Bug 230182 - [MAINTAINER] dns/nsd upgrade to version 4.1.23
Summary: [MAINTAINER] dns/nsd upgrade to version 4.1.23
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Steve Wills
Depends on:
Reported: 2018-07-30 08:50 UTC by Jaap Akkerhuis
Modified: 2018-07-30 14:00 UTC (History)
0 users

See Also:

patch to upgrade (809 bytes, patch)
2018-07-30 08:50 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jaap Akkerhuis 2018-07-30 08:50:37 UTC
Created attachment 195626 [details]
patch to upgrade

NSD versions 4.1.22 and before are vulnerable in comparing TSIG
information and this can be used to discover a TSIG secret.

NSD uses TSIG to protect zone transfers.  The TSIG code uses a secret
key to protect the data.  The secret key is shared with both sides of
the zone transfer connection.  The comparison code in NSD was not time
insensitive, causing the potential for an attacker to use timing
information to discover data about the key contents.

NSD versions from 2.2.0 to 4.1.22 are vulnerable.  Upgrade to 4.1.23 or
newer to get the fix.

There is no known exploit.

It was reported by Ondrej Sury (ISC).
Comment 1 commit-hook freebsd_committer 2018-07-30 13:59:59 UTC
A commit references this bug:

Author: swills
Date: Mon Jul 30 13:59:50 UTC 2018
New revision: 475892
URL: https://svnweb.freebsd.org/changeset/ports/475892

  dns/nsd upgrade to version 4.1.23

  PR:		230182
  Submitted by:	jaap@NLnetLabs.nl (maintainer)

Comment 2 Steve Wills freebsd_committer 2018-07-30 14:00:55 UTC
Committed, thanks!