Date: Fri, 16 Feb 2024 09:00:47 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 639716da9350 - main - security/vuxml: document dns/powerdns-recursor vulnerabilities Message-ID: <202402160900.41G90lXV027909@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=639716da935095cebdf580408cfcde4f7e853ae0 commit 639716da935095cebdf580408cfcde4f7e853ae0 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2024-02-16 08:58:21 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2024-02-16 08:58:21 +0000 security/vuxml: document dns/powerdns-recursor vulnerabilities * CVE-2023-50387 * CVE-2023-50868 PR: 277048 Reported by: Ralf van der Enden <tremere@cainites.net> --- security/vuxml/vuln/2024.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index f0f597bbd7e4..2f68b7ce75db 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,44 @@ + <vuln vid="e15ba624-cca8-11ee-84ca-b42e991fc52e"> + <topic>powerdns-recursor -- Multiple Vulnerabilities</topic> + <affects> + <package> + <name>powerdns-recursor</name> + <range><lt>5.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>cve@mitre.org reports:</p> + <blockquote cite="https://access.redhat.com/security/cve/CVE-2023-50868">; + <p>CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 + when RFC 9276 guidance is skipped) allows remote attackers to cause + a denial of service (CPU consumption for SHA-1 computations) via + DNSSEC responses in a random subdomain attack, aka the "NSEC3" + issue. The RFC 5155 specification implies that an algorithm must + perform thousands of iterations of a hash function in certain + situations.</p> + <p>CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, + 6840, and related RFCs) allow remote attackers to cause a denial + of service (CPU consumption) via one or more DNSSEC responses, aka + the "KeyTrap" issue. One of the concerns is that, when + there is a zone with many DNSKEY and RRSIG records, the protocol + specification implies that an algorithm must evaluate all combinations + of DNSKEY and RRSIG records.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-50868</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2023-50868</url>; + <cvename>CVE-2023-50387</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2023-50387</url>; + </references> + <dates> + <discovery>2024-02-14</discovery> + <entry>2024-02-16</entry> + </dates> + </vuln> + <vuln vid="c97a4ecf-cc25-11ee-b0ee-0050569f0b83"> <topic>nginx-devel -- Multiple Vulnerabilities in HTTP/3</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202402160900.41G90lXV027909>