Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924459 - <net-dns/knot-resolver-5.7.1: "KeyTrap" DNS DoS vulnerability
Summary: <net-dns/knot-resolver-5.7.1: "KeyTrap" DNS DoS vulnerability
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.knot-resolver.cz/2024-02-...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 924497
Blocks: CVE-2023-50387, CVE-2023-50868
  Show dependency tree
 
Reported: 2024-02-14 07:27 UTC by Hans de Graaff
Modified: 2025-02-16 07:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-02-14 07:27:15 UTC 
Knot Resolver 5.7.1 released

CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU

        validator: lower the NSEC3 iteration limit (150 -> 50)
        validator: similarly also limit excessive NSEC3 salt length
        cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
        validator: limit the amount of work on SHA1 in NSEC3 proofs
        validator: refuse to validate answers with more than 8 NSEC3 records

CVE-2023-50387 "KeyTrap": DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.
Comment 1 Larry the Git Cow gentoo-dev 2024-02-14 08:32:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5f77958c503a234dcf58feabeeb04922ccc986c

commit f5f77958c503a234dcf58feabeeb04922ccc986c
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-02-14 08:31:27 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-02-14 08:31:27 +0000

    net-dns/knot-resolver: add 5.7.1
    
    Add jemalloc USE flag to fix automagic dependency.
    
    Bug: https://bugs.gentoo.org/924459
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-dns/knot-resolver/Manifest                   |   2 +
 net-dns/knot-resolver/knot-resolver-5.7.1.ebuild | 101 +++++++++++++++++++++++
 2 files changed, 103 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-02-16 08:03:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62c0efbb862c9a2cfb921f69c8b9c64cc0cde30b

commit 62c0efbb862c9a2cfb921f69c8b9c64cc0cde30b
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2024-02-16 08:02:47 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2024-02-16 08:02:47 +0000

    net-dns/knot-resolver: drop vulnerable 5.7.0-r2
    
    Bug: https://bugs.gentoo.org/924459
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 net-dns/knot-resolver/Manifest                     |  2 -
 .../knot-resolver/knot-resolver-5.7.0-r2.ebuild    | 99 ----------------------
 2 files changed, 101 deletions(-)
Comment 3 Nicolas PARLANT 2025-02-12 10:28:45 UTC 
Could you please close the bug as there is no affected version in tree?
Comment 4 Hans de Graaff gentoo-dev Security 2025-02-16 07:16:27 UTC 
(In reply to Nicolas PARLANT from comment #3)
> Could you please close the bug as there is no affected version in tree?

No, because there are still steps to be taken by the security team (and we have a large backlog for "minor" security issues).