DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.

It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence
in a domain which includes a wildcard for NSEC.
Simon Kelley
2018-01-19 12:26:08 +00:00
parent 3bd4c47f31
commit 4fe6744a22
2 changed files with 114 additions and 15 deletions
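The validation rule stated in the commit message, as an added example that is not dnsmasq's own code: a small Python model of NSEC range checking in which the name an NSEC proves from is derived from the RRSIG Labels field (RFC 4035 section 5.3.4), so that an NSEC expanded from a wildcard only proves non-existence starting at `*.<domain>`, not at the expanded owner name. The zone, names and function names below are constructed for illustration; the unchecked variant is included only to show what the check closes.

```python
# Added example (not dnsmasq's code): checking an NSEC non-existence proof
# when the NSEC owner name may have been synthesized from a wildcard.
# RFC 4035 section 5.3.4: if the RRSIG Labels field is smaller than the
# number of labels in the owner name, the RRset was wildcard-expanded.
# All names below are constructed sample data.

def labels(name):
    """Split a dotted name into lowercase labels, leftmost first; root is []."""
    name = name.rstrip('.').lower()
    return name.split('.') if name else []


def canonical_key(name):
    """Sort key giving RFC 4034 section 6.1 canonical order: labels are
    compared from the root downward, each as an octet string, and a name
    sorts before any name it is a proper ancestor of."""
    return tuple(label.encode() for label in reversed(labels(name)))


def in_nsec_range(owner, next_name, qname):
    """True if qname lies strictly between owner and next in canonical order.
    The last NSEC in a zone points back to the apex, so owner >= next means
    the covered range wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def nsec_owner_for_proof(nsec_owner, rrsig_labels):
    """Name an NSEC actually proves non-existence from.

    If the RRSIG Labels field is smaller than the owner's label count, the
    NSEC was expanded from a wildcard and the proof starts at *.<domain>,
    where <domain> is the rightmost rrsig_labels labels of the owner name,
    not at the expanded name the packet carries."""
    owner_labels = labels(nsec_owner)
    if rrsig_labels > len(owner_labels):
        raise ValueError("RRSIG Labels field exceeds owner label count")
    if rrsig_labels == len(owner_labels):
        return '.'.join(owner_labels) + '.'
    suffix = owner_labels[len(owner_labels) - rrsig_labels:]
    return '*.' + '.'.join(suffix) + '.'


def naive_proves_nonexistence(nsec_owner, nsec_next, qname):
    """The unchecked version: trusts the owner name as it appears."""
    return in_nsec_range(nsec_owner, nsec_next, qname)


def proves_nonexistence(nsec_owner, nsec_next, rrsig_labels, qname):
    """The checked version: a wildcard-derived NSEC proves from *.<domain>."""
    return in_nsec_range(nsec_owner_for_proof(nsec_owner, rrsig_labels),
                         nsec_next, qname)


if __name__ == '__main__':
    # Constructed zone: example.com holds *.example.com, m.example.com and
    # z.example.com, so the genuine NSEC at the wildcard is
    #   *.example.com.  NSEC  m.example.com.   (RRSIG Labels = 2)
    # The same record re-labelled as n.example.com. still verifies against
    # that RRSIG, but its range becomes (n, m), which wraps around the zone
    # and would "cover" the existing name z.example.com.
    owner, nsec_next, rrsig_labels = 'n.example.com.', 'm.example.com.', 2
    print(naive_proves_nonexistence(owner, nsec_next, 'z.example.com.'))               # True
    print(proves_nonexistence(owner, nsec_next, rrsig_labels, 'z.example.com.'))       # False
    # The genuine record still proves that b.example.com has no exact match.
    print(proves_nonexistence('*.example.com.', nsec_next, rrsig_labels, 'b.example.com.'))  # True
```

The only information needed to apply the rule is already in the validated response: the RRSIG Labels field tells the validator how many labels of the owner name were actually signed, and everything to the left of those labels is replaced by `*` before the range comparison.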


@@ -30,7 +30,17 @@ version 2.79
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.
Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.
version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
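Review bot: the changelog entry added under `version 2.79` (from `Fix for DNSSEC with wildcard-derived NSEC records.` through `CVE-2017-15107 applies.`) states the rule but not where it is enforced; the page reports 2 changed files while this hunk shows only the changelog, so naming the validation function or source file in the entry would let a changelog reader find the actual check. Also, the commit message qualifies the impact as applying "in a domain which includes a wildcard for NSEC", whereas the entry ends at `wrongly proves non-existence.`; keeping the two consistent avoids overstating the scope.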