CZ.NIC has released Knot DNS 2.5.2 and Knot DNS 2.4.5. Besides several fixes and improvements, these versions fix a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass the TSIG authentication if no additional ACL restrictions are set.

From $url:

References:
http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
https://bugs.debian.org/865678
https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
Ping. Maintainer, could you please confirm that the bug is fixed in the tree? It seems that the bug was fixed in the next version (2.5.3 is the latest stable version right now) and the tree has 2.5.2. Thanks
Unfortunately we had to drop the maintainer.
Hi, Indeed, this bug is fixed in the tree. There are only 2.4.5 and 2.5.3 versions in tree (which both include fix in upstream tarball).
(In reply to Pierre-Olivier Mercier from comment #3)
> Hi,
>
> Indeed, this bug is fixed in the tree. There are only 2.4.5 and 2.5.3
> versions in tree (which both include fix in upstream tarball).

Thank you for the info.

@Security I dropped to ~3 since there are no stable versions in the tree. Could you please confirm to be able to close the report?

Thanks

Gentoo Security Padawan
ChrisADR