Fedora 28: 2018-389bc4e911 Moderate: Knot Resolver Denial Of Service

May 9, 2018
The latest Knot Resolver update, 2.3.0, addresses a key denial-of-service flaw caused by improperly formatted DNS messages, along with major improvements.

Summary

The Knot DNS Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions.

The package is pre-configured as a local caching resolver.

To start using it, start a single kresd instance:

$ systemctl start kresd@1.service

* Mon Apr 23 2018 Tomas Krizek - 2.3.0-1

Knot Resolver 2.3.0 (2018-04-23)
================================

Security
--------
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages (!550, !558, security!2, security!4)
- increase resilience against Slowloris attack (security!5)

Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
- validation: fix SERVFAIL for DS . query (!544)
- lib/resolve: don't send unnecessary queries to parent zone (!513)
- iterate: fix validation for zones where parent and child share NS (!543)
- TLS: improve error handling and documentation (!536, !555, !559)

Improvements
------------
- prefill: new module to periodically import root zone into cache (replacement for RFC 7706, !511)
- network_listen_fd: always create end point for supervisor supplied file descriptor
- use CPPFLAGS build environment variable if set (!547)

To install this update, run su -c 'dnf upgrade --advisory FEDORA-2018-389bc4e911' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at


Product: Fedora 28
Version: 2.3.0
Release: 1.fc28
Summary: Caching full DNS Resolver
