Security update for bind SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1063-1 Final 1 1 2017-04-19T14:24:31Z current 2017-04-19T14:24:31Z 2017-04-19T14:24:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bind This update for bind fixes the following issues: CVE-2017-3137 (bsc#1033467): Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could have been exploited to cause a denial of service of a bind server performing recursion. CVE-2017-3136 (bsc#1033466): An attacker could have constructed a query that would cause a denial of service of servers configured to use DNS64. CVE-2017-3138 (bsc#1033468): An attacker with access to the BIND control channel could have caused the server to stop by triggering an assertion failure. CVE-2016-6170 (bsc#987866): Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response. IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response. Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message. CVE-2016-2775 (bsc#989528): When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. One additional non-security bug was fixed: The default umask was changed to 077. (bsc#1020983) This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html E-Mail link for openSUSE-SU-2017:1063-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 bind-9.9.9P1-48.3.1 bind-chrootenv-9.9.9P1-48.3.1 bind-devel-9.9.9P1-48.3.1 bind-doc-9.9.9P1-48.3.1 bind-libs-9.9.9P1-48.3.1 bind-libs-32bit-9.9.9P1-48.3.1 bind-lwresd-9.9.9P1-48.3.1 bind-utils-9.9.9P1-48.3.1 bind-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-chrootenv-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-devel-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-doc-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-libs-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-libs-32bit-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-lwresd-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-utils-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.1 bind-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-chrootenv-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-devel-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-doc-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-libs-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-libs-32bit-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-lwresd-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 bind-utils-9.9.9P1-48.3.1 as a component of openSUSE Leap 42.2 ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. CVE-2016-2775 openSUSE Leap 42.1:bind-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-utils-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-utils-9.9.9P1-48.3.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html https://www.suse.com/security/cve/CVE-2016-2775.html CVE-2016-2775 https://bugzilla.suse.com/989528 SUSE Bug 989528 ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. CVE-2016-6170 openSUSE Leap 42.1:bind-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-utils-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-utils-9.9.9P1-48.3.1 moderate 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html https://www.suse.com/security/cve/CVE-2016-6170.html CVE-2016-6170 https://bugzilla.suse.com/987866 SUSE Bug 987866 A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8. CVE-2017-3136 openSUSE Leap 42.1:bind-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-utils-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-utils-9.9.9P1-48.3.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html https://www.suse.com/security/cve/CVE-2017-3136.html CVE-2017-3136 https://bugzilla.suse.com/1018700 SUSE Bug 1018700 https://bugzilla.suse.com/1018701 SUSE Bug 1018701 https://bugzilla.suse.com/1018702 SUSE Bug 1018702 https://bugzilla.suse.com/1024130 SUSE Bug 1024130 https://bugzilla.suse.com/1033461 SUSE Bug 1033461 https://bugzilla.suse.com/1033466 SUSE Bug 1033466 https://bugzilla.suse.com/1081545 SUSE Bug 1081545 Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8. CVE-2017-3137 openSUSE Leap 42.1:bind-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-utils-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-utils-9.9.9P1-48.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html https://www.suse.com/security/cve/CVE-2017-3137.html CVE-2017-3137 https://bugzilla.suse.com/1018700 SUSE Bug 1018700 https://bugzilla.suse.com/1018701 SUSE Bug 1018701 https://bugzilla.suse.com/1018702 SUSE Bug 1018702 https://bugzilla.suse.com/1024130 SUSE Bug 1024130 https://bugzilla.suse.com/1033461 SUSE Bug 1033461 https://bugzilla.suse.com/1033466 SUSE Bug 1033466 https://bugzilla.suse.com/1033467 SUSE Bug 1033467 https://bugzilla.suse.com/1034162 SUSE Bug 1034162 https://bugzilla.suse.com/1076118 SUSE Bug 1076118 https://bugzilla.suse.com/1081545 SUSE Bug 1081545 named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9. CVE-2017-3138 openSUSE Leap 42.1:bind-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.1:bind-utils-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-chrootenv-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-devel-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-doc-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-32bit-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-libs-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-lwresd-9.9.9P1-48.3.1 openSUSE Leap 42.2:bind-utils-9.9.9P1-48.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00022.html https://www.suse.com/security/cve/CVE-2017-3138.html CVE-2017-3138 https://bugzilla.suse.com/1018700 SUSE Bug 1018700 https://bugzilla.suse.com/1018701 SUSE Bug 1018701 https://bugzilla.suse.com/1018702 SUSE Bug 1018702 https://bugzilla.suse.com/1024130 SUSE Bug 1024130 https://bugzilla.suse.com/1033461 SUSE Bug 1033461 https://bugzilla.suse.com/1033466 SUSE Bug 1033466 https://bugzilla.suse.com/1033468 SUSE Bug 1033468