From: Vladimír Čunát Date: Tue, 13 Feb 2024 12:32:32 +0000 (+0100) Subject: NEWS for 6.0.6 X-Git-Tag: v6.0.6^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d24ba0be96e2f20bde9c9f06083614ad71c0966c;p=thirdparty%2Fknot-resolver.git NEWS for 6.0.6 --- diff --git a/NEWS b/NEWS index 341792fec..6c5be8af3 100644 --- a/NEWS +++ b/NEWS @@ -1,10 +1,32 @@ -Knot Resolver 6.0.6 (2024-0m-dd) +Knot Resolver 6.0.6 (2024-02-13) ================================ +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + +- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. + + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. + Improvements ------------ +- update addresses of B.root-servers.net (!1478) - tweak the default run_dir on non-Linux (!1481) +Bugfixes +-------- +- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) + Knot Resolver 6.0.5 (2024-01-09) ================================
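Review bot: The two Security entries in this hunk cite no merge request or issue, while the Improvements and Bugfixes entries right below them do ("(!1478)", "(!1481)", "(#880)"); please add the MR references for the NSEC3 and KeyTrap fixes so operators can trace the changes. Also, only the iteration-limit line states its new value ("150 -> 50"); "limit excessive NSEC3 salt length", "limit the amount of work on SHA1" and "limiting crypto-validations per packet" give no numbers, so consider stating the actual limits (or naming the options that control them) so administrators can judge the impact on zones that use large NSEC3 parameters. Minor: the NSEC3 item is a bare CVE identifier followed by a description, whereas the KeyTrap item quotes a name and reads as a sentence; aligning the two to one format would make the section easier to scan.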