Date: Mon, 23 Apr 2018 14:30:02 +0200 From: Petr Špaček <petr.spacek@....cz> To: oss-security@...ts.openwall.com Subject: CVE-2018-1110: Knot Resolver <= 2.2.0 Improper Input Validation Hello, Knot Resolver software version <= 2.2.0 suffers from Improper Input Validation bugs which allow remote attacker to crash the resolver by sending specially crafted packets. Fixes ===== Knot Resolver 2.3.0 fixes all known security bugs and is available from https://www.knot-resolver.cz/download/ Backports ========= To fix the bugs we had to do major changes to some data structures so backport it most likely not feasible. We are discontinuing support for *all* versions older than 2.3.0 and discourage attempts to backport fixes because these will most likely introduce additional bugs. CVE request data ================ Fixed version: Knot Resolver 2.3.0 Vulnerability type: CWE-20: Improper Input Validation Affected component: resolver Impact of exploitation: Program crashes. Description of vulnerability: Improper input validation bugs in DNS resolver component of Knot Resolver (up to and including version 2.2.0) allow remote attacker who can create malformed packets to cause denial of service. Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None Scope (S): Unchanged Confidentiality (C): None Integrity (I): Low Availability (A): High Technical Details: CWE-20 CWE-476 CWE-626 Acknowledgment: CZ.NIC would like to thank Toshifumi Sakaguchi and Vicky Shrestha for their responsible reporting of security vulnerabilities. -- Petr Špaček @ CZ.NIC
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