author    Vladimír Čunát <vladimir.cunat@nic.cz>  2024-01-01 16:25:05 +0100
committer Vladimír Čunát <vladimir.cunat@nic.cz>  2024-02-13 09:49:54 +0100
commit    7b31e7e473746a455b714b34601c91101afe6a58
tree      5a805e5c7af4fa361db69fa22e6aea9a54014928
parent    mitigate KeyTrap DoS = CVE-2023-50387
download  knot-resolver-7b31e7e473746a455b714b34601c91101afe6a58.tar.xz
          knot-resolver-7b31e7e473746a455b714b34601c91101afe6a58.zip
update NEWS with KeyTrap
in a separate commit, as it will tend to conflict if patching
-rw-r--r--  NEWS  8
1 file changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 6b02cdfb..dd8137ab 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,14 @@ Security
* validator: limit the amount of work on SHA1 in NSEC3 proofs
* validator: refuse to validate answers with more than 8 NSEC3 records
+- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
+ could be exploited to exhaust CPU resources and stall DNS resolvers.
+ Solution boils down mainly to limiting crypto-validations per packet.
+
+ We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner
+ from the German National Research Center for Applied Cybersecurity ATHENE
+ for bringing this vulnerability to our attention.
+
Improvements
------------
- update addresses of B.root-servers.net (!1478)
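Review bot: the new KeyTrap entry lacks the merge-request reference that the neighbouring entries carry (compare "- update addresses of B.root-servers.net (!1478)"), so a reader of NEWS cannot find the mitigation commits from this entry alone; consider appending the relevant MR number(s), and optionally naming the concrete limit behind "limiting crypto-validations per packet" so operators know which behaviour changed. Minor wording: "Solution boils down mainly to" reads better as "The fix mainly consists of".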