--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-c894f896fd
2018-07-12 14:18:11.697524
--------------------------------------------------------------------------------
Name        : knot-resolver
Product     : Fedora 28
Version     : 2.4.0
Release     : 1.fc28
URL         : https://www.knot-resolver.cz/
Summary     : Caching full DNS Resolver
Description :
The Knot DNS Resolver is a caching full resolver implementation written in C
and LuaJIT, including both a resolver library and a daemon. Modular
architecture of the library keeps the core tiny and efficient, and provides
a state-machine like API for extensions.

The package is pre-configured as a local caching resolver.
To start using it, start a single kresd instance:
$ systemctl start kresd@1.service

--------------------------------------------------------------------------------
Update Information:

Knot Resolver 2.4.0 (2018-07-03)
================================

Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)

Security
--------
- fix a rare case of zones incorrectly downgraded to insecure status (!576)

New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
  (disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)

Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl. bug #375)

Improvements
------------
- systemd: multiple enabled kresd instances can now be started using kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul  3 2018 Tomas Krizek  - 2.4.0-1
Knot Resolver 2.4.0 (2018-07-03)
===============================
Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)

Security
--------
- fix a rare case of zones incorrectly downgraded to insecure status (!576)

New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
  (disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)

Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl. bug #375)

Improvements
------------
- systemd: multiple enabled kresd instances can now be started using kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)
* Mon Apr 23 2018 Tomas Krizek  - 2.3.0-1
Knot Resolver 2.3.0 (2018-04-23)
===============================
Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages
  (!550, !558, security!2, security!4)
- increase resilience against Slowloris attack (security!5)

Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unnecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)

Improvements
------------
- prefill: new module to periodically import root zone into cache
  (replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied file descriptor
- use CPPFLAGS build environment variable if set (!547)
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-c894f896fd' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Fedora 28: knot-resolver Security Update 2018-c894f896fd

July 12, 2018