Описание
Security update for bind
This update for bind fixes the following issues:
-
Amended documentation referring to rule types 'krb5-subdomain' and 'ms-subdomain'. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. [CVE-2018-5741]
-
Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain. [CVE-2020-8616]
-
Replaying a TSIG BADTIME response as a request could trigger an assertion failure. [CVE-2020-8617] [bsc#1109160, bsc#1171740, CVE-2018-5741, bind-CVE-2018-5741.patch, CVE-2020-8616, bind-CVE-2020-8616.patch, CVE-2020-8617, bind-CVE-2020-8617.patch]
-
Don't rely on /etc/insserv.conf anymore for proper dependencies against nss-lookup.target in named.service and lwresd.service (bsc#1118367 bsc#1118368)
-
Using a drop-in file
Список пакетов
HPE Helion OpenStack 8
SUSE Enterprise Storage 5
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP2-LTSS
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP3
SUSE OpenStack Cloud 7
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud Crowbar 8
Ссылки
- Link for SUSE-SU-2020:1914-1
- E-Mail link for SUSE-SU-2020:1914-1
- SUSE Security Ratings
- SUSE Bug 1109160
- SUSE Bug 1118367
- SUSE Bug 1118368
- SUSE Bug 1171740
- SUSE CVE CVE-2018-5741 page
- SUSE CVE CVE-2020-8616 page
- SUSE CVE CVE-2020-8617 page
Описание
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.
Затронутые продукты
Ссылки
- CVE-2018-5741
- SUSE Bug 1109160
- SUSE Bug 1171740
Описание
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Затронутые продукты
Ссылки
- CVE-2020-8616
- SUSE Bug 1109160
- SUSE Bug 1171740
Описание
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.
Затронутые продукты
Ссылки
- CVE-2020-8617
- SUSE Bug 1109160
- SUSE Bug 1171740