CVE-2023-50387
HIGH7.5EPSS 43.7%pdns-recursor - security update
Published: 2/14/2024Modified: 4/28/2026
Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Affected packages (15)
- Alpine/bindfrom 0, < 9.16.48-r0
- Alpine/dnsmasqfrom 0, < 2.90-r0
- Alpine/unboundfrom 0, < 1.19.1-r0
- Debian/bind9from 0, < 1:9.16.48-1
- Debian/bind9from 0, < 1:9.11.5.P4+dfsg-5.1+deb10u11
- Debian/dnsjavafrom 0
- Debian/dnsmasqfrom 0, < 2.85-1+deb11u1
- Debian/knot-resolverfrom 0
- Debian/pdns-recursorfrom 0, < 4.8.6-1
- Debian/pdns-recursorfrom 0
- Debian/systemdfrom 0, < 247.3-7+deb11u6
- Debian/systemdfrom 0, < 247.3-7+deb11u6
- Debian/unboundfrom 0, < 1.13.1-1+deb11u2
- Debian/unboundfrom 0, < 1.13.1-1+deb11u2
- Debian/unboundfrom 0, < 1.9.0-2+deb10u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |