[nsd-users] NSD 4.1.23 released

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Jul 30 07:40:32 UTC 2018


NSD 4.1.23 is available:
sha256 f60ed8bd676b94a1c83c4335e8a51d61baa1a952660ecf21673a1414244b85fd
pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.23.tar.gz.asc

NSD versions 4.1.22 and before are vulnerable in comparing TSIG
information and this can be used to discover a TSIG secret.

NSD uses TSIG to protect zone transfers.  The TSIG code uses a secret
key to protect the data.  The secret key is shared with both sides of
the zone transfer connection.  The comparison code in NSD was not time
insensitive, causing the potential for an attacker to use timing
information to discover data about the key contents.

NSD versions from 2.2.0 to 4.1.22 are vulnerable.  Upgrade to 4.1.23 or
newer to get the fix.

It was reported by Ondrej Sury (ISC).

        - Fix NSD time sensitive TSIG compare vulnerability.

Best regards, Wouter
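
The comparison weakness described in this announcement, as an added example that is not NSD's code and not part of the original message: an early-exit byte compare beside a constant-time one, with a step counter standing in for elapsed time. The 32-byte MAC length, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 32 /* assumed digest size; sample data below is constructed */

/* Early-exit compare: work done depends on the first mismatching byte. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (*steps = 0; *steps < n; ) {
        size_t i = (*steps)++;      /* one more byte examined */
        if (a[i] != b[i])
            return 0;               /* returns sooner the earlier the mismatch */
    }
    return 1;
}

/* Constant-time compare: always reads all n bytes, no data-dependent branch.
 * Production code should use a vetted primitive (e.g. OpenSSL CRYPTO_memcmp). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (*steps = 0; *steps < n; (*steps)++)
        diff |= (uint8_t)(a[*steps] ^ b[*steps]);
    return diff == 0;
}

/* Bytes examined when the candidate first differs at byte `pos`
 * (pos >= MAC_LEN means the candidate is identical to the expected MAC). */
static size_t steps_for_mismatch_at(int constant_time, size_t pos, int *equal)
{
    uint8_t expected[MAC_LEN], candidate[MAC_LEN];
    size_t steps, i;
    for (i = 0; i < MAC_LEN; i++)
        expected[i] = (uint8_t)(0xA0 + i);   /* constructed sample MAC */
    memcpy(candidate, expected, MAC_LEN);
    if (pos < MAC_LEN)
        candidate[pos] ^= 0xFF;
    *equal = constant_time ? ct_equal(expected, candidate, MAC_LEN, &steps)
                           : leaky_equal(expected, candidate, MAC_LEN, &steps);
    return steps;
}

int main(void)
{
    size_t pos[] = { 0, 15, 31, MAC_LEN };
    int eq;
    for (size_t k = 0; k < 4; k++)
        printf("mismatch at %2zu: early-exit %2zu steps, constant-time %2zu steps\n",
               pos[k], steps_for_mismatch_at(0, pos[k], &eq),
               steps_for_mismatch_at(1, pos[k], &eq));
    return 0;
}
```

The early-exit column varies with the mismatch position while the constant-time column stays at 32, which is the property the fixed comparison needs.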
