Bug 1779566 (CVE-2019-19331)
| Field | Value |
|---|---|
| Summary | CVE-2019-19331 knot-resolver: DNS packets taking few seconds to process with full CPU utilization leads to DoS |
| Product | [Other] Security Response |
| Reporter | msiddiqu |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED UPSTREAM |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | jv+fedora, pspacek, security-response-team, tkrizek |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | knot-resolver 4.3.0 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-12-06 13:04:53 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1780511, 1780513 |
| Bug Blocks | |
| Attachments | |

Description
msiddiqu
2019-12-04 09:36:34 UTC
From upstream:

Most of the issue can be mitigated by updating libknot dependency to >= 2.9.1. Otherwise a complete fix will be released in Knot Resolver 4.3.0, which also does not require libknot update.

The attached patches are applicable to recent releases (when doc diff is stripped).

Created attachment 1641993: big-rrset.patch

Created attachment 1641994: cname-limit.patch

Public via:
https://www.openwall.com/lists/oss-security/2019/12/04/4
https://seclists.org/oss-sec/2019/q4/119

Lifting embargo.

Created knot-resolver tracking bugs for this issue:
Affects: fedora-all [bug 1780511]

Created knot-resolver tracking bugs for this issue:
Affects: epel-7 [bug 1780513]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.