Date: Tue, 13 Feb 2024 23:13:41 GMT
Message-Id: <202402132313.41DNDftE094029@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: 58e048cad653 - main - security/vuxml: document dnssec validating resolver DoS vuln...
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 58e048cad653819eebf91af5840e4b00f155bb1b
Auto-Submitted: auto-generated

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b

commit 58e048cad653819eebf91af5840e4b00f155bb1b
Author: Matthias Andree
AuthorDate: 2024-02-13 23:12:14 +0000
Commit: Matthias Andree
CommitDate: 2024-02-13 23:13:16 +0000

    security/vuxml: document dnssec validating resolver DoS vuln...

    for Bind9, dnsmasq, PowerDNS, Unbound.

    Security: 21a854cc-cac1-11ee-b7a7-353f1e043d9a
    Security: CVE-2023-50387
    Security: CVE-2023-50868

--- security/vuxml/vuln/2024.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 5ce1aa06740f..e9571ce9674b 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,77 @@ + + DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities + + + bind916 + 9.16.48 + + + bind918 + 9.18.24 + + + bind9-devel + 9.19.21 + + + dnsmasq + 2.90 + + + dnsmasq-devel + 2.90 + + + powerdns-recursor + 5.0.2 + + + unbound + 1.19.1 + + + + +

Simon Kelley reports:

+
+

If DNSSEC validation is enabled, then an attacker who can force a + DNS server to validate a specially crafted signed domain can use a + lot of CPU in the validator. This only affects dnsmasq installations + with DNSSEC enabled.

+
+

Stichting NLnet Labs reports:

+
+

+ The KeyTrap [CVE-2023-50387] vulnerability works by using a + combination of Keys (also colliding Keys), Signatures and number of + RRSETs on a malicious zone. Answers from that zone can force a + DNSSEC validator down a very CPU intensive and time costly + validation path. +

+

+ The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a + malicious zone with multiple NSEC3 RRSETs to force a DNSSEC + validator down a very CPU intensive and time costly NSEC3 hash + calculation path. +

+
+ +
+ + CVE-2023-50387 + CVE-2023-50868 + https://kb.isc.org/docs/cve-2023-50387 + https://kb.isc.org/docs/cve-2023-50868 + https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html + https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released + https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ + + + 2024-02-06 + 2024-02-13 + +
+ phpmyfaq -- multiple vulnerabilities
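
Review bot: the powerdns-recursor package entry carries a single version bound, 5.0.2, while the PowerDNS reference URL in the same entry names three fixed releases (4.8.6, 4.9.3 and 5.0.2). With one bound, a host running an already patched 4.8.6 or 4.9.3 recursor would still be flagged by an audit against this entry; either add per-branch ranges or say in the commit message that only the 5.0 branch is packaged, so the single bound reads as deliberate. Separately, the description quotes only the dnsmasq and NLnet Labs statements, although bind916, bind918, bind9-devel and powerdns-recursor are listed as affected. A short sentence pointing at the ISC and PowerDNS advisories already in the references would let an admin reading the audit output see why those packages are included.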