276 matches found
Linux Distros Unpatched Vulnerability : CVE-2018-5745
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - managed-keys is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC...
Hickory DNS failure to verify self-signed RRSIG for DNSKEYs
Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...
DEBIAN-CVE-2025-25188
Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validati...
GHSA-37WC-H8XC-5HC4 Hickory DNS's DNSSEC validation may accept broken authentication chains
Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...
CVE-2025-25188 DNSSEC validation may accept broken authentication chains
Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validati...
Hickory DNS 数据伪造问题漏洞
Hickory DNS is a Rust-based DNS client, server, and resolver from the Hickory DNS open source. A data forgery issue vulnerability exists in Hickory DNS version 0.8.0 and earlier, which stems from the DNSSEC validation mechanism incorrectly treating DNSKEY records across RRsets as trusted, and a...
RUSTSEC-2025-0006 Hickory DNS failure to verify self-signed RRSIG for DNSKEYs
Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...
Security update for dnsmasq
This update for dnsmasq fixes the following issues: Version update to 2.90: CVE-2023-50387: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses. bsc1219823 CVE-2023-50868: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses...
Important: bind
Issue Overview: Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname of any RTYPE can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versio...
SUSE CVE-2024-1975
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG0 signed requests. This issue affects BIND 9 versions 9.0.0 through...
RHEL 5 : bind97 (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - bind: An error in TSIG authentication can permit unauthorized dynamic updates CVE-2017-3143 - named in IS...
bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled...
bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host. This vulnerability applies only for systems where DNSSE...
[SECURITY] [DLA 3795-1] knot-resolver security update
Debian LTS Advisory DLA-3795-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany April 26, 2024 https://wiki.debian.org/LTS Package : knot-resolver Version : 3.2.1-3+deb10u2 CVE ID : CVE-2019-10190 CVE-2019-10191 CVE-2019-19331 CVE-2020-12667 Debian Bug : 932048...
USN-6657-2 dnsmasq vulnerabilities
USN-6657-1 fixed several vulnerabilities in Dnsmasq. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Dnsmasq icorrectly handled validating DNSSEC...
[SECURITY] Fedora 40 Update: unbound-1.19.3-1.fc40
Unbound is a validating, recursive, and caching DNSSEC resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modula...
bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host. This vulnerability applies only for systems where DNSSE...
USN-6665-1 unbound vulnerabilities
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Unbound incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Unbound to consume resources, leading to a denial of service. CVE-2023-50387 It was discovered that...
bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled...
bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host. This vulnerability applies only for systems where DNSSE...