Back to bug 2070495
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2022-03-31 09:42:04 UTC | Pool ID | sst_cs_infra_services_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2022-03-31 09:47:53 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-117492 | |
| Jakub Jelen | 2022-03-31 09:56:28 UTC | CC | jjelen | |
| Petr Menšík | 2022-03-31 11:18:31 UTC | Priority | unspecified | high |
| | | Severity | unspecified | high |
| | | Keywords | Triaged | |
| Petr Menšík | 2022-03-31 12:31:44 UTC | Status | NEW | ASSIGNED |
| RHEL Program Management | 2022-03-31 12:31:52 UTC | Flags | needinfo?(pemensik) | |
| Ondrej Mejzlik | 2022-03-31 12:50:30 UTC | QA Contact | rhel-cs-infra-services-qe | psklenar |
| | | CC | omejzlik | |
| Petr Menšík | 2022-03-31 12:57:04 UTC | Flags | needinfo?(pemensik) | |
| Petr Menšík | 2022-03-31 13:10:37 UTC | Link ID | Gitlab redhat/centos-stream/rpms/unbound/-/merge_requests/12 | |
| Red Hat Bugzilla | 2022-03-31 22:36:44 UTC | CC | aegorenk | |
| Petr Menšík | 2022-04-01 10:10:45 UTC | Link ID | Github NLnetLabs/unbound/issues/656 | |
| Jakub Jelen | 2022-04-01 10:54:56 UTC | Depends On | 2070923 | |
| Prokop Vlasin | 2022-04-04 07:26:05 UTC | CC | pvlasin | |
| RHEL Program Management Team | 2022-04-04 07:26:46 UTC | Blocks | 2071543 | |
| AutoMiloš | 2022-04-04 12:31:42 UTC | Fixed In Version | unbound-1.13.1-13.el9_0 | |
| | | Keywords | AutoVerified | |
| Petr Menšík | 2022-04-04 13:05:18 UTC | Status | ASSIGNED | MODIFIED |
| Petr Sklenar | 2022-04-05 08:21:51 UTC | Flags | needinfo?(pemensik) | |
| Petr Menšík | 2022-04-05 09:21:29 UTC | Flags | needinfo?(pemensik) | |
| errata-xmlrpc | 2022-04-06 09:52:10 UTC | Status | MODIFIED | ON_QA |
| Petr Sklenar | 2022-04-06 11:59:53 UTC | Status | ON_QA | VERIFIED |
| Petr Menšík | 2022-04-07 15:32:11 UTC | Blocks | 2073066 | |
| Marcel Härri | 2022-04-08 11:40:26 UTC | CC | mharri | |
| Peter van Dijk (PowerDNS) | 2022-04-11 09:28:45 UTC | CC | peter.van.dijk | |
| Petr Menšík | 2022-04-27 10:36:08 UTC | Doc Type | If docs needed, set a value | Bug Fix |
| | | Doc Text | Cause: Openssl refuses to validate SHA-1 based RSA signature in the DEFAULT crypto policy. Consequence: When Unbound tries to validate such signature, the error from openssl causes resolution to fail. Fix: Unbound disables validation support of all RSASHA1 and NSEC3RSASHA1 signatures. Result: It makes the result insecure under all crypto-policies, but resolves the query successfully. | |
| errata-xmlrpc | 2022-05-17 01:17:25 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2022-05-17 13:59:08 UTC | Resolution | --- | ERRATA |
| | | Status | RELEASE_PENDING | CLOSED |
| | | Last Closed | 2022-05-17 13:59:08 UTC | |
| Petr Menšík | 2022-05-17 14:44:12 UTC | CC | sjanderk | |
| | | Flags | needinfo?(sjanderk) | |
| Jan Fiala | 2022-05-18 08:51:30 UTC | Docs Contact | jafiala | |
| | | CC | jafiala | |
| Šárka Jana | 2022-05-18 09:57:29 UTC | Flags | needinfo?(sjanderk) | |
| | | Doc Type | Bug Fix | Known Issue |
| Gabi Fialová | 2022-05-18 11:52:59 UTC | Flags | needinfo?(jafiala) | |
| | | CC | gfialova | |
| Šárka Jana | 2022-05-18 12:00:49 UTC | Flags | needinfo?(jafiala) | |
| | | Doc Text | Cause: Openssl refuses to validate SHA-1 based RSA signature in the DEFAULT crypto policy. Consequence: When Unbound tries to validate such signature, the error from openssl causes resolution to fail. Fix: Unbound disables validation support of all RSASHA1 and NSEC3RSASHA1 signatures. Result: It makes the result insecure under all crypto-policies, but resolves the query successfully. | .Both `bind` and `unbound` disable validation of SHA-1-based signatures The `bind` and `unbound` components disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy. As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become vulnerable. To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or elliptic curve keys. For more information and a list of top-level domains that are affected and vulnerable, see the link:https://access.redhat.com/solutions/6955455/[DNSSEC records signed with RSASHA1 fail to verify] solution. |
| Gabi Fialová | 2022-08-03 12:45:43 UTC | CC | gfialova | |
| | | Flags | needinfo?(jafiala) | |
| Jan Fiala | 2022-09-27 07:15:37 UTC | Flags | needinfo?(jafiala) | needinfo?(pemensik) |
| Petr Menšík | 2022-09-27 11:12:15 UTC | Flags | needinfo?(pemensik) | |
| Petr Menšík | 2022-10-18 20:52:48 UTC | Blocks | 2135933 | |