CVE-2019-19331
https://notcve.org/view.php?id=CVE-2019-19331
knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB). knot-resolver versiones anteriores a 4.3.0, es vulnerable a una denegación de servicio por medio de una alta utilización de la CPU. Las respuestas de DNS con muchos registros de recursos podrían ser procesadas de manera muy ineficiente, en casos extremos, tomar incluso varios segundos de CPU para cada mensaje no almacenado en caché. Por ejemplo, algunos miles de registros A pueden ser agrupados en un mensaje DNS (el límite es 64kB). • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19331 https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html • CWE-404: Improper Resource Shutdown or Release CWE-407: Inefficient Algorithmic Complexity •
CVE-2013-5661
https://notcve.org/view.php?id=CVE-2013-5661
Cache Poisoning issue exists in DNS Response Rate Limiting. Existe Un problema de envenenamiento de caché en el DNS Response Rate Limiting. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5661 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5661 https://security-tracker.debian.org/tracker/CVE-2013-5661 • CWE-290: Authentication Bypass by Spoofing •
CVE-2019-16159
https://notcve.org/view.php?id=CVE-2019-16159
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes a four-byte overflow to occur while processing the message, where two of the overflow bytes are attacker-controlled and two are fixed. BIRD Internet Routing Daemon versiones 1.6.x hasta 1.6.7 y versiones 2.x hasta 2.0.5, presenta un desbordamiento de búfer en la región stack de la memoria. El soporte del demonio BGP para los mensajes de comunicación de apagado administrativo RFC 8203 incluía una expresión lógica incorrecta cuando se comprueba la validez de un mensaje de entrada. • http://bird.network.cz http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00063.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00065.html http://trubka.network.cz/pipermail/bird-users/2019-September/013718.html http://trubka.network.cz/pipermail/bird-users/2019-September/013720.html http://trubka.network.cz/pipermail/bird-users/2019-September/013722.html https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b https://gitlab.labs.nic.cz/l • CWE-787: Out-of-bounds Write •
CVE-2019-10191
https://notcve.org/view.php?id=CVE-2019-10191
A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol. Se detectó una vulnerabilidad en la resolución de DNS de knot resolver anteriores a la versión 4.1.0, que permite a los atacantes remotos degradar los dominios seguros de DNSSEC a un estado no seguro de DNSSEC, abriendo la posibilidad de un secuestro de dominio mediante el uso de ataques contra el protocolo DNS no seguro. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10191 https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMSSWBHINIX4WE6UDXWM66L7JYEK6XS6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZV5YZZ5766UIG2TFLFJL6EESQNAP5X5 https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html • CWE-20: Improper Input Validation •
CVE-2019-10190
https://notcve.org/view.php?id=CVE-2019-10190
A vulnerability was discovered in DNS resolver component of knot resolver through version 3.2.0 before 4.1.0 which allows remote attackers to bypass DNSSEC validation for non-existence answer. NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see CVE-2019-10191. Se detectó una vulnerabilidad en el componente de resolución de DNS de knot resolver hasta la versión 3.2.0 anterior a 4.1.0, que permite a los atacantes remotos omitir la comprobación DNSSEC para una respuesta de no existencia. La respuesta NXDOMAIN se pasaría hacia el cliente incluso si fallara la comprobación DNSSEC, en lugar de enviar un paquete SERVFAIL. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10190 https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMSSWBHINIX4WE6UDXWM66L7JYEK6XS6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZV5YZZ5766UIG2TFLFJL6EESQNAP5X5 https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html • CWE-20: Improper Input Validation •