ID

VAR-202008-1238

CVE

CVE-2020-8622

TITLE

ISC BIND Security hole

DESCRIPTION

In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit. runc is a CLI (command line interface) tool for building and running containers according to the OCI specification. BIND 9.0.0 to 9.11.21, 9.12.0 to 9.16.5, 9.17.0 to 9.17.3, 9.9.3-S1 to 9.11.21-S1 have security vulnerabilities, attackers can construct a special request to cause an assertion failure Causes the target service to end abnormally. For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u2. We recommend that you upgrade your bind9 packages. For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl9H9LBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Riow//eYx52gDQkiERYSEFJbSK34AzF5Ee3W8JYh1BG4PFagvR/y3hwddyFEkR pHlq/t78TPWi9oQ3j8uuQL0VLMA+8jyaNXA0h6BMs/3VKzGktFyINdKPBPIghT2w 2tugfgjK1MR0LZ27rcE86I1QoyFy+jHMmd03R0B0AQPWYkjp+2sp5nxskFVM9jXO 8emXIzT3IZns8WSS7xCZOqE6D40Vk/3hP5IXDXIbHHFUgl6jCEpPHJBHCgrtw9HZ Or/EQgy4y+QUZNqsPw93kxc7cwVWhauW/PX9VZ1HWnfMIWEZX9K8fmYPHlj4dJUa 1G45uTtYT7VaLvs+N7j1UulII+f1ZT9rrljasVKfbmALt+mp28/LzzcCCBMYohkK Ka30MmBu5yZnn36LNWGwaOO5D+cCHsc58awKu3C5wUG/QMBjT+dYlhkbUbllpZVj vMMXjnrefdkCLy7LEDAul1NLgxWcSWzcQ0SyNEfu9IajtA94unFMwNzFmQb7ykql WMkHTg+7mSdPCxOI+0g9+w+pKZFdBGZxXu76cV8FB1BmRitsM8XYrtBGO9uWvkI9 hIm7pHhyJB0E008qo+cKutpnvruLZLBUCutUuNHZAirq+zaHjoVDSxiqPWEJ9jdR Sx85bc7+6f1daR04r5ay/mCuWPTQYrM1VyBsFnAvGxWoznHnmbk= =kUyE -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: bind security update Advisory ID: RHSA-2020:4183-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4183 Issue date: 2020-10-07 CVE Names: CVE-2020-8622 ==================================================================== 1. Summary: An update for bind is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: truncated TSIG response can lead to an assertion failure (CVE-2020-8622) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, the BIND daemon (named) will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1869473 - CVE-2020-8622 bind: truncated TSIG response can lead to an assertion failure 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: bind-9.8.2-0.68.rc1.el6_10.8.src.rpm i386: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.i686.rpm x86_64: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: bind-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.i686.rpm x86_64: bind-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: bind-9.8.2-0.68.rc1.el6_10.8.src.rpm x86_64: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: bind-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: bind-9.8.2-0.68.rc1.el6_10.8.src.rpm i386: bind-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.i686.rpm ppc64: bind-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.ppc.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.ppc.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm s390x: bind-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.s390.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.s390.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.s390x.rpm x86_64: bind-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.i686.rpm ppc64: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.ppc.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.ppc.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.ppc64.rpm s390x: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.s390.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.s390.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.s390x.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.s390x.rpm x86_64: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: bind-9.8.2-0.68.rc1.el6_10.8.src.rpm i386: bind-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.i686.rpm x86_64: bind-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-chroot-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-libs-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-utils-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.i686.rpm x86_64: bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-debuginfo-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.i686.rpm bind-devel-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm bind-sdb-9.8.2-0.68.rc1.el6_10.8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8622 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX34ip9zjgjWX9erEAQggtxAAggiseLLM3omkfl5t8K2CgloI9VI+hsgl 8S2aF4eU4Fhp7mZT+bXuFhN7QxQNGCyqc6slFZrJUlBnQKvUOzDnu+zPF1C4t7N2 lhsIlwBBB1aBug89tOfmvAJ5o0mwtJgGuB2xfFoCm5QdlrSwgbt8ygQL9yfZDHGY 54wZfpQeSfN5celNJgZQabXvkLKZ2DZsn/CGjZ+UwmZeF2gPtSpdKihnMbO0EkaK cxSkwBNR4CLhc4DJ77HWn0jRHTfO4dhfGOTIM6DhvwErcWj7vN3mSGtKtflV47D4 wUUuwQ9RpmVLNpLBaAge6H9/lTb8P8SSkl07y9XLvPUu0iJhtkgZY9+s10JBSpNF 4McC7h6iDC38QNbGidB+YqIX+EDxpHQq8O7tWrOdnaaZF2/UU7NpfoF7cZXJTDqo 0r9LNvKV7WFGn66rsIEvyhke42iBKF3gZFgQA3OqLDGiQpK9C3lXBCsZMiQGY5fl XRjCfPl5jxg6/tIVWfjEJD0YdQ49ZdwOC/sU4eGmVKBRjhz/XKnaFhVoNVr9zpyK YFhfB0pdi4LFkr2XALRERfQXnduKpHT5ngw/GIvNhVfvXnqsacJ33Hf+EtvRbXi3 vx0mxmv4Sl+yRewSl4XOj24Cj2pb0QcUp8KyaiHm12lpVKHMBfWq8OsJwVuIOFHi Dn8VOOgqSzg=Q2qQ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 7) - aarch64, ppc64le, s390x 3. