
2962 matches found

Positive Technologies
added 2019/07/10 12:0 a.m. · 3 views

PT-2019-11613 · Cz.Nic +2 · Knot Resolver +2

Name of the Vulnerable Software and Affected Versions: Knot Resolver versions prior to 4.1.0. Description: A vulnerability was discovered in the DNS resolver component that allows remote attackers to bypass DNSSEC validation for non-existence answers. Specifically, NXDOMAIN answers would get passe...

CVSS 7.5 · AI score 7 · EPSS 0.02619
Exploits 1 · References 27
OSV
added 2019/07/05 9:6 p.m. · 11 views

GHSA-H92M-42H4-82F6 postfix-mta-sts-resolver Algorithm Downgrade vulnerability

Incorrect query parsing. Impact: All users of versions prior to 0.5.1 can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy. Patches: Problem has been patched in version 0.5.1. Workarounds: Users may remediate this vulnerability without upgrading...

CVSS 8.7 · AI score 6 · EPSS 0.00671
Exploits 0 · References 5
Github Security Blog
added 2019/07/05 9:6 p.m. · 27 views

postfix-mta-sts-resolver Algorithm Downgrade vulnerability

Incorrect query parsing. Impact: All users of versions prior to 0.5.1 can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy. Patches: Problem has been patched in version 0.5.1. Workarounds: Users may remediate this vulnerability without upgrading...

CVSS 6.9 · AI score 5.7 · EPSS 0.00671
Exploits 0 · References 5 · Affected Software 1
exploitpack
added 2019/06/17 12:0 a.m. · 62 views

Spring Security OAuth - Open Redirector

Spring Security OAuth - Open Redirector
Exploit Title: Open Redirector in spring-security-oauth2
Date: 17 June 2019
Exploit Author: Riemann
Vendor Homepage: https://spring.io/projects/spring-security-oauth
Software Link: https://spring.io
Version: Spring Security OAuth versions 2.3 prior to 2.3.6...

CVSS 6.4 · EPSS 0.15621
Exploits 4
Fedora
added 2019/06/05 2:1 a.m. · 39 views

[SECURITY] Fedora 29 Update: bind-9.11.6-2.P1.fc29

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server ...

CVSS 7.5 · AI score 1.4 · EPSS 0.11561
Exploits 0
Fedora
added 2019/05/06 12:46 a.m. · 26 views

[SECURITY] Fedora 30 Update: bind-9.11.6-3.P1.fc30

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server ...

CVSS 7.5 · AI score 1.4 · EPSS 0.11561
Exploits 0
Gentoo Linux
added 2019/04/02 12:0 a.m. · 89 views

Unbound: Multiple vulnerabilities

Background: Unbound is a validating, recursive, and caching DNS resolver. Description: Multiple vulnerabilities have been discovered in Unbound. Please review the referenced bugs for details. Impact: Please review the referenced bugs for details. Workaround: There is no known workaround at this time...

AI score 2.3
Exploits 0
Fedora
added 2019/02/26 3:8 a.m. · 34 views

[SECURITY] Fedora 29 Update: bind-9.11.5-4.P4.fc29

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server ...

CVSS 7.5 · AI score 1.4 · EPSS 0.09086
Exploits 0
UbuntuCve
added 2019/02/21 12:0 a.m. · 35 views

CVE-2018-5745

"managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertio...

CVSS 4.9 · AI score 6.6 · EPSS 0.02571
Exploits 0 · References 4
Tenable Nessus
added 2019/02/15 12:0 a.m. · 29 views

Debian DLA-1676-1 : unbound security update

Ralph Dolmans and Karst Koymans found a flaw in the way unbound, a validating, recursive, caching DNS resolver, validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or tri...

CVSS 5.3 · AI score 6.1 · EPSS 0.02681
Exploits 0 · References 4
OpenVAS
added 2019/02/14 12:0 a.m. · 23 views

Debian: Security Advisory (DLA-1676-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 5.3 · AI score 5.8 · EPSS 0.02681
Exploits 0 · References 3
Akamai Blog
added 2019/01/30 7:0 p.m. · 70 views

DNS Flag Day & Akamai

Written by Jon Reed & Barry Greene. DNS Flag Day is an industry event that promotes the adoption of the most up-to-date DNS features and ensures that non-standards-compliant servers don't negatively impact the global performance of the Internet. The 2019 DNS Flag Day will remove a number of...

AI score 0.4
Exploits 0
Cvelist
added 2019/01/16 8:0 p.m. · 21 views

CVE-2017-3145 Improper fetch cleanup sequencing in the resolver can cause named to crash

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1...

CVSS 7.5 · AI score 7.7 · EPSS 0.42457
Exploits 0 · References 11
Talos Blog
added 2019/01/16 7:55 a.m. · 289 views

Dynamic Data Resolver (DDR) - IDA Plugin

This blog post was authored by Holger Unterbrink. Executive Summary: Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. But, if you try to perform dynamic analysis by...

AI score 7
Exploits 0
Veracode
added 2019/01/15 8:57 a.m. · 25 views

Denial Of Service

BIND is susceptible to denial of service. The vulnerability is possible because it does not properly handle resource records with a large RDATA value, allowing the attacker to create malicious DNS resource records causing recursive resolver or secondary server to exit unexpectedly with an asserti...

CVSS 7.8 · AI score 8.2 · EPSS 0.36798
Exploits 0 · References 29 · Affected Software 2
Tenable Nessus
added 2019/01/03 12:0 a.m. · 19 views

Fedora 28 : knot-resolver (2018-c894f896fd)

Knot Resolver 2.4.0 2018-07-03
Incompatible changes:
- minimal libknot version is now 2.6.7 to pull in latest fixes 366
Security:
- fix a rare case of zones incorrectly downgraded to insecure status !576
New features:
- TLS...

AI score 5.5
Exploits 0 · References 1
Tenable Nessus
added 2019/01/03 12:0 a.m. · 19 views

Fedora 28 : knot-resolver (2018-b7d774a7c1)

Knot Resolver 2.4.1 2018-08-02
Security:
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component security!7, security!9
Bugfixes:
- cache: fix TTL overflow in packet due to minttl 388, security!8
- TLS session resumption: avoi...

CVSS 7.5 · AI score 6.8 · EPSS 0.03239
Exploits 0 · References 2
Tenable Nessus
added 2019/01/03 12:0 a.m. · 18 views

Fedora 28 : knot-resolver (2018-389bc4e911)

Knot Resolver 2.3.0 2018-04-23
Security:
- fix CVE-2018-1110: denial of service triggered by malformed DNS messages !550, !558, security!2, security!4
- increase resilience against Slowloris attack security!5
Bugfixes:
- validation: fix SERVFAIL ...

CVSS 7.5 · AI score 7.2 · EPSS 0.0111
Exploits 0 · References 2
BDU FSTEC
added 2018/12/10 12:0 a.m. · 5 views

The vulnerability of the BIND DNS server lies in the improper release of resources during the processing of recursive requests to the DNS server. This allows a hacker to cause a service failure.

The vulnerability of the BIND DNS server is related to the improper release of resources during the processing of recursive requests to the DNS server when BIND operates as a DNSSEC-compliant resolver. Exploiting this vulnerability can allow a malicious actor to cause service failures...

CVSS 7.8 · AI score 6.9 · EPSS 0.42457
Exploits 0 · References 3 · Affected Software 1
Amazon
added 2018/12/06 12:0 a.m. · 112 views

Medium: zsh

Issue Overview: A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the...

CVSS 9.8 · AI score 8.2 · EPSS 0.03162
Exploits 0