Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ad030315-66c0-608e-62fd-622413bf6188@nic.cz>
Date: Fri, 9 Feb 2018 08:47:00 +0100
From: Petr Špaček <petr.spacek@....cz>
To: Anthony Liguori <aliguori@...zon.com>, oss-security@...ts.openwall.com
Cc: Jan Pavlinec <jan.pavlinec@....cz>,
 Remi Gacogne <remi.gacogne@...erdns.com>, Solar Designer
 <solar@...nwall.com>, Kristian Fiskerstrand <k_f@...too.org>
Subject: Re: bug in DNS resolvers - DNSSEC validation

Please accept my apology for this omission, the issue were made public
right after end of embargo but I totally forgot about posting it again here.

On 9.2.2018 02:46, Anthony Liguori wrote:
> The following issues were reported on distros@ on Jan 15th and
> subsequently made public without a post here.  I'm referencing the
> public announcements I've found with hope that Petr et al can provide
> more specific information here.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2018-1000002?cpeVersion=2.2
> https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html

Announcement for Knot Resolver 1.5.2 is here:
https://lists.nic.cz/pipermail/knot-resolver-users/2018/000000.html

Nature of the issue is that original DNSSEC specification in dection 5.4
of [RFC4035] under-specifies the algorithm for checking nonexistence
proofs.

While implementing DNSSEC validation into Knot Resolver, we forgot to
implement additional conditions explained in RFC 6840, so our DNSSEC
validator could accept an NSEC or NSEC3 RR proofs from an ancestor zone
as proving the nonexistence of an RR in a child zone.


Please note that Knot Resolver versions older than latest 1.5.z are
obsolete and not maintained by CZ.NIC anymore so all users all advised
to upgrade immediatelly to to latests 1.5 or 2.0 branches.

Version 1.5.z is going to be end-of-life in approximatelly one month so
direct upgrade to version 2.0 or later is strongly recommended.

Petr Špaček  @  CZ.NIC


> The distros@ list has a policy that after the embargo lifts, the report
> is also made to oss-security to ensure there is a public record of what
> has been reported.
> 
> Regards,
> 
> Anthony Liguori

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.