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 2.6.0 images: RHEL-8-CNV-2.6 =============kubevirt-cpu-node-labeller-container-v2.6.0-5 kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5 node-maintenance-operator-container-v2.6.0-13 kubevirt-vmware-container-v2.6.0-5 virtio-win-container-v2.6.0-5 kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5 bridge-marker-container-v2.6.0-9 kubevirt-template-validator-container-v2.6.0-9 kubevirt-v2v-conversion-container-v2.6.0-6 kubemacpool-container-v2.6.0-13 kubevirt-ssp-operator-container-v2.6.0-40 hyperconverged-cluster-webhook-container-v2.6.0-73 hyperconverged-cluster-operator-container-v2.6.0-73 ovs-cni-plugin-container-v2.6.0-10 cnv-containernetworking-plugins-container-v2.6.0-10 ovs-cni-marker-container-v2.6.0-10 cluster-network-addons-operator-container-v2.6.0-16 hostpath-provisioner-container-v2.6.0-11 hostpath-provisioner-operator-container-v2.6.0-14 vm-import-virtv2v-container-v2.6.0-21 kubernetes-nmstate-handler-container-v2.6.0-19 vm-import-controller-container-v2.6.0-21 vm-import-operator-container-v2.6.0-21 virt-api-container-v2.6.0-111 virt-controller-container-v2.6.0-111 virt-handler-container-v2.6.0-111 virt-operator-container-v2.6.0-111 virt-launcher-container-v2.6.0-111 cnv-must-gather-container-v2.6.0-54 virt-cdi-importer-container-v2.6.0-24 virt-cdi-cloner-container-v2.6.0-24 virt-cdi-controller-container-v2.6.0-24 virt-cdi-uploadserver-container-v2.6.0-24 virt-cdi-apiserver-container-v2.6.0-24 virt-cdi-uploadproxy-container-v2.6.0-24 virt-cdi-operator-container-v2.6.0-24 hco-bundle-registry-container-v2.6.0-582 Security Fix(es): * golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283) * golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652) * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586) * golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845) * jwt-go: access restriction bypass vulnerability (CVE-2020-26160) * golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813) * golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362) * containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 1732329 - Virtual Machine is missing documentation of its properties in yaml editor 1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv 1791753 - [RFE] [SSP] Template validator should check validations in template's parent template 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic 1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration 1848956 - KMP requires downtime for CA stabilization during certificate rotation 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1853911 - VM with dot in network name fails to start with unclear message 1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show" 1856347 - SR-IOV : Missing network name for sriov during vm setup 1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS 1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination 1860714 - No API information from `oc explain` 1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints 1864577 - [v2v][RHV to CNV non migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem 1866593 - CDI is not handling vm disk clone 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs 1868817 - Container-native Virtualization 2.6.0 Images 1873771 - Improve the VMCreationFailed error message caused by VM low memory 1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it 1878499 - DV import doesn't recover from scratch space PVC deletion 1879108 - Inconsistent naming of "oc virt" command in help text 1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running 1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability 1885153 - [v2v][RHV to CNv VM import] Wrong Network mapping do not show a relevant error message 1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used 1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied 1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request. 