UbuntuUpdates.org

Package "knot-resolver"

Name: knot-resolver

Description:

caching, DNSSEC-validating DNS resolver

Latest version: 3.2.1-3ubuntu2.2
Release: focal (20.04)
Level: security
Repository: universe
Homepage: https://www.knot-resolver.cz/

Other versions of "knot-resolver" in Focal

Repository Area Version
base universe 3.2.1-3ubuntu2
updates universe 3.2.1-3ubuntu2.2


Changelog

Version: 3.2.1-3ubuntu2.2 2024-10-02 01:07:24 UTC

  knot-resolver (3.2.1-3ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: improper input validation when handling DNSSEC validation
    - debian/patches/CVE-2019-10190.patch: send EDNS with SERVFAILs when
      handling DNSSEC validation failures in lib/layer/iterate.c,
      lib/resolve.*, modules/cookies/cookiemonster.c, modules/hints/hints.c.
    - CVE-2019-10190
  * SECURITY UPDATE: poison cache via unsigned negative answer
    - debian/patches/CVE-2019-10191.patch: Don't stash a packet with a
      mismatching QNAME+QTYPE in daemon/lua/kres-gen.lua, daemon/worker.c,
      lib/cache/api.c, lib/cache/impl.h, lib/layer.h, lib/layer/iterate.c,
      lib/resolve.c, lib/rplan.h.
    - CVE-2019-10191
  * SECURITY UPDATE: denial of service via high CPU utilisation when
    processing some DNS packets
    - debian/patches/CVE-2019-19331_1_of_3.patch: improve performance when
      handling large RRsets in daemon/lua/kres-gen.*, lib/cache/api.c,
      lib/dnssec.c, lib/layer/iterate.c, lib/resolve.c, lib/utils.*.
    - debian/patches/CVE-2019-19331_2_of_3.patch: reduce CNAME chain length
      limit in daemon/lua/kres-gen.lua, lib/layer/iterate.c, lib/rplan.h.
    - debian/patches/CVE-2019-19331_3_of_3.patch: ENOMEM -> abort() in
      lib/utils.c.
    - CVE-2019-19331
  * SECURITY UPDATE: traffic amplification via a crafted DNS answer from an
    attacker-controlled server
    - debian/patches/CVE-2020-12667_1_of_2.patch: limit number of failed NS
      name resolution attempts for each request in daemon/lua/kres-gen.lua,
      lib/defines.h, lib/resolve.*.
    - debian/patches/CVE-2020-12667_2_of_2.patch: limit number of consecutive
      failures and kill whole request if limit is exceeded in
      daemon/lua/kres-gen.lua, lib/defines.h, lib/layer/iterate.c,
      lib/resolve.*.
    - CVE-2020-12667

 -- Evan Caville <email address hidden> Wed, 25 Sep 2024 11:03:16 +1000

CVE-2019-10190 A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass
CVE-2019-10191 A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains
CVE-2019-19331 knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might
CVE-2020-12667 Knot Resolver before 5.1.1 allows traffic amplification via a crafted DNS answer from an attacker-controlled server, aka an "NXNSAttack" issue. This

Version: 3.2.1-3ubuntu2.1 2023-07-13 05:07:12 UTC

  knot-resolver (3.2.1-3ubuntu2.1) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service issue when server returns large ns or
    address sets
    - debian/patches/CVE-2022-40188.patch: address throttling introduced for
      large responses.
    - CVE-2022-40188

 -- Evan Caville <email address hidden> Mon, 26 Jun 2023 11:44:34 +1000

CVE-2022-40188 Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack