Security update for dnsdist

Announcement ID:	SUSE-SU-2023:2760-2
Rating:	moderate
References:	bsc#1054799 bsc#1054802 bsc#1114511
Cross-References:	CVE-2016-7069 CVE-2017-7557 CVE-2018-14663
CVSS scores:	CVE-2016-7069 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-7557 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-14663 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	Basesystem Module 15-SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves three vulnerabilities can now be installed.

Description:

This update for dnsdist fixes the following issues:

• update to 1.8.0
• Implements dnsdist in SLE15 (jsc#PED-3402)

• Security fix: fixes a possible record smugging with a crafted DNS query with trailing data (CVE-2018-14663, bsc#1114511)

• update to 1.2.0 (bsc#1054799, bsc#1054802) This release also addresses two security issues of low severity, CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of service on 32-bit if a backend sends crafted answers, and the second to an alteration of dnsdist’s ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2760=1
• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2760=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-2760=1

Package List:

• Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  • dnsdist-debuginfo-1.8.0-150400.9.3.1
  • dnsdist-debugsource-1.8.0-150400.9.3.1
  • libluajit-5_1-2-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • dnsdist-1.8.0-150400.9.3.1
• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • dnsdist-debuginfo-1.8.0-150400.9.3.1
  • luajit-devel-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • dnsdist-debugsource-1.8.0-150400.9.3.1
  • libluajit-5_1-2-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • libluajit-5_1-2-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-debugsource-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • dnsdist-1.8.0-150400.9.3.1
• openSUSE Leap 15.4 (x86_64)
  • libluajit-5_1-2-32bit-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • libluajit-5_1-2-32bit-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • dnsdist-debuginfo-1.8.0-150400.9.3.1
  • luajit-devel-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • dnsdist-debugsource-1.8.0-150400.9.3.1
  • libluajit-5_1-2-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • libluajit-5_1-2-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • luajit-debugsource-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • dnsdist-1.8.0-150400.9.3.1
• openSUSE Leap 15.5 (x86_64)
  • libluajit-5_1-2-32bit-debuginfo-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1
  • libluajit-5_1-2-32bit-2.1.0~beta3+git.1624618403.e9577376-150400.4.2.1

References:

• https://www.suse.com/security/cve/CVE-2016-7069.html
• https://www.suse.com/security/cve/CVE-2017-7557.html
• https://www.suse.com/security/cve/CVE-2018-14663.html
• https://bugzilla.suse.com/show_bug.cgi?id=1054799
• https://bugzilla.suse.com/show_bug.cgi?id=1054802
• https://bugzilla.suse.com/show_bug.cgi?id=1114511