Security update for bind

Announcement ID:	SUSE-SU-2026:0348-1
Release Date:	2026-01-30T11:17:08Z
Rating:	important
References:	bsc#1256997
Cross-References:	CVE-2025-13878
CVSS scores:	CVE-2025-13878 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-13878 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-13878 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP7 Server Applications Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves one vulnerability can now be installed.

Description:

This update for bind fixes the following issues:

Upgrade to release 9.20.18:

• CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997)

Feature Changes: * Add more information to the rndc recursing output about fetches. * Reduce the number of outgoing queries. * Provide more information when memory allocation fails.

Bug Fixes: * Make DNSSEC key rollovers more robust. * Fix a catalog zone issue, where member zones could fail to load. * Allow glue in delegations with QTYPE=ANY. * Fix slow speed when signing a large delegation zone with NSEC3 opt-out. * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid. * Fix a possible catalog zone issue during reconfiguration. * Fix the charts in the statistics channel. * Adding NSEC3 opt-out records could leave invalid records in chain. * Fix spurious timeouts while resolving names. * Fix bug where zone switches from NSEC3 to NSEC after retransfer. * AMTRELAY type 0 presentation format handling was wrong. * Fix parsing bug in remote-servers with key or TLS. * Fix DoT reconfigure/reload bug in the resolver. * Skip unsupported algorithms when looking for a signing key. * Fix dnssec-keygen key collision checking for KEY RRtype keys. * dnssec-verify now uses exit code 1 when failing due to illegal options. * Prevent assertion failures of dig when a server is specified before the -b option. * Skip buffer allocations if not logging.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-348=1
• Basesystem Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-348=1

Package List:

• Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • bind-9.20.18-150700.3.15.1
  • bind-debugsource-9.20.18-150700.3.15.1
  • bind-debuginfo-9.20.18-150700.3.15.1
• Server Applications Module 15-SP7 (noarch)
  • bind-doc-9.20.18-150700.3.15.1
• Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • bind-utils-9.20.18-150700.3.15.1
  • bind-utils-debuginfo-9.20.18-150700.3.15.1
  • bind-debugsource-9.20.18-150700.3.15.1
  • bind-debuginfo-9.20.18-150700.3.15.1

References:

• https://www.suse.com/security/cve/CVE-2025-13878.html
• https://bugzilla.suse.com/show_bug.cgi?id=1256997