Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities

[Solar Designer <solar () openwall com>]

It's not great that we're adding to a thread on Unbound, but since we
already started...

On Tue, Feb 13, 2024 at 10:52:09PM +0100, Solar Designer wrote:
> On Tue, Feb 13, 2024 at 12:06:42PM -0800, Alan Coopersmith wrote:
> > On 2/13/24 06:07, Yorgos Thessalonikefs wrote:
> > > DNSSEC protocol vulnerabilities have been discovered that render various
> > > DNSSEC validators victims of Denial Of Service while trying to validate
> > > specially crafted DNSSEC responses.
> > >
> > > There are two known vulnerabilities: CVE-2023-50387 (referred here as
> > > the KeyTrap vulnerability) and CVE-2023-50868 (referred here as the
> > > NSEC3 vulnerability).
> >
> > Similarly, dnsmasq 2.90 was published today to address these:
> > https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
>
> And fixes for these two CVEs were merged into PowerDNS today:
>
> https://github.com/PowerDNS/pdns/pull/13781

There are also three PRs (13782, 13783, 13784) with back-ports to other
supported branches.

> I hope PowerDNS will also be sending a proper advisory in here.

Turns out there is a PowerDNS advisory here:

https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released

but really it should be posted to oss-security as well.

Alexander