1891285 - Common templates and kubevirt-config cm - update machine-type 1891440 - [v2v][VMware to CNV VM import API]Source VM with no network interface fail with unclear error 1892227 - [SSP] cluster scoped resources are not being reconciled 1893278 - openshift-virtualization-os-images namespace not seen by user 1893646 - [HCO] Pod placement configuration - dry run is not performed for all the configuration stanza 1894428 - Message for VMI not migratable is not clear enough 1894824 - [v2v][VM import] Pick the smallest template for the imported VM, and not always Medium 1894897 - [v2v][VMIO] VMimport CR is not reported as failed when target VM is deleted during the import 1895414 - Virt-operator is accepting updates to the placement of its workload components even with running VMs 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1898072 - Add Fedora33 to Fedora common templates 1898840 - [v2v] VM import VMWare to CNV Import 63 chars vm name should not fail 1899558 - CNV 2.6 - nmstate fails to set state 1901480 - VM disk io can't worked if namespace have label kubemacpool 1902046 - Not possible to edit CDIConfig (through CDI CR / CDIConfig) 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 1903014 - hco-webhook pod in CreateContainerError 1903585 - [v2v] Windows 2012 VM imported from RHV goes into Windows repair mode 1904797 - [VMIO][vmware] A migrated RHEL/Windows VM starts in emergency mode/safe mode when target storage is NFS and target namespace is NOT "default" 1906199 - [CNV-2.5] CNV Tries to Install on Windows Workers 1907151 - kubevirt version is not reported correctly via virtctl 1907352 - VM/VMI link changes to `kubevirt.io~v1~VirtualMachineInstance` on CNV 2.6 1907691 - [CNV] Configuring NodeNetworkConfigurationPolicy caused "Internal error occurred" for creating datavolume 1907988 - VM loses dynamic IP address of its default interface after migration 1908363 - Applying NodeNetworkConfigurationPolicy for different NIC than default disables br-ex bridge and nodes lose connectivity 1908421 - [v2v] [VM import RHV to CNV] Windows imported VM boot failed: INACCESSIBLE BOOT DEVICE error 1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference 1909458 - [V2V][VMware to CNV VM import via api using VMIO] VM import to Ceph RBD/BLOCK fails on "qemu-img: /data/disk.img" error 1910857 - Provide a mechanism to enable the HotplugVolumes feature gate via HCO 1911118 - Windows VMI LiveMigration / shutdown fails on 'XML error: non unique alias detected: ua-') 1911396 - Set networkInterfaceMultiqueue false in rhel 6 template for e1000e interface 1911662 - el6 guests don't work properly if virtio bus is specified on various devices 1912908 - Allow using "scsi" bus for disks in template validation 1913248 - Creating vlan interface on top of a bond device via NodeNetworkConfigurationPolicy fails 1913320 - Informative message needed with virtctl image-upload, that additional step is needed from the user 1913717 - Users should have read permitions for golden images data volumes 1913756 - Migrating to Ceph-RBD + Block fails when skipping zeroes 1914177 - CNV does not preallocate blank file data volumes 1914608 - Obsolete CPU models (kubevirt-cpu-plugin-configmap) are set on worker nodes 1914947 - HPP golden images - DV shoudld not be created with WaitForFirstConsumer 1917908 - [VMIO] vmimport pod fail to create when using ceph-rbd/block 1917963 - [CNV 2.6] Unable to install CNV disconnected - requires kvm-info-nfd-plugin which is not mirrored 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration 1920576 - HCO can report ready=true when it failed to create a CR for a component operator 1920610 - e2e-aws-4.7-cnv consistently failing on Hyperconverged Cluster Operator 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923979 - kubernetes-nmstate: nmstate-handler pod crashes when configuring bridge device using ip tool 1927373 - NoExecute taint violates pdb; VMIs are not live migrated 1931376 - VMs disconnected from nmstate-defined bridge after CNV-2.5.4->CNV-2.6.0 upgrade 5. ========================================================================== Ubuntu Security Notice USN-4468-1 August 21, 2020 bind9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain configurations. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8621) Dave Feldman, Jeff Warren, and Joel Cunningham discovered that Bind incorrectly handled certain truncated responses to a TSIG-signed request. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2020-8622) Lyu Chiy discovered that Bind incorrectly handled certain queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2020-8623) Joop Boonen discovered that Bind incorrectly handled certain subdomain update-policy rules. A remote attacker granted privileges to change certain parts of a zone could use this issue to change other contents of the zone, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8624) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: bind9 1:9.16.1-0ubuntu2.3 Ubuntu 18.04 LTS: bind9 1:9.11.3+dfsg-1ubuntu1.13 Ubuntu 16.04 LTS: bind9 1:9.10.3.dfsg.P4-8ubuntu1.17 In general, a standard system update will make all the necessary changes. 7) - x86_64 3. Bug Fix(es): * BIND stops DNSKEY lookup in get_dst_key() when a key with unsupported algorithm is found first [RHEL7] (BZ#1884530) 4

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

other

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-06T20:33:52.757000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE