Security update for bind

Announcement ID:	SUSE-SU-2022:2713-1
Rating:	important
References:	bsc#1192146 bsc#1197135 bsc#1197136 bsc#1199044 bsc#1200685 jsc#SLE-24600
Cross-References:	CVE-2021-25219 CVE-2021-25220 CVE-2022-0396
CVSS scores:	CVE-2021-25219 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-25219 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-25220 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N CVE-2021-25220 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N CVE-2022-0396 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2022-0396 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 Server Applications Module 15-SP4 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves three vulnerabilities, contains one feature and has two security fixes can now be installed.

Description:

This update for bind fixes the following issues:

• CVE-2021-25219: Fixed flaw that allowed abusing lame cache to severely degrade resolver performance (bsc#1192146).
• CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
• CVE-2022-0396: Fixed a incorrect handling of TCP connection slots time frame leading to deny of service (bsc#1197136).

The following non-security bugs were fixed:

• Update to release 9.16.31 (jsc#SLE-24600).
• Logrotation broken since dropping chroot (bsc#1200685).
• A non-existent initialization script (eg a leftorver "createNamedConfInclude" in /etc/sysconfig/named) may cause named not to start. A warning message is printed in named.prep and the fact is ignored. Also, the return value of a failed script was not handled properly causing a failed script to not prevent named to start. This is now fixed properly. [bsc#1199044, vendor-files.tar.bz2]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2022-2713=1
• Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2713=1
• Server Applications Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2022-2713=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • bind-utils-9.16.31-150400.5.6.1
  • bind-9.16.31-150400.5.6.1
  • bind-utils-debuginfo-9.16.31-150400.5.6.1
  • bind-debugsource-9.16.31-150400.5.6.1
  • bind-debuginfo-9.16.31-150400.5.6.1
• openSUSE Leap 15.4 (noarch)
  • python3-bind-9.16.31-150400.5.6.1
  • bind-doc-9.16.31-150400.5.6.1
• Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • bind-utils-debuginfo-9.16.31-150400.5.6.1
  • bind-debuginfo-9.16.31-150400.5.6.1
  • bind-utils-9.16.31-150400.5.6.1
  • bind-debugsource-9.16.31-150400.5.6.1
• Basesystem Module 15-SP4 (noarch)
  • python3-bind-9.16.31-150400.5.6.1
• Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • bind-9.16.31-150400.5.6.1
  • bind-debuginfo-9.16.31-150400.5.6.1
  • bind-debugsource-9.16.31-150400.5.6.1
• Server Applications Module 15-SP4 (noarch)
  • bind-doc-9.16.31-150400.5.6.1

References:

• https://www.suse.com/security/cve/CVE-2021-25219.html
• https://www.suse.com/security/cve/CVE-2021-25220.html
• https://www.suse.com/security/cve/CVE-2022-0396.html
• https://bugzilla.suse.com/show_bug.cgi?id=1192146
• https://bugzilla.suse.com/show_bug.cgi?id=1197135
• https://bugzilla.suse.com/show_bug.cgi?id=1197136
• https://bugzilla.suse.com/show_bug.cgi?id=1199044
• https://bugzilla.suse.com/show_bug.cgi?id=1200685
• https://jira.suse.com/browse/SLE-24600