From: Vladimír Čunát Date: Mon, 1 Jan 2024 15:25:05 +0000 (+0100) Subject: update NEWS with KeyTrap X-Git-Tag: v5.7.1~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b31e7e473746a455b714b34601c91101afe6a58;p=thirdparty%2Fknot-resolver.git update NEWS with KeyTrap in a separate commit, as it will tend to conflict if patching --- diff --git a/NEWS b/NEWS index 6b02cdfbb..dd8137abf 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,14 @@ Security * validator: limit the amount of work on SHA1 in NSEC3 proofs * validator: refuse to validate answers with more than 8 NSEC3 records +- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. + + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. + Improvements ------------ - update addresses of B.root-servers.net (!1478)
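Review bot: In the added CVE-2023-50387 entry, the line "Solution boils down mainly to limiting crypto-validations per packet." does not tell an operator what the limit is or what a resolver does once it is reached, unlike the neighbouring context line, which names its bound ("more than 8 NSEC3 records"). Consider stating the bound and the resulting behaviour in the same concrete style, and what "mainly" leaves out if other changes are part of the fix. Minor style point: the "We would like to thank ..." line is noticeably longer than the other added lines and could be wrapped to match them.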