924517 – <=net-dns/unbound-1.19.0: DNSSEC verification DoS (KeyTrap vulnerability)

Bug 924517 - <=net-dns/unbound-1.19.0: DNSSEC verification DoS (KeyTrap vulnerability)

Summary: <=net-dns/unbound-1.19.0: DNSSEC verification DoS (KeyTrap vulnerability)

Status:	RESOLVED DUPLICATE of bug 924457

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://nlnetlabs.nl/projects/unbound...
Whiteboard:
Keywords:	SECURITY

Depends on:
Blocks:

Reported:	2024-02-14 10:01 UTC by Marc Schiffbauer
Modified:	2024-02-14 10:35 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc Schiffbauer gentoo-dev

2024-02-14 10:01:43 UTC

"A DNSSEC validation vulnerability has been discovered in various DNSSEC validating software. The vulnerability has an assigned number of CVE-2023-50387 and is referred here as the KeyTrap vulnerability.

The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path."

Other DNS implementations are affected as well.

I already added 1.19.1 to the tree:

commit e327889602de87914ad5ed5a127eb70e57cb0c47 (HEAD -> master, origin/master, origin/HEAD)
Author: Marc Schiffbauer <mschiff@gentoo.org>
Date:   Wed Feb 14 10:53:57 2024 +0100

    net-dns/unbound: add 1.19.1

    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

Comment 1 Hans de Graaff gentoo-dev

2024-02-14 10:35:27 UTC


*** This bug has been marked as a duplicate of bug 924457 ***