FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
21a854cc-cac1-11ee-b7a7-353f1e043d9aDNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.


Discovery 2024-02-06
Entry 2024-02-13
Modified 2024-04-01
bind916
< 9.16.48

bind918
< 9.18.24

bind9-devel
< 9.19.21

dnsmasq
< 2.90

dnsmasq-devel
< 2.90

powerdns-recursor
< 5.0.2

unbound
< 1.19.1

FreeBSD
ge 14.0 lt 14.0_6

ge 13.2 lt 13.2_11

CVE-2023-50387
CVE-2023-50868
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
SA-24:03.unbound
e15ba624-cca8-11ee-84ca-b42e991fc52epowerdns-recursor -- Multiple Vulnerabilities

cve@mitre.org reports:

CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.


Discovery 2024-02-14
Entry 2024-02-16
powerdns-recursor
< 5.0.2

CVE-2023-50868
https://nvd.nist.gov/vuln/detail/CVE-2023-50868
CVE-2023-50387
https://nvd.nist.gov/vuln/detail/CVE-2023-50387
dc33795f-ced7-11ed-b1fe-6805ca2fa271powerdns-recursor -- denial of service

PowerDNS Team reports:

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable


Discovery 2023-03-29
Entry 2023-03-30
powerdns-recursor
< 4.8.4

CVE-2023-26437
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html