Merge pull request #215 from bluejekyll/master

trust-dns-server additionals processing overflows stack
rustsec · Jan 7, 2020 · 628f821 · 628f821
2 parents 4a7d05d + 1af3b6e
commit 628f821
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/crates/trust-dns-server/RUSTSEC-0000-0000.toml b/crates/trust-dns-server/RUSTSEC-0000-0000.toml
@@ -0,0 +1,25 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "trust-dns-server"
+date = "2020-01-06"
+title = "Stack overflow when resolving addional records from MX or SRV null targets"
+description = """
+There's a stack overflow leading to a crash and potential DOS when processing
+additional records for return of MX or SRV record types from the server.
+
+This is only possible when a zone is configured with a null target for MX or SRV records, i.e. '.'.
+
+Example effected zone record:
+```text
+no-service 86400 IN MX 0 .
+```
+
+Prior to 0.16.0 the additional record processing was not supported by trust-dns-server. There
+Are no known issues with upgrading from 0.16 or 0.17 to 0.18.1. The remidy should be to upgrade to
+0.18.1. If unable to do so, MX, SRV or other record types with a target to the null type, should be avoided.
+"""
+patched_versions = [">= 0.18.1"]
+unaffected_versions = ["< 0.16.0"]
+url = "https://github.com/bluejekyll/trust-dns/issues/980"
+categories = ["denial-of-service"]
+keywords = [ "stack-overflow", "crash" ]