From: Vladimír Čunát Date: Mon, 12 Feb 2024 10:23:42 +0000 (+0100) Subject: add NEWS for NSEC3 mitigations from the previous few commits X-Git-Tag: v5.7.1~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86dcfbaf7f5bd11d535fce2533063e28500486cc;p=thirdparty%2Fknot-resolver.git add NEWS for NSEC3 mitigations from the previous few commits --- diff --git a/NEWS b/NEWS index 57af638c4..6b02cdfbb 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,15 @@ -Knot Resolver 5.x.y (202y-mm-dd) +Knot Resolver 5.7.1 (2024-02-13) ================================ +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + Improvements ------------ - update addresses of B.root-servers.net (!1478)
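Review bot: in the new "Security" block, only two of the five bullets state their threshold (the iteration limit "150 -> 50" and "more than 8 NSEC3 records"); the salt-length bullet and the two "limit the amount of work on SHA1" bullets give no number, so an operator reading NEWS cannot tell which zones will now fail the closest encloser proof. Suggest quantifying them in the same "(old -> new)" style as the iteration bullet, and adding a sentence on what the resolver does with an answer that exceeds a limit (whether it is treated as bogus or as insecure), since that is the user-visible effect of the change. The Security bullets also carry no merge-request reference, unlike the "(!1478)" on the Improvements entry below; adding the MR numbers would make the CVE entry as traceable as the rest of the file.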