[Bug 273172] category/port: ldns used in this project is vulnerable

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 273172] ldns is vulnerable"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 17 Aug 2023 06:07:57 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273172

            Bug ID: 273172
           Summary: category/port: ldns used in this project is vulnerable
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: thresh416@outlook.com

Branch
stable/13, releng/13.0, releng/13.1, releng/13.2

What is the security issue or vulnerability?
As CVE-2020-19860 described, when ldns version 1.7.1 verifies a zone file, the
ldns_rr_new_frm_str_internal function has a heap out of bounds read
vulnerability. An attacker can leak information on the heap by constructing a
zone file payload. This vulnerability still exists in this project.
This can be easily fixed by apply the patch of this CVE ( CVE-2020-19860 ) , as
listed in the next section.

Security issue or vulnerability information
CVE-2020-19860's description:https://nvd.nist.gov/vuln/detail/CVE-2020-19860
CVE-2020-19860's patch commit:NLnetLabs/ldns@15d9620

-- 
You are receiving this mail because:
You are the assignee for the bug.