Bug 1944328 (CVE-2018-1110)

Summary: CVE-2018-1110 knot-resolver: Denial of service triggered by malformed DNS messages
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: dns-sig, gehefes286, jakub.ruzicka, jv+fedora, nicki, pspacek, vladimir.cunat
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Knot Resolver 2.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in knot-resolver. Malformed DNS messages may cause denial of service. The highest threat from this vulnerability is to system availability.
Last Closed: 2023-11-21 05:12:27 UTC
Bug Blocks: 1944324

Description Pedro Sampaio 2021-03-29 18:30:37 UTC
A flaw was found in knot-resolver before version 2.3.0. Malformed DNS messages may cause denial of service.

References:

https://www.knot-resolver.cz/2018-04-23-knot-resolver-2.3.0.html

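The tracker says only that malformed DNS messages could crash knot-resolver before 2.3.0, not which malformation. As an added illustration (this is not knot-resolver's code and not a claim about what the actual bug was), the Python parser below shows the bounds and loop checks a resolver's wire-format parser needs so that a hostile message is rejected with an error instead of driving the process into an out-of-range read or an endless compression-pointer chase. The sample messages are constructed for the example, and the `MAX_POINTER_HOPS` cap is an assumed value rather than anything from RFC 1035.

```python
"""Defensive parser for the DNS wire format (RFC 1035 section 4).

Added example, not knot-resolver code and not a description of the actual
CVE-2018-1110 bug: it only shows the checks that turn "malformed message"
into a clean rejection rather than a crash.  Sample messages are constructed.
"""
import struct

HEADER_LEN = 12
MAX_LABEL = 63          # RFC 1035: a label length fits in 6 bits
MAX_NAME = 255          # RFC 1035: total encoded name length
MAX_POINTER_HOPS = 16   # assumed cap on compression-pointer chains (not from the RFC)


class MalformedMessage(ValueError):
    """Raised for any message that violates the wire format."""


def parse_name(msg: bytes, offset: int):
    """Return (dotted name, offset after the name) for the name starting at `offset`.

    Every read is bounds-checked, and a compression pointer must target an
    offset strictly below the segment that contains it, so a chain of pointers
    can only move backwards and therefore terminates.
    """
    labels, total, hops = [], 0, 0
    end = None      # offset just past the first pointer (or past the final 0 octet)
    start = offset  # any pointer seen must target an offset below this
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedMessage("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedMessage("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= start:
                raise MalformedMessage("compression pointer does not point backward")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedMessage("compression pointer chain too long")
            if end is None:
                end = pos + 2
            start = pos = target
            continue
        if length & 0xC0:                               # 0x40 / 0x80: reserved label types
            raise MalformedMessage("reserved label type")
        if length == 0:                                 # root label terminates the name
            return ".".join(labels) + ".", end if end is not None else pos + 1
        if length > MAX_LABEL:
            raise MalformedMessage("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME:
            raise MalformedMessage("name longer than 255 octets")
        if pos + 1 + length > len(msg):
            raise MalformedMessage("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def parse_message(msg: bytes) -> dict:
    """Parse header, question and resource-record sections with full bounds checks."""
    if len(msg) < HEADER_LEN:
        raise MalformedMessage("header shorter than 12 octets")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:HEADER_LEN])
    pos = HEADER_LEN
    questions = []
    for _ in range(qdcount):
        name, pos = parse_name(msg, pos)
        if pos + 4 > len(msg):
            raise MalformedMessage("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        questions.append((name, qtype, qclass))
        pos += 4
    records = []
    for _ in range(ancount + nscount + arcount):
        name, pos = parse_name(msg, pos)
        if pos + 10 > len(msg):
            raise MalformedMessage("truncated resource record")
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):                   # RDLENGTH must fit in the message
            raise MalformedMessage("rdlength exceeds message")
        records.append((name, rtype, rclass, ttl, msg[pos:pos + rdlength]))
        pos += rdlength
    return {"id": msg_id, "flags": flags, "questions": questions, "records": records}


def check(msg: bytes) -> str:
    """'ok' for a well-formed message, otherwise the reason it was rejected."""
    try:
        parse_message(msg)
        return "ok"
    except MalformedMessage as exc:
        return str(exc)


# Constructed sample messages: header (ID, flags, QD, AN, NS, AR) followed by sections.
HDR = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
GOOD_QUERY = HDR + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
GOOD_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                 + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SELF_LOOP = HDR + b"\xc0\x0c" + struct.pack("!HH", 1, 1)          # pointer to itself
BACK_LOOP = HDR + b"\x03abc\xc0\x0c" + struct.pack("!HH", 1, 1)   # "abc" then pointer back to "abc"
TRUNCATED = HDR + b"\x14abc"                                       # label claims 20 octets, 3 present
OVERSIZED_RDATA = GOOD_RESPONSE[:-6] + struct.pack("!H", 4000) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    for label, sample in [("good query", GOOD_QUERY), ("good response", GOOD_RESPONSE),
                          ("self loop", SELF_LOOP), ("back loop", BACK_LOOP),
                          ("truncated", TRUNCATED), ("oversized rdata", OVERSIZED_RDATA)]:
        print(f"{label:16s} {check(sample)}")
```

The backward-pointer rule is stricter than "pointer must be inside the message", which on its own still allows two pointers to chase each other forever; requiring each target to be below the start of the current segment makes the chain strictly decreasing, and the hop cap is only a second line of defence.
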
Comment 1 Pedro Sampaio 2021-03-29 18:31:29 UTC
External References:

https://www.knot-resolver.cz/2018-04-23-knot-resolver-2.3.0.html

Comment 2 Petr Špaček 2021-03-30 06:06:21 UTC
For my education, what is this? This bug was fixed three years ago - why do we need an open Bugzilla for it now?

Thank you for the information.

Comment 3 Pedro Sampaio 2021-03-30 13:36:39 UTC
In reply to comment #2:
> For my education, what is this? This bug was fixed three years ago - why do
> we need an open Bugzilla for it now?
> 
> Thank you for the information.

The CVE was assigned by Red Hat, so we must have a bug to reference in the publication to MITRE's site.

Comment 6 Jakub Ruzicka 2023-11-09 17:57:12 UTC
Why am I needinfo here? Why is anyone needinfo here, actually?

Why is noone assigned to this?

Why is this not closed?

CHAOS REIGNS

This bug has been fixed a long time ago, as Petr noted. It was reported against 2.3.0, but all active Fedora/EPEL releases are at 5.7.0 - it's been 3 major releases since this bug.

I'd close this but I can't ಠ_ಠ