SUSE-CU-2020:544-1: Security update of harbor/harbor-test

sle-updates at lists.suse.com
Thu Oct 15 00:11:26 MDT 2020


SUSE Container Update Advisory: harbor/harbor-test
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:544-1
Container Tags        : harbor/harbor-test:2.0.3 , harbor/harbor-test:2.0.3-rev1 , harbor/harbor-test:2.0.3-rev1-build4.7
Container Release     : 4.7
Severity              : important
Type                  : security
References            : 1011548 1027282 1029377 1029902 1040164 1042670 1070853 1079761
                        1081750 1083507 1086001 1088004 1088009 1088573 1094814 1094814
                        1100369 1107030 1107030 1109160 1109663 1109847 1118367 1118368
                        1120644 1120644 1122191 1122191 1128220 1129346 1129346 1130840
                        1130840 1133452 1133452 1137942 1138459 1138459 1141853 1141853
                        1142733 1146991 1149121 1149121 1149792 1149792 1149955 1149955
                        1149955 1151490 1151490 1153238 1153238 1153943 1153946 1156205
                        1157051 1158336 1159035 1159622 1161168 1161239 1162224 1162367
                        1162423 1162825 1165424 1165580 1165894 1165894 1170667 1170713
                        1171313 1171740 1171762 1172195 1172824 1172958 1173273 1173274
                        1173307 1173311 1173470 1173529 1173539 1173983 1174079 1174091
                        1174154 1174240 1174551 1174561 1174736 1174918 1175109 1175110
                        1175342 1175443 1175568 1175592 1175811 1175830 1175831 1175844
                        1176086 1176092 1176179 1176181 1176410 1176671 1176674 1177143
                        1177479 637176 658604 673071 709442 743787 747125 751718 754447
                        754677 787526 809831 831629 834601 871152 885662 885882 906079
                        917607 942751 951166 983582 984751 985177 985348 989523 CVE-2011-3389
                        CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-4238
                        CVE-2014-2667 CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636
                        CVE-2016-5699 CVE-2017-18207 CVE-2017-3136 CVE-2018-1000802 CVE-2018-1060
                        CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20406 CVE-2018-20852
                        CVE-2018-20852 CVE-2018-5741 CVE-2019-10160 CVE-2019-10160 CVE-2019-15903
                        CVE-2019-16056 CVE-2019-16056 CVE-2019-16056 CVE-2019-16935 CVE-2019-16935
                        CVE-2019-20907 CVE-2019-5010 CVE-2019-5010 CVE-2019-6477 CVE-2019-9636
                        CVE-2019-9636 CVE-2019-9674 CVE-2019-9947 CVE-2019-9947 CVE-2020-14422
                        CVE-2020-15719 CVE-2020-24659 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154
                        CVE-2020-8027 CVE-2020-8231 CVE-2020-8492 CVE-2020-8616 CVE-2020-8617
                        CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622
                        CVE-2020-8623 CVE-2020-8624 PM-1350 SLE-9426 
-----------------------------------------------------------------

The container harbor/harbor-test was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released:    Mon Oct  8 10:31:14 2018
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1107030
This update for python3 fixes the following issues:

- Add -fwrapv to OPTS (the upstream default for python3) to avoid bugs
  caused by building without it. (bsc#1107030)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:215-1
Released:    Thu Jan 31 15:59:57 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1120644,1122191,CVE-2018-20406,CVE-2019-5010
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released:    Wed Apr 17 14:43:26 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1129346,CVE-2019-9636
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released:    Fri May 24 14:41:44 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1130840,1133452,CVE-2019-9947
This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:

- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a URL parameter (bsc#1130840).
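
The practical defence against the class of bug fixed here is to refuse any URL that carries raw control characters before it reaches the HTTP client, since a CR/LF inside the request line lets the rest of the string be interpreted as additional header lines. The following is an added example, not code from the advisory or from Python's urllib; the URLs it checks are constructed for illustration.

```python
import re

# C0 control characters and DEL. A raw CR or LF in a URL that is written
# into an HTTP request line terminates the line, so whatever follows is
# parsed as further headers; the other controls are rejected for the same
# reason.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def find_control_chars(url: str):
    """Return (offset, codepoint) for every control character in the raw URL.

    The scan deliberately runs on the raw string, not on urllib.parse
    output: newer urllib.parse releases strip ASCII tab, CR and LF while
    splitting a URL, so a check on the parsed components would miss them.
    """
    return [(m.start(), ord(m.group())) for m in _CONTROL_CHARS.finditer(url)]


def validate_url_for_request(url: str) -> str:
    """Return the URL unchanged when it is safe to hand to an HTTP client;
    raise ValueError naming the first offending character otherwise."""
    hits = find_control_chars(url)
    if hits:
        offset, codepoint = hits[0]
        raise ValueError(
            f"control character U+{codepoint:04X} at offset {offset} in URL"
        )
    return url


# Constructed sample inputs (not taken from the advisory).
CLEAN_URL = "http://example.invalid/api?user=alice"
TAINTED_URL = "http://example.invalid/api?user=alice\r\nX-Injected: 1"

if __name__ == "__main__":
    print(find_control_chars(CLEAN_URL))    # []
    print(find_control_chars(TAINTED_URL))  # [(37, 13), (38, 10)]
```

Percent-encoded sequences such as `%0d%0a` are left alone on purpose: they are transmitted encoded and only become dangerous if some later layer decodes them into the request line, which is where a second check belongs.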

Non-security issue fixed:

- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released:    Tue Aug  6 09:42:37 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).
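
The domain-validation mistake behind this class of leak is a plain suffix comparison that ignores DNS label boundaries. The following added example (not the advisory's or CPython's code) contrasts that naive check with an RFC 6265-style match over a constructed set of stored cookies, so the difference in which cookies leave the client is visible.

```python
# Constructed cookie jar: (cookie name, Domain attribute as stored).
# Not taken from any real session.
STORED_COOKIES = [
    ("session", "example.com"),
    ("tracker", ".example.com"),
    ("admin", "internal.example.com"),
]


def naive_domain_match(req_host: str, cookie_domain: str) -> bool:
    """Plain suffix comparison. 'evilexample.com' ends with 'example.com',
    so a cookie scoped to example.com is handed to an unrelated host."""
    return req_host.endswith(cookie_domain)


def label_aware_domain_match(req_host: str, cookie_domain: str) -> bool:
    """RFC 6265-style domain matching: the host must either equal the
    cookie domain or end with '.' + domain, so a match can only begin at
    a DNS label boundary. Case and leading/trailing dots are normalised."""
    host = req_host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".").lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_for_host(req_host: str, matcher=label_aware_domain_match):
    """Names of stored cookies that `matcher` would attach to a request
    for `req_host`, in jar order."""
    return [name for name, domain in STORED_COOKIES if matcher(req_host, domain)]


if __name__ == "__main__":
    for host in ("evilexample.com", "app.example.com", "example.com"):
        print(host, "naive:", cookies_for_host(host, naive_domain_match),
              "label-aware:", cookies_for_host(host))
```

The label-aware matcher still sends `session` and `tracker` to `app.example.com` and to `example.com` itself, so the fix costs nothing for legitimate subdomains; only the unrelated `evilexample.com` stops receiving them.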

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released:    Tue Oct 29 11:39:05 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426
This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released:    Thu Jan 16 10:11:52 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released:    Tue Feb 25 12:00:39 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894
This update for python3 fixes the following issue:

- Rename the idle icons to idle3 so that they do not conflict with the python2
  variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056
This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released:    Thu Jul  2 11:30:42 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1173274,CVE-2020-14422
This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in IPv4Interface and IPv6Interface
  that could have led to denial of service (bsc#1173274).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released:    Wed Aug 19 13:24:03 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1174091,CVE-2019-20907
This update for python3 fixes the following issues:

- CVE-2019-20907: Fixed a possible infinite loop when reading a specially crafted tarball (bsc#1174091).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep  1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails to set up a namespace when spawning a command specified by
  'Exec*='. (bsc#1172824, bsc#1142733) The upstream changes included are:
  - pid1: improve message when setting up namespace fails.
  - execute: let's close glibc syslog channels too.
  - execute: normalize logging in *execute.c*.
  - execute: fix typo in error message.
  - execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  - execute: make use of the new logging mode in *execute.c*.
  - log: add a mode where we open the log fds for every single log message.
  - log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  - execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  - execute: rework logging in *setup_keyring()* to include unit info.
  - execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep  1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2445-1
Released:    Wed Sep  2 09:33:02 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
  rare circumstances experience that when subsequently using the
  setup connect-only transfer, libcurl will pick and use the wrong
  connection and instead pick another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep  9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- CVE-2020-15719: Fixed an issue where certificate validation fell back from X.509
  SANs to CN validation, in violation of RFC 6125 (bsc#1174154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.

  This release properly supports all specified metadata areas, as documented
  in *LUKS2* format description.
  Currently, only default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.

- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
  if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.

  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. 
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) 
  are already mandatory for LUKS2.

- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using the *--persistent* option.

- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.

- Add an early check to the plain and LUKS2 formats that refuses to format a device whose size is not aligned
  to the requested sector size. Previously the format succeeded and the kernel later refused to activate the device.

- Fix the early availability check of hash algorithms for *PBKDF*. Previously the *LUKS2* format accepted a non-existent
  hash algorithm, producing an invalid keyslot that prevented the device from being activated.

- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
  both for data encryption and keyslot encryption in *LUKS1/2* devices.

  For benchmark, use:
    
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

  For LUKS format:
  
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>
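
The two pre-format checks described above (is the requested AEAD or cipher offered by the kernel crypto API, and does it accept the requested key size) can be reproduced in a preflight script that reads the same source the kernel exposes, `/proc/crypto`. The following is an added example and not cryptsetup's own code: it parses the `/proc/crypto` record format from a constructed sample, translates a cryptsetup cipher spec of the form `cipher-mode-iv` into the kernel's `mode(cipher)` name (a simplification that covers the specs shown on this page), and reports what would stop the device from activating later.

```python
# Constructed sample in the /proc/crypto record format (not a real dump).
# Records are key/value lines separated by blank lines.
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 1
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 32
max keysize  : 64
ivsize       : 16
chunksize    : 16
walksize     : 16
"""


def parse_proc_crypto(text: str):
    """Split /proc/crypto text into a list of dicts, one per algorithm record."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def load_proc_crypto(path="/proc/crypto"):
    """Read the live table on a Linux host (not used by the tests)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return parse_proc_crypto(fh.read())


def cryptsetup_spec_to_kernel_name(spec: str) -> str:
    """'aes-xts-plain64' -> 'xts(aes)'; 'xchacha20,aes-adiantum-plain64'
    -> 'adiantum(xchacha20,aes)'. Assumes the cipher-mode-iv layout."""
    parts = spec.split("-", 2)
    if len(parts) < 2:
        raise ValueError(f"unrecognised cipher spec: {spec}")
    cipher, mode = parts[0], parts[1]
    return f"{mode}({cipher})"


def aead_available(entries, name: str) -> bool:
    """True when the kernel offers `name` as an AEAD that passed its self-test."""
    return any(e.get("name") == name and e.get("type") == "aead"
               and e.get("selftest") == "passed" for e in entries)


def skcipher_supports_keysize(entries, name: str, key_bits: int) -> bool:
    """Check the min/max keysize advertised for a block cipher record.
    cryptsetup's -s takes bits; /proc/crypto reports bytes."""
    key_bytes = key_bits // 8
    for e in entries:
        if e.get("name") == name and e.get("type") == "skcipher":
            if int(e["min keysize"]) <= key_bytes <= int(e["max keysize"]):
                return True
    return False


def preflight(entries, spec: str, key_bits: int):
    """Problems that would make a freshly formatted device un-activatable;
    an empty list means the kernel offers what was asked for."""
    name = cryptsetup_spec_to_kernel_name(spec)
    matches = [e for e in entries
               if e.get("name") == name and e.get("selftest") == "passed"]
    if not matches:
        return [f"{name} not offered by the kernel crypto API"]
    problems = []
    if any(e.get("type") == "skcipher" for e in matches) \
            and not skcipher_supports_keysize(entries, name, key_bits):
        problems.append(f"{name} does not accept a {key_bits}-bit key")
    return problems


if __name__ == "__main__":
    entries = parse_proc_crypto(SAMPLE_PROC_CRYPTO)
    for spec, bits in (("aes-xts-plain64", 512), ("aes-xts-plain64", 128),
                       ("xchacha20,aes-adiantum-plain64", 256)):
        print(spec, bits, preflight(entries, spec, bits))
```

On a real host replace `parse_proc_crypto(SAMPLE_PROC_CRYPTO)` with `load_proc_crypto()`. Note that the key size is only checked for `skcipher` records; AEAD records in `/proc/crypto` do not advertise a key size range, which is one reason cryptsetup performs its own check through the kernel user-space crypto API rather than reading this file.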

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix the prefix reported by krb5-config; libraries and headers are not installed under the /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2819-1
Released:    Thu Oct  1 10:39:16 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2850-1
Released:    Fri Oct  2 12:26:03 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1175110
This update for lvm2 fixes the following issues:

- Fixed an issue where LVM hot spares were not added automatically. (bsc#1175110)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2852-1
Released:    Fri Oct  2 16:55:39 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1173470,1175844
This update for openssl-1_1 fixes the following issues:

FIPS:

* Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
* Add shared secret KAT to FIPS DH selftest (bsc#1175844).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2864-1
Released:    Tue Oct  6 10:34:14 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd: call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile: add some missing ';;' in case/esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2893-1
Released:    Mon Oct 12 14:14:55 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1177479
This update for openssl-1_1 fixes the following issues:

- Restore private key check in EC_KEY_check_key (bsc#1177479)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now stricter with regard to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a nameserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request. Root and TLD servers are no longer exempt from
  max-recursion-queries. Fetches for missing name server address
  records are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).
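
The CVE-2020-8624 entry above turns on the difference between two update-policy rule types: a 'subdomain' grant is bounded by the name written in the rule, while a 'zonesub' grant is bounded by the zone apex and ignores that name. The following added example (illustrative Python, not BIND's code) implements both semantics as the ARM describes them, plus the faulty evaluation the advisory describes, so the extra names a key could update before the fix can be enumerated.

```python
def _labels(name: str):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_at_or_below(name: str, parent: str) -> bool:
    """True when `name` equals `parent` or is a subdomain of it.
    Comparison is label-wise, so 'notdyn.example.com' is not below
    'dyn.example.com'."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def update_allowed(rule_type: str, rule_name: str, zone: str, target: str) -> bool:
    """Evaluate a single update-policy grant against a target name.

    subdomain: the target must be at or below the name given in the rule.
    zonesub:   the target must be at or below the zone apex; the rule's
               name field is not consulted.
    """
    if rule_type == "subdomain":
        return is_at_or_below(target, rule_name)
    if rule_type == "zonesub":
        return is_at_or_below(target, zone)
    raise ValueError(f"unsupported rule type: {rule_type}")


def update_allowed_pre_fix(rule_type: str, rule_name: str, zone: str, target: str) -> bool:
    """The faulty behaviour the advisory describes: a 'subdomain' grant is
    evaluated as though it were 'zonesub', so any name in the zone passes."""
    if rule_type == "subdomain":
        rule_type = "zonesub"
    return update_allowed(rule_type, rule_name, zone, target)


def names_exposed_by_bug(rule_name: str, zone: str, candidates):
    """Names a 'subdomain' key could update only because of the bug."""
    return [t for t in candidates
            if update_allowed_pre_fix("subdomain", rule_name, zone, t)
            and not update_allowed("subdomain", rule_name, zone, t)]


# Constructed zone and candidate names for illustration.
ZONE = "example.com"
RULE_NAME = "dyn.example.com"
CANDIDATES = ["host.dyn.example.com", "dyn.example.com",
              "www.example.com", "notdyn.example.com", "www.other.invalid"]

if __name__ == "__main__":
    print(names_exposed_by_bug(RULE_NAME, ZONE, CANDIDATES))
    # ['www.example.com', 'notdyn.example.com']
```

A quick audit of an existing configuration is to run every `grant ... subdomain <name>` rule through `names_exposed_by_bug` with the zone's own record names as candidates: a non-empty result is the set of records that key could have rewritten on an unpatched server.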

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- Legacy GeoIP support is discontinued; GeoIP2 is now used (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and permissions rwxrwxr-t
  so that named, being the only member of the 'named' group,
  has full read/write access yet cannot change directories owned by root
  in the case of a compromised named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. The option is left in genDDNSkey so as not to break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.


