Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2.6.5-3", "binary_name": "knot" }, { "binary_version": "2.6.5-3", "binary_name": "knot-dbgsym" }, { "binary_version": "2.6.5-3", "binary_name": "knot-dnsutils" }, { "binary_version": "2.6.5-3", "binary_name": "knot-dnsutils-dbgsym" }, { "binary_version": "2.6.5-3", "binary_name": "knot-doc" }, { "binary_version": "2.6.5-3", "binary_name": "knot-host" }, { "binary_version": "2.6.5-3", "binary_name": "knot-host-dbgsym" }, { "binary_version": "2.6.5-3", "binary_name": "libdnssec5" }, { "binary_version": "2.6.5-3", "binary_name": "libdnssec5-dbgsym" }, { "binary_version": "2.6.5-3", "binary_name": "libknot-dev" }, { "binary_version": "2.6.5-3", "binary_name": "libknot7" }, { "binary_version": "2.6.5-3", "binary_name": "libknot7-dbgsym" }, { "binary_version": "2.6.5-3", "binary_name": "libzscanner1" }, { "binary_version": "2.6.5-3", "binary_name": "libzscanner1-dbgsym" } ] }