Bug#1077751: dnsjava: CVE-2023-50868
Salvatore Bonaccorso
carnil at debian.org
Thu Aug 1 13:37:56 BST 2024
Source: dnsjava
Version: 2.1.8-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for dnsjava.
CVE-2023-50868[0]:
| The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155
| when RFC 9276 guidance is skipped) allows remote attackers to cause
| a denial of service (CPU consumption for SHA-1 computations) via
| DNSSEC responses in a random subdomain attack, aka the "NSEC3"
| issue. The RFC 5155 specification implies that an algorithm must
| perform thousands of iterations of a hash function in certain
| situations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-50868
https://www.cve.org/CVERecord?id=CVE-2023-50868
[1] https://github.com/advisories/GHSA-mmwx-rj87-vfgr
[2] https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116 (v3.6.0)
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list