Bug 1175443 (CVE-2020-8620)

Summary: VUL-0: CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624: bind: multiple vulnerabilities
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Josef Möllers <josef.moellers>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, max, meissner, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/265609/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8620:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2020-8621:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2020-8622:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2020-8623:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2020-8624:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 5 Josef Möllers 2020-08-21 08:05:21 UTC
Submission for Factory:
https://build.opensuse.org/request/show/828392
Comment 6 Robert Frohl 2020-08-21 09:56:33 UTC
On August 20, 2020, we (Internet Systems Consortium) have disclosed five
vulnerabilities in our BIND 9 software:

   CVE-2020-8620: A specially crafted large TCP payload can trigger
   an assertion failure in tcpdns.c
   https://kb.isc.org/docs/cve-2020-8620

   CVE-2020-8621: Attempting QNAME minimization after forwarding can
   lead to an assertion failure in resolver.c
   https://kb.isc.org/docs/cve-2020-8621

   CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
   https://kb.isc.org/docs/cve-2020-8622

   CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
   triggerable assertion failure in pk11.c
   https://kb.isc.org/docs/cve-2020-8623

   CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
   https://kb.isc.org/docs/cve-2020-8624

New versions of BIND are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can
find individual vulnerability-specific patches in the "patches" subdirectory
of the release directory for our two stable release branches (9.11 and 9.16)

  https://downloads.isc.org/isc/bind9/9.11.22/patches
  https://downloads.isc.org/isc/bind9/9.16.6/patches

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.
Comment 8 Josef Möllers 2020-08-21 10:01:16 UTC
Submitted from openSUSE.org:network/bind to SUSE:SLE-15:Update
https://build.suse.de/request/show/224928
Comment 11 Josef Möllers 2020-08-21 14:20:08 UTC
As I will be ooo the next two weeks, I have added Reinhard Max as CC in the hope that he will be available.
Comment 13 Swamp Workflow Management 2020-10-13 19:15:18 UTC
SUSE-RU-2020:2915-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: recommended (moderate)
Bug References: 1092283,1094236,1127583,1173983,1175443
CVE References: CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    bind-9.11.22-3.22.1
SUSE OpenStack Cloud 9 (src):    bind-9.11.22-3.22.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bind-9.11.22-3.22.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    bind-9.11.22-3.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    bind-9.11.22-3.22.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    bind-9.11.22-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-10-13 20:16:34 UTC
SUSE-SU-2020:2914-1: An update that solves 12 vulnerabilities, contains one feature and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: ECO-1402
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Server 15-LTSS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    bind-9.16.6-12.32.1
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    bind-9.16.6-12.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Josef Möllers 2020-10-14 06:22:30 UTC
As per comment #13 and comment #14
Comment 16 Wolfgang Frisch 2020-10-15 11:34:08 UTC
Released.
Comment 17 Swamp Workflow Management 2020-10-19 22:16:22 UTC
openSUSE-SU-2020:1699-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    bind-9.16.6-lp152.14.3.1, libuv-1.18.0-lp152.4.3.1, sysuser-tools-2.0-lp152.5.3.1
Comment 18 Swamp Workflow Management 2020-10-20 10:18:14 UTC
openSUSE-SU-2020:1701-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    bind-9.16.6-lp151.11.9.1, libuv-1.18.0-lp151.3.3.1, sysuser-tools-2.0-lp151.4.3.1
Comment 19 Swamp Workflow Management 2021-08-30 19:17:44 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2876-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1175443,1188888
CVE References: CVE-2020-8622
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    bind-9.9.9P1-63.28.1
SUSE OpenStack Cloud 8 (src):    bind-9.9.9P1-63.28.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    bind-9.9.9P1-63.28.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    bind-9.9.9P1-63.28.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    bind-9.9.9P1-63.28.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bind-9.9.9P1-63.28.1
HPE Helion Openstack 8 (src):    bind-9.9.9P1-63.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Gianluca Gabrielli 2022-01-14 16:27:35 UTC
Hi Josef,

I see that the fixes for the mentioned CVEs were addressed by submitting a version bump, but in that version bump CVE-2020-8620 and CVE-2020-8621 have not been backported, could you please submit the fixes?

Thanks
Comment 21 Josef Möllers 2022-01-26 16:02:31 UTC
Ouch I almost missed this one ...

(In reply to Gianluca Gabrielli from comment #20)
> Hi Josef,
> 
> I see that the fixes for the mentioned CVEs were addressed by submitting a
> version bump, but in that version bump CVE-2020-8620 and CVE-2020-8621 have
> not been backported, could you please submit the fixes?

Which code stream are you referring to?
Comment 22 Gianluca Gabrielli 2022-01-27 09:19:36 UTC
(In reply to Josef Möllers from comment #21)
> Ouch I almost missed this one ...
> 
> (In reply to Gianluca Gabrielli from comment #20)
> > Hi Josef,
> > 
> > I see that the fixes for the mentioned CVEs were addressed by submitting a
> > version bump, but in that version bump CVE-2020-8620 and CVE-2020-8621 have
> > not been backported, could you please submit the fixes?
> 
> Which code stream are you referring to?

SUSE:SLE-12-SP4:Update
Comment 23 Josef Möllers 2022-01-27 13:14:59 UTC
(In reply to Gianluca Gabrielli from comment #20)
> Hi Josef,
> 
> I see that the fixes for the mentioned CVEs were addressed by submitting a
> version bump, but in that version bump CVE-2020-8620 and CVE-2020-8621 have
> not been backported, could you please submit the fixes?
> 
> Thanks

SLE-12-SP4:Update has bind-9.11.22
According to
https://nvd.nist.gov/vuln/detail/CVE-2020-8620
and
https://nvd.nist.gov/vuln/detail/CVE-2020-8621
the oldest affected version is 9.14.0

IOW SLE-12-SP4:Update is not affected by these bugs/CVEs
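
The version check behind comment 23, as an added example (not part of the original thread and not SUSE or ISC tooling): it parses the package strings from the update notices above and compares the upstream BIND version against the range the thread gives for CVE-2020-8620 and CVE-2020-8621. The function names and the `bind-9.14.7-1.1` sample are assumptions made for this illustration.

```python
import re

# Range taken from the thread: comment 23 cites NVD for the oldest affected
# release; SUSE-SU-2020:2914-1 ships bind 9.16.6 as the fix for both CVEs.
OLDEST_AFFECTED = "9.14.0"
FIRST_FIXED = "9.16.6"

# BIND versions look like 9.11.22, with an optional patch level (9.9.9P1, 9.9.9-P1).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?P(\d+))?$", re.IGNORECASE)


def parse_bind_version(text):
    """Turn '9.11.22' or '9.9.9P1' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_version(nvr):
    """Extract the version field from an RPM name-version-release string."""
    _name, version, _release = nvr.rsplit("-", 2)
    return version


def triage(nvr):
    """Classify a package by its upstream base version only.

    An 'affected' result still needs a look at the package changelog,
    because a distribution can backport a fix without a version bump.
    """
    v = parse_bind_version(upstream_version(nvr))
    if v < parse_bind_version(OLDEST_AFFECTED):
        return "not affected: predates vulnerable code"
    if v >= parse_bind_version(FIRST_FIXED):
        return "fixed upstream"
    return "affected: needs update or backport"


if __name__ == "__main__":
    # The first three strings appear in the update notices above; the last
    # one is a constructed sample to show the in-range case.
    for nvr in ("bind-9.11.22-3.22.1", "bind-9.16.6-12.32.1",
                "bind-9.9.9P1-63.28.1", "bind-9.14.7-1.1"):
        print(f"{nvr:24} {triage(nvr)}")
```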