
Fedora 28: 2018-b7d774a7c1 Critical: Knot Resolver Input Validation Issue

Fedora, August 14, 2018
Knot Resolver update for Fedora 28 that fixes an input validation bug in the DNS resolver component (CVE-2018-10920), together with cache TTL, TLS and HTTP module fixes.

Summary

The Knot DNS Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. The modular architecture of the library keeps the core tiny and efficient, and provides a state-machine-like API for extensions.

The package is pre-configured as a local caching resolver.

To start using it, start a single kresd instance:

$ systemctl start kresd@1.service

Knot Resolver 2.4.1 (2018-08-02)
================================

Security
--------
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component (security!7, security!9)

Bugfixes
--------
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
- TLS session resumption: avoid bad scheduling of rotation (#385)
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
- cache: NSEC3 negative cache even without NS record (#384)
  This fixes lower hit rate in NSEC3 zones (since 2.4.0).
- minor TCP and TLS fixes (!623, !624, !626)

* Thu Aug 2 2018 Tomas Krizek - 2.4.1-1

Knot Resolver 2.4.1 (2018-08-02)
================================

Security
--------
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component (security!7, security!9)

Bugfixes
--------
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
- TLS session resumption: avoid bad scheduling of rotation (#385)
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
- cache: NSEC3 negative cache even without NS record (#384)
  This fixes lower hit rate in NSEC3 zones (since 2.4.0).
- minor TCP and TLS fixes (!623, !624, !626)

* Fri Jul 13 2018 Fedora Release Engineering - 2.4.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jul 3 2018 Tomas Krizek - 2.4.0-1

Knot Resolver 2.4.0 (2018-07-03)
================================

Incompatible changes
--------------------
- minimal libknot version is now 2.6.7 to pull in latest fixes (#366)

Security
--------
- fix a rare case of zones incorrectly downgraded to insecure status (!576)

New features
------------
- TLS session resumption (RFC 5077), both server and client (!585, #105)
  (disabled when compiling with gnutls < 3.5)
- TLS_FORWARD policy uses system CA certificate store by default (!568)
- aggressive caching for NSEC3 zones (!600)
- optional protection from DNS Rebinding attack (module rebinding, !608)
- module bogus_log to log DNSSEC bogus queries without verbose logging (!613)

Bugfixes
--------
- prefill: fix ability to read certificate bundle (!578)
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
- dns64 module: more properties from the RFC implemented (incl. bug #375)

Improvements
------------
- systemd: multiple enabled kresd instances can now be started using kresd.target
- ta_sentinel: switch to version 14 of the RFC draft (!596)
- support for glibc systems with a non-Linux kernel (!588)
- support per-request variables for Lua modules (!533)
- support custom HTTP endpoints for Lua modules (!527)

* Mon Apr 23 2018 Tomas Krizek - 2.3.0-1

Knot Resolver 2.3.0 (2018-04-23)
================================

Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages (!550, !558, security!2, security!4)
- increase resilience against Slowloris attack (security!5)

Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unnecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)

Improvements
------------
- prefill: new module to periodically import root zone into cache (replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied file descriptor
- use CPPFLAGS build environment variable if set (!547)

[ 1 ] Bug #1610951 - CVE-2018-10920 knot-resolver: Improper input validation bug in DNS resolver component
      https://bugzilla.redhat.com/show_bug.cgi?id=1610951

su -c 'dnf upgrade --advisory FEDORA-2018-b7d774a7c1' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org


List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOPIIVIQ2ZF3XIZINHYJNSZJBLLAIJ23/

Severity: Critical

Product: Fedora 28
Version: 2.4.1
Release: 1.fc28
Summary: Caching full DNS Resolver
