openwrtv4/package/network/services
Kevin Darbyshire-Bryant a3198061f8 dnsmasq: backport dnssec security fix
CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove that nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exist, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-19 22:11:16 +01:00
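
The range check described in the commit message above, as an added Python illustration (not code from the commit or from dnsmasq). It assumes names are plain presentation-format strings without escapes, detects wildcard expansion from the RRSIG Labels field (RFC 4034/4035), and uses hypothetical function names and constructed query names.

```python
# Added illustration; all function names here are hypothetical.

def labels(name):
    """Lowercased labels as bytes, root-most first (RFC 4034 section 6.1 order)."""
    return [l.encode("ascii") for l in reversed(name.rstrip(".").lower().split("."))]

def covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and nxt in canonical order."""
    o, n, q = labels(owner), labels(nxt), labels(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps round to the apex

def signed_owner(owner, rrsig_labels):
    """Owner name the RRSIG was actually made for.

    If the RRSIG Labels field is smaller than the owner's label count (a
    leading "*" is not counted), the record was synthesised from a wildcard.
    """
    ls = labels(owner)
    counted = len(ls) - (1 if ls[-1] == b"*" else 0)
    if rrsig_labels >= counted:
        return owner
    closest = ".".join(l.decode() for l in reversed(ls[:rrsig_labels]))
    return "*." + closest

def denies_naive(owner, nxt, rrsig_labels, qname):
    # Flawed check from the commit message: trusts the expanded owner name.
    return covers(owner, nxt, qname)

def denies_strict(owner, nxt, rrsig_labels, qname):
    # The proven range starts at the wildcard the signature covers.
    return covers(signed_owner(owner, rrsig_labels), nxt, qname)

# Constructed sample: the NSEC from the commit message, signed as
# *.example.org (RRSIG Labels = 2), checked against constructed query names.
NSEC = ("!.example.org", "zz.example.org", 2)

if __name__ == "__main__":
    for q in ("$.example.org", "mail.example.org"):
        print(q, denies_naive(*NSEC, q), denies_strict(*NSEC, q))
```
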
..
dnsmasq dnsmasq: backport dnssec security fix 2018-01-19 22:11:16 +01:00
dropbear dropbear: disable MD5 HMAC and switch to sha1 fingerprints 2017-12-12 22:24:17 +01:00
ead network/services/ead: drop Build/Prepare rule in favor of default one 2016-10-15 11:36:52 +02:00
hostapd hostapd: bump PKG_RELEASE after 802.11w changes 2018-01-07 12:42:45 +01:00
igmpproxy igmpproxy: remove firewall rules when service is stopped 2017-11-14 22:01:44 +01:00
ipset-dns ipset-dns: bump to git HEAD 2017-10-08 20:51:03 +03:00
lldpd merge: packages: update branding in core packages 2017-12-08 19:41:18 +01:00
odhcpd treewide: replace LEDE_GIT with PROJECT_GIT 2018-01-10 21:27:32 +01:00
omcproxy omcproxy: silence fw3 warnings 2018-01-10 21:38:55 +01:00
openvpn add PKG_CPE_ID ids to package and tools 2017-11-17 02:24:35 +01:00
openvpn-easy-rsa openvpn-easy-rsa: update to 3.0.1 2017-05-31 00:28:26 +02:00
ppp add PKG_CPE_ID ids to package and tools 2017-11-17 02:24:35 +01:00
relayd treewide: replace LEDE_GIT with PROJECT_GIT 2018-01-10 21:27:32 +01:00
samba36 merge: packages: update branding in core packages 2017-12-08 19:41:18 +01:00
uhttpd treewide: replace LEDE_GIT with PROJECT_GIT 2018-01-10 21:27:32 +01:00
umdns treewide: replace LEDE_GIT with PROJECT_GIT 2018-01-10 21:27:32 +01:00
wireguard wireguard: bump to 20171221 2017-12-23 22:08:12 +01:00