Detections
Analytics

openSUSE 16 Security Update : bind (openSUSE-SU-2026:20039-1)

high Nessus Plugin ID 291308

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20039-1 advisory.

 - Upgrade to release 9.20.15 Security Fixes:
 * CVE-2025-40778: Fixed cache poisoning attacks with unsolicited RRs (bsc#1252379)
 * CVE-2025-40780: Fixed cache poisoning due to weak PRNG (bsc#1252380)
 * CVE-2025-8677: Fixed resource exhaustion via malformed DNSKEY handling (bsc#1252378)

 New Features:
 * Add dnssec-policy keys configuration check to named-checkconf.
 * Add a new option `manual-mode` to dnssec-policy.
 * Add a new option `servfail-until-ready` to response-policy zones.
 * Support for parsing HHIT and BRID records has been added.
 * Support for parsing DSYNC records has been added.

 Removed Features:
 * Deprecate the `tkey-gssapi-credential` statement.
 * Obsolete the `tkey-domain` statement.

 Feature Changes:
 * Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest type 1.

 Bug Fixes:
 * Missing DNSSEC information when CD bit is set in query.
 * rndc sign during ZSK rollover will now replace signatures.
 * Use signer name when disabling DNSSEC algorithms.
 * Preserve cache when reload fails and reload the server again.
 * Prevent spurious SERVFAILs for certain 0-TTL resource records.
 * Fix unexpected termination if catalog-zones had undefined `default-primaries`.
 * Stale RRsets in a CNAME chain were not always refreshed.
 * Add RPZ extended DNS error for zones with a CNAME override policy configured.
 * Fix dig +keepopen option.
 * Log dropped or slipped responses in the query-errors category.
 * Fix synth-from-dnssec not working in some scenarios.
 * Clean enough memory when adding new ADB names/entries under memory pressure.
 * Prevent spurious validation failures.
 * Ensure file descriptors 0-2 are in use before using libuv [bsc#1230649]

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1252378

https://bugzilla.suse.com/1252379

https://bugzilla.suse.com/1252380

https://www.suse.com/security/cve/CVE-2025-40778

https://www.suse.com/security/cve/CVE-2025-40780

https://www.suse.com/security/cve/CVE-2025-8677

https://bugzilla.suse.com/1230649

Plugin Details

Severity: High

ID: 291308

File Name: openSUSE-2026-20039-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/18/2026

Updated: 1/18/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2025-8677

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-40780

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:bind-utils, p-cpe:/a:novell:opensuse:bind-modules-perl, p-cpe:/a:novell:opensuse:bind-modules-sqlite3, p-cpe:/a:novell:opensuse:bind-modules-mysql, p-cpe:/a:novell:opensuse:bind-modules-ldap, p-cpe:/a:novell:opensuse:bind-modules-generic, p-cpe:/a:novell:opensuse:bind-modules-bdbhpt, p-cpe:/a:novell:opensuse:bind

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/15/2026

Vulnerability Publication Date: 10/22/2025

Reference Information

CVE: CVE-2025-40778, CVE-2025-40780, CVE-2025-8677

IAVA: 2025-A-0800