CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

References

Affected packages

Git

github.com/isc-projects/bind9

Affected ranges

Type: GIT
Repo: https://github.com/isc-projects/bind9
Events: Introduced

d281b39456519db31c6213d010d30d99df8cf852

Fixed

0dab57e15f7d02d8b0c9bff513fe1c735f499322

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50868.json"

github.com/powerdns/pdns

Affected ranges

Type: GIT
Repo: https://github.com/powerdns/pdns
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a06ef30be67538e93f8cc08ccac78eaefbbfd4cc

Affected versions

auth-3.*

auth-3.1-rc1

auth-3.1-rc2

auth-3.1-rc3

auth-3.2-rc1

auth-3.2-rc2

auth-3.2-rc3

auth-3.2-rc4

auth-3.3

auth-3.3-rc1

auth-3.3-rc2

auth-3.4.0

auth-3.4.0-rc1

auth-3.4.0-rc2

auth-4.*

auth-4.0.0

auth-4.0.0-alpha1

auth-4.0.0-alpha2

auth-4.0.0-alpha3

auth-4.0.0-beta1

auth-4.0.0-rc1

auth-4.0.0-rc2

auth-4.0.1

auth-4.1.0

auth-4.1.0-rc1

auth-4.1.0-rc2

auth-4.1.0-rc3

auth-4.2.0-alpha1

auth-4.2.0-beta1

auth-4.2.0-rc1

auth-4.2.0-rc2

auth-4.3.0-alpha1

auth-4.3.0-beta1

auth-4.3.0-beta2

auth-4.3.0-rc1

auth-4.4.0-alpha0

auth-4.4.0-alpha1

auth-4.4.0-alpha2

auth-4.4.0-alpha3

auth-4.4.0-beta1

auth-4.5.0-alpha0

auth-4.5.0-alpha1

auth-4.5.0-beta1

auth-4.6.0-alpha0

auth-4.6.0-alpha1

auth-4.6.0-beta1

auth-4.7.0-alpha0

auth-4.7.0-alpha1

auth-4.8.0-alpha0

dnsdist-1.*

dnsdist-1.0.0

dnsdist-1.0.0-alpha1

dnsdist-1.0.0-alpha2

dnsdist-1.0.0-beta1

dnsdist-1.1.0

dnsdist-1.1.0-beta1

dnsdist-1.1.0-beta2

dnsdist-1.2.0

dnsdist-1.3.0

dnsdist-1.3.1

dnsdist-1.3.2

dnsdist-1.3.3

dnsdist-1.4.0

dnsdist-1.4.0-alpha1

dnsdist-1.4.0-alpha2

dnsdist-1.4.0-beta1

dnsdist-1.4.0-rc1

dnsdist-1.4.0-rc2

dnsdist-1.4.0-rc3

dnsdist-1.4.0-rc4

dnsdist-1.4.0-rc5

dnsdist-1.5.0

dnsdist-1.5.0-alpha1

dnsdist-1.5.0-rc1

dnsdist-1.5.0-rc2

dnsdist-1.5.0-rc3

dnsdist-1.5.0-rc4

dnsdist-1.6.0

dnsdist-1.6.0-alpha0

dnsdist-1.6.0-alpha1

dnsdist-1.6.0-alpha2

dnsdist-1.6.0-alpha3

dnsdist-1.6.0-rc1

dnsdist-1.6.0-rc2

dnsdist-1.7.0-alpha0

dnsdist-1.7.0-alpha1

dnsdist-1.7.0-alpha2

dnsdist-1.7.0-beta1

dnsdist-1.7.0-beta2

dnsdist-1.8.0-alpha0

Other

rec-3-0

rec-3-0-1

rec-3.*

rec-3.0

rec-3.0.1

rec-3.1.4

rec-3.3.1

rec-3.5

rec-3.5-rc1

rec-3.5-rc3

rec-3.5-rc4

rec-3.5-rc5

rec-3.6.0

rec-3.6.0-rc1

rec-3.7.0

rec-3.7.0-rc1

rec-3.7.0-rc2

rec-4.*

rec-4.0.0

rec-4.0.0-alpha1

rec-4.0.0-alpha2

rec-4.0.0-alpha3

rec-4.0.0-beta1

rec-4.0.0-rc1

rec-4.0.1

rec-4.0.2

rec-4.1.0

rec-4.1.0-alpha1

rec-4.1.0-rc1

rec-4.1.0-rc2

rec-4.1.0-rc3

rec-4.2.0-alpha1

rec-4.2.0-beta1

rec-4.2.0-rc1

rec-4.3.0-alpha1

rec-4.3.0-alpha2

rec-4.3.0-alpha3

rec-4.3.0-beta1

rec-4.4.0-alpha0

rec-4.4.0-alpha1

rec-4.4.0-alpha2

rec-4.4.0-beta1

rec-4.5.0-alpha0

rec-4.5.0-alpha1

rec-4.5.0-alpha2

rec-4.5.0-alpha3

rec-4.5.0-beta1

rec-4.6.0-alpha0

rec-4.6.0-alpha1

rec-4.6.0-alpha2

rec-4.6.0-beta1

rec-4.6.0-beta2

rec-4.7.0-alpha0

rec-4.7.0-alpha1

rec-4.7.0-beta1

rec-4.8.0

rec-4.8.0-alpha0

rec-4.8.0-alpha1

rec-4.8.0-beta1

rec-4.8.0-beta2

rec-4.8.0-rc1

rec-4.8.1

rec-4.8.2

rec-4.8.3

rec-4.8.4

rec-4.9.0-alpha0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50868.json"

gitlab.isc.org/isc-projects/bind9

Affected ranges

Type: GIT
Repo: https://gitlab.isc.org/isc-projects/bind9
Events: Introduced

19d6c56085e97cf4ac559cdc27edd624127bcb32

Fixed

0dab57e15f7d02d8b0c9bff513fe1c735f499322

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50868.json"