GnuTLS and adns security bugfixes
Date: 2019-03-07
Antoine Beaupré: CVE-2020-13777 GnuTLS audit: be scared
You are reading this correctly: supposedly encrypted TLS connections made with affected GnuTLS releases are vulnerable to passive cleartext recovery attack (and active for 1.3, but who uses that anyways). That is extremely bad. It's pretty close to just switching everyone to HTTP instead of HTTPS, more or less. I would have a lot more to say about the security of GnuTLS in particular -- and security in general -- but I am mostly concerned about patching holes in the roof right now, so this article is not about that.
adns 1.5.2, adns 1.6.0 - SECURITY FIXES
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It is with mixed feelings that I announce the release of adns 1.5.2 and adns 1.6.0.

adns is a DNS resolver library for C (and C++) programs, and a collection of useful DNS lookup utilities. The C library, and the command line utilities, provide a convenient interface. adns is capable of doing DNS lookups in an asynchronous, event-driven, fashion.

For more information about adns, please see one of:
  https://www.chiark.greenend.org.uk/~ian/adns/
  https://www.gnu.org/software/adns/

These are security bugfix releases. All users should upgrade ASAP.

1.5.2 has precisely the security fixes; it does not contain supporting tests or other noncritical bugfixes.

1.6.0 contains everything in 1.5.2 plus some additional build fixes, tests for the bugfixes, etc., and minor new features (forwards-compatible in API, ABI and CLI).

It will be evident from the CVEs (and the commit timestamps in the git repository) that this release has taken an entirely unreasonably long time to prepare. I can only apologise.

You can download adns as a tarball, or from the git repository which contains signed git tags.

d8dc389e19dcf4d091ea54d41e83745ade0f04ccabc3452ce4dbca4bf8aa2a7d  adns-1.5.2.tar.gz
2cfa0b229ad4b2792e7bf97f2bb924d97af38b8fbdcd854cb5e92863152f334a  adns-1.5.2.tar.gz.sig
fb427265a981e033d1548f2b117cc021073dc8be2eaf2c45fd64ab7b00ed20de  adns-1.6.0.tar.gz
50e33a021a786b6cba1d2aaf339482a5d52ccd1983f02adc9018b917f2e5cd54  adns-1.6.0.tar.gz.sig

adns (1.6.0)

  Bugfixes:
  * adnshost: Support --reverse in -f mode input stream
  * timeout robustness against clock skew: track query start time and duration. Clock instability may now only cause spurious timeouts rather than indefinite hangs or even assertion failures.

  New features:
  * adnshost: Offer ability to set adns checkc flags
  * adnslogres: Honour --checkc-freq (if it comes first)
  * adnsresfilter: Honour --checkc-freq and --checkc-entex
  * time handling: Support use of CLOCK_MONOTONIC via an init flag.
  * adns_str* etc.: Improve robustness; more allowable input values.

  Build system improvements:
  * clean targets: Delete $(TARGETS) too!
  * Remove all m4 output files from the distributed source tree.
  * Support DESTDIR=/some/absolute/path on `make install'.
  * Provide autogen.sh.
  * Rerun autoheader and autoconf (2.69).

  Internal changes:
  * adnshost: adh-opts.c: Whitespace adjustments to option table

  Tests:
  * New tests for fixes in 1.5.3.
  * Fixes to test harness to avoid false positives during fuzzing.
  * Other changes to support use with AFL.
  * Many supporting improvements and refactorings.
  * Fix skipped tests ($$ reference in Makefile)

adns (1.5.2)

  * Important security fixes:
    CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9109:
      Vulnerable applications: all adns callers.
      Exploitable by: the local recursive resolver.
      Likely worst case: Remote code execution.
    CVE-2017-9106:
      Vulnerable applications: those that make SOA queries.
      Exploitable by: upstream DNS data sources.
      Likely worst case: DoS (crash of the adns-using application)
    CVE-2017-9107:
      Vulnerable applications: those that use adns_qf_quoteok_query.
      Exploitable by: sources of query domain names.
      Likely worst case: DoS (crash of the adns-using application)
    CVE-2017-9108:
      Vulnerable applications: adnshost.
      Exploitable by: code responsible for framing the input.
      Likely worst case: DoS (adnshost crashes at EOF).
    All found by AFL 2.35b. Thanks to the University of Cambridge Department of Applied Mathematics for computing facilities.

  Bugfixes:
  * Do not include spurious external symbol `data' (fixes GCC10 build).
  * If server sends TC flag over TCP, bail rather than retrying.
  * Do not crash on certain strange resolv.conf contents.
  * Fix various crashes if a global system failure occurs, or adns_finish is called with outstanding queries.
  * Correct a parsing error message very slightly.
  * DNS packet parsing: Slight fix when packet is truncated.
  * Fix ABI compatibility in string conversion of certain RR types.
  * internal.h: Use `unsigned' for nextid; fixes theoretical C UB.

  Portability fix:
  * common.make.in: add -Wno-unused-value. Fixes build with GCC9.

  Internal changes:
  * Additional comments describing some internal code restrictions.
  * Robustness assert() against malfunctioning write() system call.
GNU's "adns" DNS Resolver Library Hit By An Array Of Security Issues
For those making use of GNU's "adns" asynchronous DNS client library, important security updates are out today.
This DNS resolver library is out with version adns 1.5.2, which ships these pressing security fixes, as well as adns 1.6.0, a new feature release that incorporates these important fixes along with new improvements that accumulated over the past three years.
There are four CVEs from 2017 for adns that pertain to remote code execution possibilities. Additionally, there are another three CVEs (also from 2017) relating to possible denial of service via potential crashes.
