Knot Resolver 5.7.1 released CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU validator: lower the NSEC3 iteration limit (150 -> 50) validator: similarly also limit excessive NSEC3 salt length cache: limit the amount of work on SHA1 in NSEC3 aggressive cache validator: limit the amount of work on SHA1 in NSEC3 proofs validator: refuse to validate answers with more than 8 NSEC3 records CVE-2023-50387 "KeyTrap": DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5f77958c503a234dcf58feabeeb04922ccc986c commit f5f77958c503a234dcf58feabeeb04922ccc986c Author: Matthew Smith <matthew@gentoo.org> AuthorDate: 2024-02-14 08:31:27 +0000 Commit: Matthew Smith <matthew@gentoo.org> CommitDate: 2024-02-14 08:31:27 +0000 net-dns/knot-resolver: add 5.7.1 Add jemalloc USE flag to fix automagic dependency. Bug: https://bugs.gentoo.org/924459 Signed-off-by: Matthew Smith <matthew@gentoo.org> net-dns/knot-resolver/Manifest | 2 + net-dns/knot-resolver/knot-resolver-5.7.1.ebuild | 101 +++++++++++++++++++++++ 2 files changed, 103 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62c0efbb862c9a2cfb921f69c8b9c64cc0cde30b commit 62c0efbb862c9a2cfb921f69c8b9c64cc0cde30b Author: Matthew Smith <matthew@gentoo.org> AuthorDate: 2024-02-16 08:02:47 +0000 Commit: Matthew Smith <matthew@gentoo.org> CommitDate: 2024-02-16 08:02:47 +0000 net-dns/knot-resolver: drop vulnerable 5.7.0-r2 Bug: https://bugs.gentoo.org/924459 Signed-off-by: Matthew Smith <matthew@gentoo.org> net-dns/knot-resolver/Manifest | 2 - .../knot-resolver/knot-resolver-5.7.0-r2.ebuild | 99 ---------------------- 2 files changed, 101 deletions(-)
