[Pkg-dns-devel] Bug#865678: knot: Improper TSIG validity period check can allow TSIG forgery

Yves-Alexis Perez corsac at debian.org
Fri Jul 14 20:09:28 UTC 2017


On Fri, 2017-06-23 at 19:01 +0200, Salvatore Bonaccorso wrote:
> Source: knot
> Version: 2.4.3-1
> Severity: grave
> Tags: security upstream patch
> Control: found -1 2.5.1-1
> 
> Hi
> 
> See
> https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
> and
> http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
> and filing a bug in BTS to have a reference, afaik there is no CVE
> yet assigned.
> 
> [16:19] < KGB-1> Yves-Alexis Perez 52846  /data/CVE/list add temporary entry
> for knot
> [16:21] < Corsac> ondrej: I guess you know about it?

I went ahead and uploaded fixes to jessie and stretch. I've also pushed my
branches to https://anonscm.debian.org/cgit/users/corsac/security/knot.git/ in
case you want to reimport them.

Regards,
-- 
Yves-Alexis