git.ipfire.org Git - thirdparty/knot-resolver.git/commitdiff
add NEWS for NSEC3 mitigations from the previous few commits
author Vladimír Čunát <vladimir.cunat@nic.cz>
Mon, 12 Feb 2024 10:23:42 +0000 (11:23 +0100)
committer Vladimír Čunát <vladimir.cunat@nic.cz>
Mon, 12 Feb 2024 10:23:42 +0000 (11:23 +0100)
NEWS

diff --git a/NEWS b/NEWS
index 57af638c433ba5de3659f56d511b76ab72ecaf40..6b02cdfbb44e2c69044253d4b416f095148b0257 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,15 @@
-Knot Resolver 5.x.y (202y-mm-dd)
+Knot Resolver 5.7.1 (2024-02-13)
 ================================
 
+Security
+--------
+- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
+  * validator: lower the NSEC3 iteration limit (150 -> 50)
+  * validator: similarly also limit excessive NSEC3 salt length
+  * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
+  * validator: limit the amount of work on SHA1 in NSEC3 proofs
+  * validator: refuse to validate answers with more than 8 NSEC3 records
+
 Improvements
 ------------
 - update addresses of B.root-servers.net (!1478)
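Review bot: the new Security entry for CVE-2023-50868 does not carry the merge-request reference that the other NEWS items use (compare "(!1478)" on the B.root-servers.net line), so a reader cannot get from the changelog to the actual mitigation commits; consider appending the MR number to the CVE line. The sub-items also describe new hard limits (iteration limit 150 -> 50, salt length, more than 8 NSEC3 records) without stating what the resolver now does with a response that exceeds them, which is the one thing an operator reading NEWS before upgrading needs in order to anticipate validation changes for affected zones; one clause per limit, or a single sentence after the list, would cover it.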