Source: dnsjava Version: 2.1.8-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for dnsjava. CVE-2023-50868[0]: | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 | when RFC 9276 guidance is skipped) allows remote attackers to cause | a denial of service (CPU consumption for SHA-1 computations) via | DNSSEC responses in a random subdomain attack, aka the "NSEC3" | issue. The RFC 5155 specification implies that an algorithm must | perform thousands of iterations of a hash function in certain | situations. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-50868 https://www.cve.org/CVERecord?id=CVE-2023-50868 [1] https://github.com/advisories/GHSA-mmwx-rj87-vfgr [2] https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116 (v3.6.0) Regards, Salvatore
