ChangeLog for: 2020-08-21 21:23:38
a/kernel-generic-5.4.60-x86_64-1.txz: Upgraded.
a/kernel-huge-5.4.60-x86_64-1.txz: Upgraded.
a/kernel-modules-5.4.60-x86_64-1.txz: Upgraded.
d/cmake-3.18.2-x86_64-1.txz: Upgraded.
d/kernel-headers-5.4.60-x86-1.txz: Upgraded.
d/nasm-2.15.04-x86_64-1.txz: Upgraded.
k/kernel-source-5.4.60-noarch-1.txz: Upgraded.
l/xapian-core-1.4.17-x86_64-1.txz: Upgraded.
n/bind-9.16.6-x86_64-1.txz: Upgraded.
This update fixes five security issues:
"update-policy" rules of type "subdomain" were incorrectly treated as
"zonesub" rules, which allowed keys used in "subdomain" rules to update
names outside of the specified subdomains. The problem was fixed by making
sure "subdomain" rules are again processed as described in the ARM.
When BIND 9 was compiled with native PKCS#11 support, it was possible to
trigger an assertion failure in code determining the number of bits in the
PKCS#11 RSA public key with a specially crafted packet.
named could crash in certain query resolution scenarios where QNAME
minimization and forwarding were both enabled.
It was possible to trigger an assertion failure by sending a specially
crafted large TCP DNS message.
It was possible to trigger an assertion failure when verifying the response
to a TSIG-signed request.
For more information, see:
https://kb.isc.org/docs/cve-2020-8624
https://kb.isc.org/docs/cve-2020-8623
https://kb.isc.org/docs/cve-2020-8621
https://kb.isc.org/docs/cve-2020-8620
https://kb.isc.org/docs/cve-2020-8622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8621
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8622
(* Security fix *)
n/getmail-6.03-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.