Bug 711420 (CVE-2019-10191) - net-dns/knot: Downgrade attack on DNSSEC-secure domains (CVE-2019-10191)
Summary: net-dns/knot: Downgrade attack on DNSSEC-secure domains (CVE-2019-10191)
Status: RESOLVED INVALID
Alias: CVE-2019-10191
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.knot-resolver.cz/2019-07-...
Reported: 2020-03-03 13:44 UTC by Sam James
Modified: 2020-03-03 15:47 UTC
Runtime testing required: ---
Description Sam James archtester gentoo-dev Security 2020-03-03 13:44:02 UTC

1) CVE-2019-10191

Description:
"fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839)"
"A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol."
Comment 1 Pierre-Olivier Mercier 2020-03-03 15:42:49 UTC

Hi @sam_c!

This CVE refers to the project knot-resolver (https://www.knot-resolver.cz/ // https://gitlab.labs.nic.cz/knot/knot-resolver // https://repology.org/project/knot-resolver), but we don't have any ebuild for it yet.

The ebuild 'net-dns/knot' is for the project knot-dns (https://www.knot-dns.cz/ // https://gitlab.labs.nic.cz/knot/knot-dns // https://repology.org/project/knot).

Both projects share libknot and are made by the same people, but knot-dns is the authoritative server (like 'net-dns/nsd') and knot-resolver is the domain name resolver (like 'net-dns/unbound').

Please mark this bug as INVALID.
Comment 2 Sam James archtester gentoo-dev Security 2020-03-03 15:47:16 UTC

(In reply to Pierre-Olivier Mercier from comment #1)
> Hi @sam_c!
> 
> This CVE refers to the project knot-resolver (https://www.knot-resolver.cz/
> // https://gitlab.labs.nic.cz/knot/knot-resolver //
> https://repology.org/project/knot-resolver), but we don't have any ebuild
> for it yet.
> 
> The ebuild 'net-dns/knot' is for the project knot-dns (https://www.knot-dns.cz/
> // https://gitlab.labs.nic.cz/knot/knot-dns //
> https://repology.org/project/knot).
> 
> Both projects share libknot and are made by the same people, but
> knot-dns is the authoritative server (like 'net-dns/nsd') and knot-resolver
> is the domain name resolver (like 'net-dns/unbound').
> 
> Please mark this bug as INVALID.

Thank you! Apologies for the mix-up.