--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-31519ecf40
2017-11-16 19:47:47.826524
--------------------------------------------------------------------------------
Name        : knot
Product     : Fedora 26
Version     : 2.6.1
Release     : 1.fc26
URL         : https://www.knot-dns.cz/
Summary     : High-performance authoritative DNS server
Description :
Knot DNS is a high-performance authoritative DNS server implementation.

--------------------------------------------------------------------------------
Update Information:

Major updates for Knot DNS and Knot Resolver:

Knot Resolver 1.5.0 (2017-11-02)
================================
Bugfixes
--------
- fix loading modules on Darwin

Improvements
------------
- new module ta_signal_query supporting Signaling Trust Anchor Knowledge
  using Keytag Query (RFC 8145 section 5); it is enabled by default
- attempt validation for more records but require it for fewer of them
  (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)

Knot Resolver 1.4.0 (2017-09-22)
================================
Incompatible changes
--------------------
- lua: query flag-sets are no longer represented as plain integers.
  kres.query.* no longer works, and kr_query_t lost trivial methods
  'hasflag' and 'resolved'. You can instead write code like
  qry.flags.NO_0X20 = true.

Bugfixes
--------
- fix exiting one of multiple forks (#150)
- cache: change the way of using LMDB transactions. That in particular
  fixes some cases of using too much space with multiple kresd forks (#240).

Improvements
------------
- policy.suffix: update the aho-corasick code (#200)
- root hints are now loaded from a zonefile; exposed as hints.root_file().
  You can override the path by defining ROOTHINTS during compilation.
- policy.FORWARD: work around resolvers adding unsigned NS records (#248)
- reduce unneeded records previously put into authority in wildcarded answers

Knot Resolver 1.3.3 (2017-08-09)
================================
Security
--------
- Fix a critical DNSSEC flaw. Signatures might be accepted as valid even if
  the signed data was not in bailiwick of the DNSKEY used to sign it,
  assuming the trust chain to that DNSKEY was valid.

Bugfixes
--------
- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
- utils: fix possible incorrect seeding of the random generator
- modules/http: fix compatibility with the Prometheus text format

Improvements
------------
- policy: implement remaining special-use domain names from RFC6761 (#205),
  and make these rules apply only if no other non-chain rule applies

Knot DNS 2.6.1 (2017-11-02)
===========================
Features:
---------
- NSEC3 Opt-Out support in the DNSSEC signing
- New CDS/CDNSKEY publish configuration option

Improvements:
-------------
- Simplified DNSSEC log message with DNSKEY details
- +tls-hostname in kdig implies +tls-ca if neither +tls-ca nor +tls-pin is given
- New documentation sections for DNSSEC key rollovers and shared keys
- Keymgr no longer prints useless algorithm number for generated key
- Kdig prints unknown RCODE in a numeric format
- Better support for LLVM libFuzzer

Bugfixes:
---------
- Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
- Immediate zone flush not scheduled during the zone load event
- Server crashes upon dynamic zone addition if a query module is loaded
- Kdig fails to connect over TLS because SNI is set to the server IP address
- Possible out-of-bounds memory access at the end of the input
- TCP Fast Open enabled by default in kdig breaks TLS connection

Knot DNS 2.6.0 (2017-09-29)
===========================
Features:
---------
- On-slave (inline) signing support
- Automatic DNSSEC key algorithm rollover
- Ed25519 algorithm support in DNSSEC (requires GnuTLS 3.6.0)
- New 'journal-content' and 'zonefile-load' configuration options
- keymgr tries to run as user/group set in the configuration
- Public-only DNSSEC key import into KASP DB via keymgr
- NSEC3 resalt and parent DS query events are persistent in timer DB
- New processing state for a response suppression within a query module
- Enabled server side TCP Fast Open if supported
- TCP Fast Open support in kdig

Improvements:
-------------
- Better record owner compression if related to the previous rdata dname
- NSEC(3) chain is no longer recomputed whole on every update
- Remove inconsistent and unnecessary quoting in log files
- Avoid overlapping key rollovers at the same time
- More DNSSEC-related semantic checks
- Extended timestamp format in keymgr

Bugfixes:
---------
- Incorrect journal free space computation causing inefficient space handling
- Interface-automatic broken on Linux in the presence of asymmetric routing

Knot DNS 2.5.6 (2017-11-02)
===========================
Improvements:
-------------
- Keymgr no longer prints useless algorithm number for generated key

Bugfixes:
---------
- Faulty DNAME semantic check if present in the zone apex and NSEC3 is used
- Immediate zone flush not scheduled during the zone load event
- Server crashes upon dynamic zone addition if a query module is loaded
- Kdig fails to connect over TLS because SNI is set to the server IP address

Knot DNS 2.5.5 (2017-09-29)
===========================
Improvements:
-------------
- Constant time memory comparison in the TSIG processing
- Proper use of the ctype functions
- Generated RRSIG records have inception time 90 minutes in the past

Bugfixes:
---------
- Incorrect online signature for NSEC in the case of a CNAME record
- Incorrect timestamps in dnstap records
- EDNS Client Subnet validation rejects valid payloads
- Module configuration semantic checks are not executed
- Kzonecheck segfaults with unusual inputs

Knot DNS 2.5.4 (2017-08-31)
===========================
Improvements:
-------------
- New minimum and maximum refresh interval config options
  (Thanks to Manabu Sonoda)
- New warning when unforced flush with disabled zone file synchronization
- New 'dnskey' keymgr command
- Linking with libatomic on architectures that require it
  (Thanks to Pierre-Olivier Mercier)
- Removed 'OK' from listing keymgr command outputs
- Extended journal and keymgr documentation and logging

Bugfixes:
---------
- Incorrect handling of specific corner-cases with zone-in-journal
- The 'share' keymgr command doesn't work
- Server crashes if configured with query-size and reply-size statistics options
- Malformed big integer configuration values on some 32-bit platforms
- Keymgr uses local time when parsing date inputs
- Memory leak in kdig upon IXFR query
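The Knot Resolver 1.3.3 entries above describe two validator-side checks on RRSIG names: the signed data must be in the bailiwick of the signing DNSKEY, and an RRSIG with a bad label count should be skipped rather than fail the whole answer. The following is an added illustration of those checks (RFC 4035 section 5.3.1), not code from Knot; the `RRSig` class, the function names and the sample names are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


def name_labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, dropping the root label.
    DNS names compare label by label and case-insensitively, so a plain
    string-suffix test would wrongly treat 'ample.com.' as a parent of
    'example.com.'."""
    name = name.rstrip(".")
    return [label.lower() for label in name.split(".")] if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies below it (label-wise)."""
    o, z = name_labels(owner), name_labels(zone)
    return len(z) <= len(o) and o[len(o) - len(z):] == z


@dataclass
class RRSig:
    # The RFC 4034 section 3.1 fields the name checks need; the
    # cryptographic fields (algorithm, key tag, signature) are omitted.
    signer: str   # zone whose DNSKEY produced the signature
    labels: int   # Labels field: label count of the signed owner name


def rrsig_names_ok(rrset_owner: str, sig: RRSig, dnskey_owner: str) -> bool:
    """Name-level checks that must pass before the signature bytes are
    verified against a DNSKEY:
      1. the RRSIG signer must equal the owner of the DNSKEY being used;
      2. the RRset owner must be in the signer's bailiwick, the check whose
         absence let a foreign zone's key vouch for another zone's data;
      3. the owner's label count (root and a leading '*' not counted) must
         be >= the Labels field; a larger value marks a malformed RRSIG that
         is skipped so other valid RRSIGs can still be tried.
    A full validator additionally confirms through the trust chain that the
    signer is the zone actually containing the RRset (the nearest zone cut),
    which an ancestor-or-self test alone does not establish."""
    if name_labels(sig.signer) != name_labels(dnskey_owner):
        return False
    if not in_bailiwick(rrset_owner, sig.signer):
        return False
    owner_labels = name_labels(rrset_owner)
    if owner_labels and owner_labels[0] == "*":
        owner_labels = owner_labels[1:]
    return sig.labels <= len(owner_labels)


if __name__ == "__main__":
    # Constructed sample: a signature from a zone that is not an ancestor of
    # the RRset owner is rejected even though its own DNSKEY would chain.
    bad = RRSig(signer="attacker.example.", labels=3)
    print(rrsig_names_ok("www.victim.example.", bad, "attacker.example."))  # prints False
```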
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade knot' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
