9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
An update that fixes two vulnerabilities is now available.
Description:
This update for nsd fixes the following issues:
nsd was updated to the new upstream release 4.3.4
FEATURES:
BUG FIXES:
New upstream release 4.3.3:
FEATURES:
Follow DNS flag day 2020 advice and set default EDNS message size to
1232.
Merged PR #113 with fixes. Instead of listing an IP-address to listen
on, an interface name can be specified in nsd.conf, with ip-address:
eth0. The IP-addresses for that interface are then used.
New upstream release 4.3.2
FEATURES:
BUG FIXES:
New upstream release 4.3.1
BUG FIXES:
New upstream release 4.3.0
FEATURES:
BUG FIXES:
Fix whitespace in nsd.conf.sample.in, patch from Paul Wouters.
use-systemd is ignored in nsd.conf, when NSD is compiled with libsystemd
it always signals readiness, if possible.
Note that use-systemd is not necessary and ignored in man page.
Fix responses for IXFR so that the authority section is not echoed in
the response.
Fix that the retry wait does not exceed one day for zone transfers.
Update keyring as per https://nlnetlabs.nl/people/
New upstream release 4.2.3:
* confine-to-zone configures NSD to not return out-of-zone additional
information.
* pidfile "" allows to run NSD without a pidfile
* adds support for readiness notification with READY_FD
* fix excessive logging of ixfr failures, it stops the log when fallback
to axfr is possible. log is enabled at high verbosity.
* The nsd.conf includes are sorted ascending, for include statements
with a '*' from glob.
* Fix log address and failure reason with tls handshake errors,
squelches (the same as unbound) some unless high verbosity is used.
* Number of different UDP handlers has been reduced to one. recvmmsg and
sendmmsg implementations are now used on all platforms.
* Socket options are now set in designated functions for easy reuse.
* Socket setup has been simplified for easy reuse.
* Configuration parser is now aware of the context in which an option
was specified.
* document that remote-control is a top-level nsd.conf attribute.
New upstream release 4.2.2:
* Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
dname_concatenate() function. Reported by Frederic Cambus. It causes
the zone parser to crash on a malformed zone file, with assertions
enabled, an assertion catches it.
* Fix #19: Out-of-bounds read caused by improper validation of array
index. Reported by Frederic Cambus. The zone parser fails on type
SIG because of mismatched definition with RRSIG.
* PR #23: Fix typo in nsd.conf man-page.
* Fix that NSD warns for wrong length of the hash in SSHFP records.
* Fix #25: NSD doesn't refresh zones after extended downtime, it
refreshes the old zones.
* Set no renegotiation on the SSL context to stop client session
renegotiation.
* Fix #29: SSHFP check NULL pointer dereference.
* Fix #30: SSHFP check failure due to missing domain name.
* Fix to timeval_add in minievent for remaining second in microseconds.
* PR #31: nsd-control: Add missing stdio header.
* PR #32: tsig: Fix compilation without HAVE_SSL.
* Cleanup tls context on xfrd exit.
* Fix #33: Fix segfault in service of remaining streams on exit.
* Fix error message for out of zone data to have more information.
New upstream release 4.2.1:
* FEATURES:
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size, tcp-reject-overflow
options for nsd.conf, from Jeroen Koekkoek.
- Fix #14, tcp connections have 1/10 to be active and have to work
every second, and then they get time to complete during a reload,
this is a process that lingers with the old version during a version
update.
* BUG FIXES:
- Fix #13: Stray dot at the end of some log entries, removes dot after
updated serial number in log entry.
- Fix TLS cipher selection, the previous was redundant, prefers
CHACHA20-POLY1305 over AESGCM and was not as readable as it could be.
- Fix #15: crash in SSL library, initialize variables for TCP access
when TLS is configured.
- Fix tls handshake event callback function mistake, reported by
Mykhailo Danylenko.
- Fix output of nsd-checkconf -h.
New upstream release 4.2.0:
* Implement TCP fast open
* Added DNS over TLS
* TLS OCSP stapling support with the tls-service-ocsp option
* New option hide-identity can be used in nsd.conf to stop NSD from
responding with the hostname for probe queries that elicit the chaos
class response, this is conform RFC4892
* Disable TLS1.0, TLS1.1 and weak ciphers, enable
CIPHER_SERVER_PREFERENCE
Update to upstream release 4.1.27:
FEATURES:
BUG FIXES:
Update to upstream release 4.1.26:
* FEATURES:
- DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
option in nsd.conf.
- Added nsd-control changezone. nsd-control changezone name pattern
allows the change of a zone pattern option without downtime for the
zone, in one operation.
* BUG FIXES:
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
DNSSEC RRs.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are sorted
and in a predictable order.
- Fix #3433: document that reconfig does not change per-zone stats.
Update to upstream release 4.1.25:
* FEATURES:
- nsd-control prints neater errors for file failures.
* BUG FIXES:
- Fix that nsec3 precompile deletion happens before the RRs of the
zone are deleted.
- Fix printout of accepted remote control connection for unix sockets.
- Fix use_systemd typo/leftover in remote.c.
- Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.
- append_trailing_slash has one implementation and is not repeated
differently.
- Fix coding style in nsd.c
- Fix to combine the same error function into one, from Xiaobo Liu.
- Fix initialisation in remote.c.
- please clang analyzer and fix parse of IPSECKEY with bad gateway.
- Fix nsd-checkconf fail on bad zone name.
- Annotate exit functions with noreturn.
- Remove unused if clause during server service startup.
- Fix #4156: Fix systemd service manager state change notification
When it is compiled, systemd readiness signalling is enabled. The
option in nsd.conf is not used, it is ignored when read.
Update to upstream release 4.1.24:
Features
Update to upstream release 4.1.23:
- Fix NSD time sensitive TSIG compare vulnerability.
Update to upstream release 4.1.22:
- Features:
* refuse-any sends truncation (+TC) in reply to ANY queries
over UDP, and allows TCP queries like normal.
* Use accept4 to speed up answer of TCP queries
- Bug fixes:
* Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.
* Fix to use same condition for nsec3 hash allocation and free.
Changes in version 4.1.21:
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2222=1
openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2222=1
openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-2222=1
openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-2222=1
SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2020-2222=1
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P