openwrtv4/package
Kevin Darbyshire-Bryant a3198061f8 dnsmasq: backport dnssec security fix
CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove that nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exist, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-19 22:11:16 +01:00
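The two readings of that NSEC record, as an added example that is not dnsmasq code: a validator that takes the NSEC owner name at face value accepts a denial for any name between !.example.org and *.example.org, while one that recomputes the wildcard name from the RRSIG Labels field only accepts denials between *.example.org and zz.example.org. The function names, domain names and the Labels value of 2 are constructed for the example.

```python
# Added example, not dnsmasq code: checks a DNSSEC NSEC non-existence proof
# with and without accounting for wildcard expansion (CVE-2017-15107).
# All function names, domain names and record values below are constructed.

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: labels are
    compared right to left, case-insensitively, as byte strings, and a name
    that is a proper suffix of another sorts first."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".")]
    return tuple(reversed(labels))

def wildcard_owner(owner, rrsig_labels):
    """Return the owner name the RRSIG actually vouches for.

    If the RRSIG Labels field is smaller than the number of labels in the
    NSEC owner name, the record was synthesized from a wildcard (RFC 4035
    section 5.3.4), and the proven interval starts at '*.<zone part>', not at
    the owner name the responder chose to put in the reply."""
    labels = owner.rstrip(".").split(".")
    if rrsig_labels < len(labels):
        return "*." + ".".join(labels[-rrsig_labels:]) + "."
    return owner

def proves_nonexistence(qname, nsec_owner, nsec_next, rrsig_labels, fixed=True):
    """True if the NSEC record proves that qname does not exist.

    fixed=False reproduces the pre-fix reasoning: trust the owner name as the
    start of the interval even when it was expanded from a wildcard."""
    start = wildcard_owner(nsec_owner, rrsig_labels) if fixed else nsec_owner
    return canonical_key(start) < canonical_key(qname) < canonical_key(nsec_next)

# Constructed reply: the NSEC from the commit message, '!.example.org NSEC
# zz.example.org', whose RRSIG has Labels=2, i.e. it was signed as the
# wildcard '*.example.org' and expanded by the responder.
NSEC_OWNER, NSEC_NEXT, RRSIG_LABELS = "!.example.org.", "zz.example.org.", 2

def demo():
    # '#' (0x23) sorts between '!' (0x21) and '*' (0x2a), so the unfixed
    # validator accepts a bogus denial for a name the wildcard never covered.
    victim = "#.example.org."
    bogus = proves_nonexistence(victim, NSEC_OWNER, NSEC_NEXT, RRSIG_LABELS, fixed=False)
    correct = proves_nonexistence(victim, NSEC_OWNER, NSEC_NEXT, RRSIG_LABELS)
    # 'm.example.org' lies between '*' and 'zz', so that proof is still good.
    still_proven = proves_nonexistence("m.example.org.", NSEC_OWNER, NSEC_NEXT, RRSIG_LABELS)
    return bogus, correct, still_proven

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```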
base-files base-files: gpio switch: check if direction can be set 2018-01-18 07:22:37 +01:00
boot uboot-envtools: add support for GL.iNet GL-AR750 2018-01-15 00:12:13 +01:00
devel strace: Update to 4.20 2017-12-07 11:46:37 +08:00
firmware ipq-wifi: align AVM FRITZ!Box 4040's board-2.bin package 2018-01-18 21:21:11 +01:00
kernel ath9k: discard undersized packets 2018-01-17 12:32:48 +01:00
libs treewide: replace LEDE_GIT with PROJECT_GIT 2018-01-10 21:27:32 +01:00
network dnsmasq: backport dnssec security fix 2018-01-19 22:11:16 +01:00
system ubox: update to latest git HEAD 2018-01-17 22:00:43 +01:00
utils util-linux: add fstrim support 2018-01-18 08:04:18 +01:00
Makefile build: remove package preconfig feature 2018-01-13 19:54:44 +01:00