Security update for bind

Announcement ID:	SUSE-SU-2024:2863-1
Rating:	important
References:	bsc#1228256 bsc#1228257 bsc#1228258
Cross-References:	CVE-2024-1737 CVE-2024-1975 CVE-2024-4076
CVSS scores:	CVE-2024-1737 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-1975 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-4076 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	openSUSE Leap 15.4 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves three vulnerabilities can now be installed.

Description:

This update for bind fixes the following issues:

Update to 9.16.50:

• Bug Fixes:
• A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed.
• Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed.
• The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner.
• It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. New Features:
• Added RESOLVER.ARPA to the built in empty zones.
• Security Fixes:
• It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737, bsc#1228256)
• Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975, bsc#1228257)
• When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. (CVE-2024-4076, bsc#1228258)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch SUSE-2024-2863=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2863=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2863=1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-2863=1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2863=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2863=1
• SUSE Manager Proxy 4.3
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-2863=1
• SUSE Manager Retail Branch Server 4.3
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.3-2024-2863=1
• SUSE Manager Server 4.3
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-2863=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• openSUSE Leap 15.4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Manager Proxy 4.3 (x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Manager Proxy 4.3 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Manager Retail Branch Server 4.3 (x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Manager Retail Branch Server 4.3 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1
• SUSE Manager Server 4.3 (ppc64le s390x x86_64)
  • bind-utils-debuginfo-9.16.50-150400.5.43.1
  • bind-debugsource-9.16.50-150400.5.43.1
  • bind-debuginfo-9.16.50-150400.5.43.1
  • bind-utils-9.16.50-150400.5.43.1
  • bind-9.16.50-150400.5.43.1
• SUSE Manager Server 4.3 (noarch)
  • python3-bind-9.16.50-150400.5.43.1
  • bind-doc-9.16.50-150400.5.43.1

References:

• https://www.suse.com/security/cve/CVE-2024-1737.html
• https://www.suse.com/security/cve/CVE-2024-1975.html
• https://www.suse.com/security/cve/CVE-2024-4076.html
• https://bugzilla.suse.com/show_bug.cgi?id=1228256
• https://bugzilla.suse.com/show_bug.cgi?id=1228257
• https://bugzilla.suse.com/show_bug.cgi?id=1228258