FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
21a854cc-cac1-11ee-b7a7-353f1e043d9a	DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities Simon Kelley reports: If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled. Stichting NLnet Labs reports: The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. Discovery 2024-02-06 Entry 2024-02-13 Modified 2024-04-01 bind916 < 9.16.48 bind918 < 9.18.24 bind9-devel < 9.19.21 dnsmasq < 2.90 dnsmasq-devel < 2.90 powerdns-recursor < 5.0.2 unbound < 1.19.1 FreeBSD >= 14.0 lt 14.0_6 >= 13.2 lt 13.2_11 CVE-2023-50387 CVE-2023-50868 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ SA-24:03.unbound
c6861494-1ffb-11e7-934d-d05099c0ae8c	BIND -- multiple vulnerabilities ISC reports: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Discovery 2017-04-12 Entry 2017-04-13 Modified 2017-04-13 bind99 < 9.9.9P8 bind910 < 9.10.4P8 bind911 < 9.11.0P5 bind9-devel <= 9.12.0.a.2017.03.25 CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 https://kb.isc.org/article/AA-01465/0 https://kb.isc.org/article/AA-01466/0 https://kb.isc.org/article/AA-01471/0

VuXML ID

Description

21a854cc-cac1-11ee-b7a7-353f1e043d9a

DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

Discovery 2024-02-06
Entry 2024-02-13
Modified 2024-04-01
bind916

< 9.16.48

bind918

< 9.18.24

bind9-devel

< 9.19.21

dnsmasq

< 2.90

dnsmasq-devel

< 2.90

powerdns-recursor

< 5.0.2

unbound

< 1.19.1

FreeBSD

>= 14.0 lt 14.0_6

>= 13.2 lt 13.2_11

CVE-2023-50387
CVE-2023-50868
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
SA-24:03.unbound

c6861494-1ffb-11e7-934d-d05099c0ae8c

BIND -- multiple vulnerabilities

ISC reports:

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.

An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.

A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.

Discovery 2017-04-12
Entry 2017-04-13
Modified 2017-04-13
bind99

< 9.9.9P8

bind910

< 9.10.4P8

bind911

< 9.11.0P5

bind9-devel

<= 9.12.0.a.2017.03.25

CVE-2017-3136
CVE-2017-3137
CVE-2017-3138
https://kb.isc.org/article/AA-01465/0
https://kb.isc.org/article/AA-01466/0
https://kb.isc.org/article/AA-01471/0