{"affected":[{"ecosystem_specific":{"binaries":[{"bind":"9.20.15-160000.1.1","bind-doc":"9.20.15-160000.1.1","bind-modules-generic":"9.20.15-160000.1.1","bind-modules-ldap":"9.20.15-160000.1.1","bind-modules-mysql":"9.20.15-160000.1.1","bind-modules-perl":"9.20.15-160000.1.1","bind-modules-sqlite3":"9.20.15-160000.1.1","bind-utils":"9.20.15-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 16.0","name":"bind","purl":"pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"9.20.15-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"bind":"9.20.15-160000.1.1","bind-doc":"9.20.15-160000.1.1","bind-modules-generic":"9.20.15-160000.1.1","bind-modules-ldap":"9.20.15-160000.1.1","bind-modules-mysql":"9.20.15-160000.1.1","bind-modules-perl":"9.20.15-160000.1.1","bind-modules-sqlite3":"9.20.15-160000.1.1","bind-utils":"9.20.15-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP applications 16.0","name":"bind","purl":"pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"9.20.15-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for bind fixes the following issues:\n\n- Upgrade to release 9.20.15\n  Security Fixes:\n  * CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)\n  * CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)\n  * CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)\n\n  New Features:\n  * Add dnssec-policy keys configuration check to named-checkconf.\n  * Add a new option `manual-mode` to dnssec-policy.\n  * Add a new option `servfail-until-ready` to response-policy\n    zones.\n  * Support for parsing HHIT and BRID records has been added.\n  * Support for parsing DSYNC records has been added.\n\n  Removed Features:\n  * Deprecate the `tkey-gssapi-credential` statement.\n  * Obsolete the `tkey-domain` statement.\n\n  Feature Changes:\n  * Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS\n    digest type 1.\n\n  Bug Fixes:\n  * Missing DNSSEC information when CD bit is set in query.\n  * rndc sign during ZSK rollover will now replace signatures.\n  * Use signer name when disabling DNSSEC algorithms.\n  * Preserve cache when reload fails and reload the server again.\n  * Prevent spurious SERVFAILs for certain 0-TTL resource records.\n  * Fix unexpected termination if catalog-zones had undefined\n    `default-primaries`.\n  * Stale RRsets in a CNAME chain were not always refreshed.\n  * Add RPZ extended DNS error for zones with a CNAME override\n    policy configured.\n  * Fix dig +keepopen option.\n  * Log dropped or slipped responses in the query-errors category.\n  * Fix synth-from-dnssec not working in some scenarios.\n  * Clean enough memory when adding new ADB names/entries under\n    memory pressure.\n  * Prevent spurious validation failures.\n  * Ensure file descriptors 0-2 are in use before using libuv\n    [bsc#1230649]\n","id":"SUSE-SU-2026:20085-1","modified":"2026-01-15T10:43:50Z","published":"2026-01-15T10:43:50Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-202620085-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1230649"},{"type":"REPORT","url":"https://bugzilla.suse.com/1252378"},{"type":"REPORT","url":"https://bugzilla.suse.com/1252379"},{"type":"REPORT","url":"https://bugzilla.suse.com/1252380"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-40778"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-40780"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8677"}],"related":["CVE-2025-40778","CVE-2025-40780","CVE-2025-8677"],"summary":"Security update for bind","upstream":["CVE-2025-40778","CVE-2025-40780","CVE-2025-8677"]}