https://bugzilla.suse.com/1176674
  o https://bugzilla.suse.com/906079

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX4aBB+NLKJtyKPYoAQilmA/9GLZrDTp7ZtxQmVq3ybjdJvvfF4bCzQ48
3TM3ifhq7TubCQcuWoG2uF7ItZAWDX6AEHDosek2cuInoLFCBhsmbrxc+IhdI8ZU
1Jx2PRtJ/ROmQF/aOe6BGCe3CZ0d9TDiuwYIm6Z0DspKpTGMckli6OSayOcqiTua
V57VnG13WI8ZvTjzR5z6VjLuIaU7Rtl98X56JWg+L7MDMO3K6h8qufQnxya2ImL9
G4HUOOAA0l7CqgNm3rCK5XVJUewSEJvmKy/DrSy0L6h0fNH4hYlP0PdAv6igGqwo
dXJzUUUIj3tw2wL/UKPFMxpFsm2MetKZyYgB7QeUMqjh1H+dYB7g1/lc/+gUUQ6P
wDarpYNLv5pbJWYgH/jS0pVk8Wx2H8pR4WDeA3iHhhkwAisM0m/VG3uawznn0MWF
HZ/cUq0jf8+CZgmRGpP1psd0XO3cSSC8aWp90OPmL/sMD0zpzPFnRG5RmT7ok6FL
sWjA/cEPzzqJU1ZQNbRlp3EPv6pyeSsASSZUVCTjoEN/IJ6cUhUHBVwocbOjz404
0UxUCNnJmIOU+7jKprrEMEt/osnPviW8UtIiBs5jG4UfzitNUf5/IxD4hg4RzTpx
sYlLdrFQmqq1aQqUEY7ypC28m3bEYT9eKGMXzP4/CS3ZkfOXgCBajc36378Xy85P
E3hrieYzoqM=
=klM1
-----END PGP SIGNATURE-----