Security update for bind SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1826-1 Final 1 1 2021-07-10T17:28:43Z current 2021-07-10T17:28:43Z 2021-07-10T17:28:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bind This update for bind fixes the following issues: - CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345). - CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345). - Switched from /var/run to /run (bsc#1185073) - Hardening: Compiled binary with PIE flags to make it position independent The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-1826 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HSDG2HIUJDFCATG54EOVCAT5D4AVXXKE/ E-Mail link for openSUSE-SU-2021:1826-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183453 SUSE Bug 1183453 https://bugzilla.suse.com/1185073 SUSE Bug 1185073 https://www.suse.com/security/cve/CVE-2021-25214/ SUSE CVE CVE-2021-25214 page https://www.suse.com/security/cve/CVE-2021-25215/ SUSE CVE CVE-2021-25215 page openSUSE Leap 15.3 bind-9.16.6-22.7.1 bind-chrootenv-9.16.6-22.7.1 bind-devel-9.16.6-22.7.1 bind-doc-9.16.6-22.7.1 bind-utils-9.16.6-22.7.1 libbind9-1600-9.16.6-22.7.1 libdns1605-9.16.6-22.7.1 libirs-devel-9.16.6-22.7.1 libirs1601-9.16.6-22.7.1 libisc1606-9.16.6-22.7.1 libisccc1600-9.16.6-22.7.1 libisccfg1600-9.16.6-22.7.1 libns1604-9.16.6-22.7.1 python3-bind-9.16.6-22.7.1 bind-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 bind-chrootenv-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 bind-devel-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 bind-doc-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 bind-utils-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libbind9-1600-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libdns1605-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libirs-devel-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libirs1601-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libisc1606-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libisccc1600-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libisccfg1600-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 libns1604-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 python3-bind-9.16.6-22.7.1 as a component of openSUSE Leap 15.3 In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed. CVE-2021-25214 openSUSE Leap 15.3:bind-9.16.6-22.7.1 openSUSE Leap 15.3:bind-chrootenv-9.16.6-22.7.1 openSUSE Leap 15.3:bind-devel-9.16.6-22.7.1 openSUSE Leap 15.3:bind-doc-9.16.6-22.7.1 openSUSE Leap 15.3:bind-utils-9.16.6-22.7.1 openSUSE Leap 15.3:libbind9-1600-9.16.6-22.7.1 openSUSE Leap 15.3:libdns1605-9.16.6-22.7.1 openSUSE Leap 15.3:libirs-devel-9.16.6-22.7.1 openSUSE Leap 15.3:libirs1601-9.16.6-22.7.1 openSUSE Leap 15.3:libisc1606-9.16.6-22.7.1 openSUSE Leap 15.3:libisccc1600-9.16.6-22.7.1 openSUSE Leap 15.3:libisccfg1600-9.16.6-22.7.1 openSUSE Leap 15.3:libns1604-9.16.6-22.7.1 openSUSE Leap 15.3:python3-bind-9.16.6-22.7.1 important 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HSDG2HIUJDFCATG54EOVCAT5D4AVXXKE/ https://www.suse.com/security/cve/CVE-2021-25214.html CVE-2021-25214 https://bugzilla.suse.com/1185345 SUSE Bug 1185345 In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9. CVE-2021-25215 openSUSE Leap 15.3:bind-9.16.6-22.7.1 openSUSE Leap 15.3:bind-chrootenv-9.16.6-22.7.1 openSUSE Leap 15.3:bind-devel-9.16.6-22.7.1 openSUSE Leap 15.3:bind-doc-9.16.6-22.7.1 openSUSE Leap 15.3:bind-utils-9.16.6-22.7.1 openSUSE Leap 15.3:libbind9-1600-9.16.6-22.7.1 openSUSE Leap 15.3:libdns1605-9.16.6-22.7.1 openSUSE Leap 15.3:libirs-devel-9.16.6-22.7.1 openSUSE Leap 15.3:libirs1601-9.16.6-22.7.1 openSUSE Leap 15.3:libisc1606-9.16.6-22.7.1 openSUSE Leap 15.3:libisccc1600-9.16.6-22.7.1 openSUSE Leap 15.3:libisccfg1600-9.16.6-22.7.1 openSUSE Leap 15.3:libns1604-9.16.6-22.7.1 openSUSE Leap 15.3:python3-bind-9.16.6-22.7.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HSDG2HIUJDFCATG54EOVCAT5D4AVXXKE/ https://www.suse.com/security/cve/CVE-2021-25215.html CVE-2021-25215 https://bugzilla.suse.com/1185345 SUSE Bug 1185345 https://bugzilla.suse.com/1189848 SUSE Bug 1189848 https://bugzilla.suse.com/1196172 SUSE Bug 1196172 https://bugzilla.suse.com/1199298 SUSE Bug 1199298 https://bugzilla.suse.com/1225626 SUSE Bug 1225626