http://bugzilla.opensuse.org/show_bug.cgi?id=1090572

Bug ID: 1090572
Summary: VUL-0: CVE-2018-1110: CVE-2018-1110: Knot Resolver <= 2.2.0 Improper Input Validation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/204731/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: i@marguerite.su
Reporter: kbabioch@suse.com
QA Contact: security-team@suse.de
CC: detlef@die-mafia.de, mrueckert@suse.com, pascal.bleser@opensuse.org
Found By: Security Response Team
Blocker: ---

CVE-2018-1110

Hello,

Knot Resolver software version <= 2.2.0 suffers from Improper Input
Validation bugs which allow a remote attacker to crash the resolver by
sending specially crafted packets.

Fixes
=====
Knot Resolver 2.3.0 fixes all known security bugs and is available from
https://www.knot-resolver.cz/download/

Backports
=========
To fix the bugs we had to do major changes to some data structures so
backport is most likely not feasible. We are discontinuing support for
*all* versions older than 2.3.0 and discourage attempts to backport
fixes because these will most likely introduce additional bugs.

CVE request data
================
Fixed version: Knot Resolver 2.3.0
Vulnerability type: CWE-20: Improper Input Validation
Affected component: resolver
Impact of exploitation: Program crashes.
Description of vulnerability:
Improper input validation bugs in DNS resolver component of Knot
Resolver (up to and including version 2.2.0) allow a remote attacker
who can create malformed packets to cause denial of service.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): High

Technical Details:
CWE-20
CWE-476
CWE-626

Acknowledgment:
CZ.NIC would like to thank Toshifumi Sakaguchi and Vicky Shrestha for
their responsible reporting of security vulnerabilities.

--
Petr Špaček @ CZ.NIC

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1110
http://seclists.org/oss-sec/2018/q2/63