Bugzilla – Bug 1218297
VUL-0: CVE-2023-7008: systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
Last modified: 2024-07-19 13:04:46 UTC
systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7008
Upstream issue:
https://github.com/systemd/systemd/issues/25676

Upstream fix:
https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1

Affected code found in:

- SUSE:ALP:Source:Standard:1.0/systemd
- SUSE:SLE-15-SP4:Update/systemd
- openSUSE:Factory/systemd
(In reply to Gabriele Sonnu from comment #2)
> Upstream fix:
>
> https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
>

This fix has already been released for these code streams:

> Affected code found in:
>
> - SUSE:ALP:Source:Standard:1.0/systemd
> - SUSE:SLE-15-SP4:Update/systemd
> - openSUSE:Factory/systemd

However the reference of this issue in the respective changelogs was missing. This has been addressed but I don't think it's worth submitting this single change alone.

Reassigning to the security team.
This is an autogenerated message for OBS integration:
This bug (1218297) was mentioned in
https://build.opensuse.org/request/show/1144939 Factory / systemd
All done, closing.