From 58d60bd283c6401db8fcad94e3c45e2115a16553 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant
Date: Fri, 19 Jan 2018 17:15:41 +0000
Subject: dnsmasq: backport dnssec security fix for 17.01
CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out that NSEC records expanded from wildcards are allowed, so a domain can include an NSEC record for *.example.org and an actual query reply could expand that to anything in example.org and still have it signed by the signature for the wildcard. So, for example !.example.org NSEC zz.example.org is fine. The problem is that most implementers (your author included, but also the Google public DNS people, powerdns and Unbound) then took that record to prove the nothing exists between !.example.org and zz.example.org, whereas in fact it only provides that proof between *.example.org and zz.example.org. This gives an attacker a way to prove that anything between !.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant
---
 package/network/services/dnsmasq/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'package/network/services/dnsmasq/Makefile')
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 01c7191192..f09b3a2d97 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.78
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
-- cgit v1.2.3