From 86dcfbaf7f5bd11d535fce2533063e28500486cc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 12 Feb 2024 11:23:42 +0100 Subject: [PATCH] add NEWS for NSEC3 mitigations from the previous few commits --- NEWS | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 57af638c4..6b02cdfbb 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,15 @@ -Knot Resolver 5.x.y (202y-mm-dd) +Knot Resolver 5.7.1 (2024-02-13) ================================ +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + Improvements ------------ - update addresses of B.root-servers.net (!1478) -- 2.47.2
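Review bot: the new Security entries in the NEWS hunk carry no merge-request or commit references, while the neighbouring Improvements entry does ("update addresses of B.root-servers.net (!1478)"); since the subject says these mitigations come from "the previous few commits", each bullet should cite the commit or !MR it summarises so a reader of the changelog can find the actual change. Also, only the first bullet states its threshold ("lower the NSEC3 iteration limit (150 -> 50)"); the salt-length limit and the two "limit the amount of work on SHA1" bullets give no number, so an operator cannot tell from the NEWS what a non-validating zone would look like. Suggest stating the concrete limits in the same "(old -> new)" form as the iteration bullet, and, if the behaviour for answers exceeding a limit is to treat them as bogus or insecure, saying so in the entry rather than leaving it implied by "refuse to validate".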