rpm package
suse/bind&distro=SUSE Linux Enterprise Point of Sale 11 SP3
pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-25216 | — | < 9.9.6P1-0.51.26.1 | 9.9.6P1-0.51.26.1 | Apr 29, 2021 | In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running | ||
| CVE-2021-25215 | — | < 9.9.6P1-0.51.26.1 | 9.9.6P1-0.51.26.1 | Apr 29, 2021 | In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a qu | ||
| CVE-2021-25214 | — | < 9.9.6P1-0.51.26.1 | 9.9.6P1-0.51.26.1 | Apr 29, 2021 | In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of n | ||
| CVE-2020-8625 | — | < 9.9.6P1-0.51.23.1 | 9.9.6P1-0.51.23.1 | Feb 17, 2021 | BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid valu | ||
| CVE-2020-8617 | — | < 9.9.6P1-0.51.20.1 | 9.9.6P1-0.51.20.1 | May 19, 2020 | Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whos | ||
| CVE-2020-8616 | — | < 9.9.6P1-0.51.20.1 | 9.9.6P1-0.51.20.1 | May 19, 2020 | A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to proce | ||
| CVE-2019-6465 | — | < 9.9.6P1-0.51.15.4 | 9.9.6P1-0.51.15.4 | Oct 9, 2019 | Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Ver | ||
| CVE-2018-5745 | — | < 9.9.6P1-0.51.15.4 | 9.9.6P1-0.51.15.4 | Oct 9, 2019 | "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit d | ||
| CVE-2018-5743 | — | < 9.9.6P1-0.51.15.4 | 9.9.6P1-0.51.15.4 | Oct 9, 2019 | By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit | ||
| CVE-2018-5741 | — | < 9.9.6P1-0.51.20.1 | 9.9.6P1-0.51.20.1 | Jan 16, 2019 | To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when | ||
| CVE-2018-5740 | — | < 9.9.6P1-0.51.15.4 | 9.9.6P1-0.51.15.4 | Jan 16, 2019 | "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the fe | ||
| CVE-2017-3145 | — | < 9.9.6P1-0.51.7.1 | 9.9.6P1-0.51.7.1 | Jan 16, 2019 | BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9. | ||
| CVE-2017-3143 | — | < 9.9.6P1-0.50.1 | 9.9.6P1-0.50.1 | Jan 16, 2019 | An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9. | ||
| CVE-2017-3142 | — | < 9.9.6P1-0.50.1 | 9.9.6P1-0.50.1 | Jan 16, 2019 | An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys f | ||
| CVE-2017-3138 | — | < 9.9.6P1-0.44.1 | 9.9.6P1-0.44.1 | Jan 16, 2019 | named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some | ||
| CVE-2017-3137 | — | < 9.9.6P1-0.44.1 | 9.9.6P1-0.44.1 | Jan 16, 2019 | Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order | ||
| CVE-2017-3136 | — | < 9.9.6P1-0.44.1 | 9.9.6P1-0.44.1 | Jan 16, 2019 | A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other p | ||
| CVE-2017-3135 | — | < 9.9.6P1-0.39.1 | 9.9.6P1-0.39.1 | Jan 16, 2019 | Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9. | ||
| CVE-2016-9444 | Hig | 7.5 | < 9.9.6P1-0.36.1 | 9.9.6P1-0.36.1 | Jan 12, 2017 | named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. | |
| CVE-2016-9147 | Hig | 7.5 | < 9.9.6P1-0.36.1 | 9.9.6P1-0.36.1 | Jan 12, 2017 | named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets. |
- CVE-2021-25216Apr 29, 2021affected < 9.9.6P1-0.51.26.1fixed 9.9.6P1-0.51.26.1
In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running
- CVE-2021-25215Apr 29, 2021affected < 9.9.6P1-0.51.26.1fixed 9.9.6P1-0.51.26.1
In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a qu
- CVE-2021-25214Apr 29, 2021affected < 9.9.6P1-0.51.26.1fixed 9.9.6P1-0.51.26.1
In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of n
- CVE-2020-8625Feb 17, 2021affected < 9.9.6P1-0.51.23.1fixed 9.9.6P1-0.51.23.1
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid valu
- CVE-2020-8617May 19, 2020affected < 9.9.6P1-0.51.20.1fixed 9.9.6P1-0.51.20.1
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whos
- CVE-2020-8616May 19, 2020affected < 9.9.6P1-0.51.20.1fixed 9.9.6P1-0.51.20.1
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to proce
- CVE-2019-6465Oct 9, 2019affected < 9.9.6P1-0.51.15.4fixed 9.9.6P1-0.51.15.4
Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Ver
- CVE-2018-5745Oct 9, 2019affected < 9.9.6P1-0.51.15.4fixed 9.9.6P1-0.51.15.4
"managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit d
- CVE-2018-5743Oct 9, 2019affected < 9.9.6P1-0.51.15.4fixed 9.9.6P1-0.51.15.4
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit
- CVE-2018-5741Jan 16, 2019affected < 9.9.6P1-0.51.20.1fixed 9.9.6P1-0.51.20.1
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when
- CVE-2018-5740Jan 16, 2019affected < 9.9.6P1-0.51.15.4fixed 9.9.6P1-0.51.15.4
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the fe
- CVE-2017-3145Jan 16, 2019affected < 9.9.6P1-0.51.7.1fixed 9.9.6P1-0.51.7.1
BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.
- CVE-2017-3143Jan 16, 2019affected < 9.9.6P1-0.50.1fixed 9.9.6P1-0.50.1
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.
- CVE-2017-3142Jan 16, 2019affected < 9.9.6P1-0.50.1fixed 9.9.6P1-0.50.1
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys f
- CVE-2017-3138Jan 16, 2019affected < 9.9.6P1-0.44.1fixed 9.9.6P1-0.44.1
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some
- CVE-2017-3137Jan 16, 2019affected < 9.9.6P1-0.44.1fixed 9.9.6P1-0.44.1
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order
- CVE-2017-3136Jan 16, 2019affected < 9.9.6P1-0.44.1fixed 9.9.6P1-0.44.1
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other p
- CVE-2017-3135Jan 16, 2019affected < 9.9.6P1-0.39.1fixed 9.9.6P1-0.39.1
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.
- affected < 9.9.6P1-0.36.1fixed 9.9.6P1-0.36.1
named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer.
- affected < 9.9.6P1-0.36.1fixed 9.9.6P1-0.36.1
named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets.
Page 1 of 2