You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa knot-resolver

Sigurnosni nedostatak programskog paketa knot-resolver

——————————————————————————–
Fedora Update Notification
FEDORA-2018-b7d774a7c1
2018-08-14 21:06:35.949595
——————————————————————————–

Name : knot-resolver
Product : Fedora 28
Version : 2.4.1
Release : 1.fc28
URL : https://www.knot-resolver.cz/
Summary : Caching full DNS Resolver
Description :
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. Modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine like API for extensions.

The package is pre-configured as local caching resolver.
To start using it, start a single kresd instance:
$ systemctl start kresd@1.service

——————————————————————————–
Update Information:

Knot Resolver 2.4.1 (2018-08-02) ================================ Security
——– – fix CVE-2018-10920: Improper input validation bug in DNS resolver
component (security!7, security!9) Bugfixes ——– – cache: fix TTL
overflow in packet due to min_ttl (#388, security!8) – TLS session resumption:
avoid bad scheduling of rotation (#385) – HTTP module: fix a regression in 2.4.0
which broke custom certs (!632) – cache: NSEC3 negative cache even without NS
record (#384) This fixes lower hit rate in NSEC3 zones (since 2.4.0). – minor
TCP and TLS fixes (!623, !624, !626)
——————————————————————————–
ChangeLog:

* Thu Aug 2 2018 Tomas Krizek <tomas.krizek@nic.cz> – 2.4.1-1
Knot Resolver 2.4.1 (2018-08-02)
================================

Security
——–
– fix CVE-2018-10920: Improper input validation bug in DNS resolver component
(security!7, security!9)

Bugfixes
——–
– cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
– TLS session resumption: avoid bad scheduling of rotation (#385)
– HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
– cache: NSEC3 negative cache even without NS record (#384)
This fixes lower hit rate in NSEC3 zones (since 2.4.0).
– minor TCP and TLS fixes (!623, !624, !626)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> – 2.4.0-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 3 2018 Tomas Krizek <tomas.krizek@nic.cz> – 2.4.0-1
Knot Resolver 2.4.0 (2018-07-03)
================================

Incompatible changes
——————–
– minimal libknot version is now 2.6.7 to pull in latest fixes (#366)

Security
——–
– fix a rare case of zones incorrectly dowgraded to insecure status (!576)

New features
————
– TLS session resumption (RFC 5077), both server and client (!585, #105)
(disabled when compiling with gnutls < 3.5)
– TLS_FORWARD policy uses system CA certificate store by default (!568)
– aggressive caching for NSEC3 zones (!600)
– optional protection from DNS Rebinding attack (module rebinding, !608)
– module bogus_log to log DNSSEC bogus queries without verbose logging (!613)

Bugfixes
——–
– prefill: fix ability to read certificate bundle (!578)
– avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
– fix validation of explicit wildcard queries (#274)
– dns64 module: more properties from the RFC implemented (incl. bug #375)

Improvements
————
– systemd: multiple enabled kresd instances can now be started using kresd.target
– ta_sentinel: switch to version 14 of the RFC draft (!596)
– support for glibc systems with a non-Linux kernel (!588)
– support per-request variables for Lua modules (!533)
– support custom HTTP endpoints for Lua modules (!527)
* Mon Apr 23 2018 Tomas Krizek <tomas.krizek@nic.cz> – 2.3.0-1
Knot Resolver 2.3.0 (2018-04-23)
================================

Security
——–
– fix CVE-2018-1110: denial of service triggered by malformed DNS messages
(!550, !558, security!2, security!4)
– increase resilience against slow lorris attack (security!5)

Bugfixes
——–
– validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
– validation: fix SERVFAIL for DS . query (!544)
– lib/resolve: don’t send unecessary queries to parent zone (!513)
– iterate: fix validation for zones where parent and child share NS (!543)
– TLS: improve error handling and documentation (!536, !555, !559)

Improvements
————
– prefill: new module to periodically import root zone into cache
(replacement for RFC 7706, !511)
– network_listen_fd: always create end point for supervisor supplied file descriptor
– use CPPFLAGS build environment variable if set (!547)
——————————————————————————–
References:

[ 1 ] Bug #1610951 – CVE-2018-10920 knot-resolver: Improper input validation bug in DNS resolver component
https://bugzilla.redhat.com/show_bug.cgi?id=1610951
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2018-b7d774a7c1’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOPIIVIQ2ZF3XIZINHYJNSZJBLLAIJ23/

Top
More in Preporuke
Sigurnosni nedostatak programskog paketa thunderbird-enigmail

Otkriveni su sigurnosni nedostatak u programskom paketu thunderbird-enigmail za operacijski sustav Fedora. Otkriveni nedostatak potencijalnim napadačima omogućuje zaobilaženje sigurnosnih ograničenja...

Close