Описание
Security update for dnsmasq
This update for dnsmasq fixes the following issues:
- Version update to 2.90:
- CVE-2023-50387: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses. (bsc#1219823)
- CVE-2023-50868: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses. (bsc#1219826)
Список пакетов
SUSE Enterprise Storage 7.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Server 15 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Ссылки
- Link for SUSE-SU-2025:0130-1
- E-Mail link for SUSE-SU-2025:0130-1
- SUSE Security Ratings
- SUSE Bug 1200344
- SUSE Bug 1207174
- SUSE Bug 1214884
- SUSE Bug 1219823
- SUSE Bug 1219826
- SUSE Bug 1235517
- SUSE CVE CVE-2023-50387 page
- SUSE CVE CVE-2023-50868 page
Описание
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Затронутые продукты
Ссылки
- CVE-2023-50387
- SUSE Bug 1219823
- SUSE Bug 1220717
- SUSE Bug 1221586
Описание
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Затронутые продукты
Ссылки
- CVE-2023-50868
- SUSE Bug 1219823
- SUSE Bug 1219826
- SUSE Bug 1221586