Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 924517

Summary: <=net-dns/unbound-1.19.0: DNSSEC verification DoS (KeyTrap vulnerability)
Product: Gentoo Security Reporter: Marc Schiffbauer <mschiff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal Keywords: SECURITY
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nlnetlabs.nl/projects/unbound/security-advisories/
Whiteboard:
Package list:
Runtime testing required: ---

Description Marc Schiffbauer gentoo-dev 2024-02-14 10:01:43 UTC 
"A DNSSEC validation vulnerability has been discovered in various DNSSEC validating software. The vulnerability has an assigned number of CVE-2023-50387 and is referred here as the KeyTrap vulnerability.

The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path."

Other DNS implementations are affected as well.

I already added 1.19.1 to the tree:

commit e327889602de87914ad5ed5a127eb70e57cb0c47 (HEAD -> master, origin/master, origin/HEAD)
Author: Marc Schiffbauer <mschiff@gentoo.org>
Date:   Wed Feb 14 10:53:57 2024 +0100

    net-dns/unbound: add 1.19.1

    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>
Comment 1 Hans de Graaff gentoo-dev Security 2024-02-14 10:35:27 UTC 

*** This bug has been marked as a duplicate of bug 924457 ***