Описание
Security update for pdns-recursor
This update for pdns-recursor fixes the following issues:
Update to 4.8.6:
- fixes case when crafted DNSSEC records in a zone can lead to a denial of service in Recursor https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html (boo#1219823, boo#1219826, CVE-2023-50387, CVE-2023-50868)
Changes in 4.8.5:
- (I)XFR: handle partial read of len prefix.
- YaHTTP: Prevent integer overflow on very large chunks.
- Fix setting of policy tags for packet cache hits.
Changes in 4.8.4:
- Deterred spoofing attempts can lead to authoritative servers being marked unavailable (boo#1209897, CVE-2023-26437)
Список пакетов
SUSE Package Hub 15 SP5
openSUSE Leap 15.5
Ссылки
- E-Mail link for openSUSE-SU-2024:0048-1
- SUSE Security Ratings
- SUSE Bug 1209897
- SUSE Bug 1219823
- SUSE Bug 1219826
- SUSE CVE CVE-2023-26437 page
- SUSE CVE CVE-2023-50387 page
- SUSE CVE CVE-2023-50868 page
Описание
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3.
Затронутые продукты
Ссылки
- CVE-2023-26437
- SUSE Bug 1209897
Описание
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Затронутые продукты
Ссылки
- CVE-2023-50387
- SUSE Bug 1219823
- SUSE Bug 1220717
- SUSE Bug 1221586
Описание
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Затронутые продукты
Ссылки
- CVE-2023-50868
- SUSE Bug 1219823
- SUSE Bug 1219826
- SUSE Bug 1221586