<div class="container">
<h1>Security update for bind</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20085-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-01-15T10:43:49Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230649">bsc#1230649</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252378">bsc#1252378</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252379">bsc#1252379</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252380">bsc#1252380</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-40778.html">CVE-2025-40778</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-40780.html">CVE-2025-40780</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-8677.html">CVE-2025-8677</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40778</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.2</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40778</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40778</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40780</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.2</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40780</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-40780</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-8677</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-8677</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-8677</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for bind fixes the following issues:</p>
<ul>
<li>Upgrade to release 9.20.15
Security Fixes:</li>
<li>CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)</li>
<li>CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)</li>
<li>CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)</li>
</ul>
<p>New Features:
* Add dnssec-policy keys configuration check to named-checkconf.
* Add a new option <code>manual-mode</code> to dnssec-policy.
* Add a new option <code>servfail-until-ready</code> to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
* Support for parsing DSYNC records has been added.</p>
<p>Removed Features:
* Deprecate the <code>tkey-gssapi-credential</code> statement.
* Obsolete the <code>tkey-domain</code> statement.</p>
<p>Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.</p>
<p>Bug Fixes:
* Missing DNSSEC information when CD bit is set in query.
* rndc sign during ZSK rollover will now replace signatures.
* Use signer name when disabling DNSSEC algorithms.
* Preserve cache when reload fails and reload the server again.
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
<code>default-primaries</code>.
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
* Ensure file descriptors 0-2 are in use before using libuv
[bsc#1230649]</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-144=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-144=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>bind-modules-perl-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-sqlite3-9.20.15-160000.1.1</li>
<li>bind-utils-9.20.15-160000.1.1</li>
<li>bind-modules-mysql-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-generic-9.20.15-160000.1.1</li>
<li>bind-9.20.15-160000.1.1</li>
<li>bind-debugsource-9.20.15-160000.1.1</li>
<li>bind-modules-mysql-9.20.15-160000.1.1</li>
<li>bind-modules-generic-debuginfo-9.20.15-160000.1.1</li>
<li>bind-utils-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-ldap-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-perl-9.20.15-160000.1.1</li>
<li>bind-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-ldap-9.20.15-160000.1.1</li>
<li>bind-modules-sqlite3-debuginfo-9.20.15-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>bind-doc-9.20.15-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
<ul>
<li>bind-modules-perl-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-sqlite3-9.20.15-160000.1.1</li>
<li>bind-utils-9.20.15-160000.1.1</li>
<li>bind-modules-mysql-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-generic-9.20.15-160000.1.1</li>
<li>bind-9.20.15-160000.1.1</li>
<li>bind-debugsource-9.20.15-160000.1.1</li>
<li>bind-modules-mysql-9.20.15-160000.1.1</li>
<li>bind-modules-generic-debuginfo-9.20.15-160000.1.1</li>
<li>bind-utils-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-ldap-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-perl-9.20.15-160000.1.1</li>
<li>bind-debuginfo-9.20.15-160000.1.1</li>
<li>bind-modules-ldap-9.20.15-160000.1.1</li>
<li>bind-modules-sqlite3-debuginfo-9.20.15-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
<ul>
<li>bind-doc-9.20.15-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-40778.html">https://www.suse.com/security/cve/CVE-2025-40778.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-40780.html">https://www.suse.com/security/cve/CVE-2025-40780.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-8677.html">https://www.suse.com/security/cve/CVE-2025-8677.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230649">https://bugzilla.suse.com/show_bug.cgi?id=1230649</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252378">https://bugzilla.suse.com/show_bug.cgi?id=1252378</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252379">https://bugzilla.suse.com/show_bug.cgi?id=1252379</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1252380">https://bugzilla.suse.com/show_bug.cgi?id=1252380</a>
</li>
</ul>
</div>