[SECURITY] Fedora 28 Update: knot-resolver-2.4.0-1.fc28

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2018-c894f896fd 2018-07-12 14:18:11.697524 -------------------------------------------------------------------------------- Name : knot-resolver Product : Fedora 28 Version : 2.4.0 Release : 1.fc28 URL : https://www.knot-resolver.cz/ Summary : Caching full DNS Resolver Description : The Knot DNS Resolver is a caching full resolver implementation written in C and LuaJIT, including both a resolver library and a daemon. Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions. The package is pre-configured as local caching resolver. To start using it, start a single kresd instance: $ systemctl start kresd(a)1.service -------------------------------------------------------------------------------- Update Information: Knot Resolver 2.4.0 (2018-07-03) ================================ Incompatible changes -------------------- - minimal libknot version is now 2.6.7 to pull in latest fixes (#366) Security -------- - fix a rare case of zones incorrectly dowgraded to insecure status (!576) New features ------------ - TLS session resumption (RFC 5077), both server and client (!585, #105) (disabled when compiling with gnutls < 3.5) - TLS_FORWARD policy uses system CA certificate store by default (!568) - aggressive caching for NSEC3 zones (!600) - optional protection from DNS Rebinding attack (module rebinding, !608) - module bogus_log to log DNSSEC bogus queries without verbose logging (!613) Bugfixes -------- - prefill: fix ability to read certificate bundle (!578) - avoid turning off qname minimization in some cases, e.g. co.uk. (#339) - fix validation of explicit wildcard queries (#274) - dns64 module: more properties from the RFC implemented (incl. bug #375) Improvements ------------ - systemd: multiple enabled kresd instances can now be started using kresd.target - ta_sentinel: switch to version 14 of the RFC draft (!596) - support for glibc systems with a non-Linux kernel (!588) - support per-request variables for Lua modules (!533) - support custom HTTP endpoints for Lua modules (!527) -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 3 2018 Tomas Krizek <tomas.krizek(a)nic.cz&gt; - 2.4.0-1 Knot Resolver 2.4.0 (2018-07-03) ================================ Incompatible changes -------------------- - minimal libknot version is now 2.6.7 to pull in latest fixes (#366) Security -------- - fix a rare case of zones incorrectly dowgraded to insecure status (!576) New features ------------ - TLS session resumption (RFC 5077), both server and client (!585, #105) (disabled when compiling with gnutls < 3.5) - TLS_FORWARD policy uses system CA certificate store by default (!568) - aggressive caching for NSEC3 zones (!600) - optional protection from DNS Rebinding attack (module rebinding, !608) - module bogus_log to log DNSSEC bogus queries without verbose logging (!613) Bugfixes -------- - prefill: fix ability to read certificate bundle (!578) - avoid turning off qname minimization in some cases, e.g. co.uk. (#339) - fix validation of explicit wildcard queries (#274) - dns64 module: more properties from the RFC implemented (incl. bug #375) Improvements ------------ - systemd: multiple enabled kresd instances can now be started using kresd.target - ta_sentinel: switch to version 14 of the RFC draft (!596) - support for glibc systems with a non-Linux kernel (!588) - support per-request variables for Lua modules (!533) - support custom HTTP endpoints for Lua modules (!527) * Mon Apr 23 2018 Tomas Krizek <tomas.krizek(a)nic.cz&gt; - 2.3.0-1 Knot Resolver 2.3.0 (2018-04-23) ================================ Security -------- - fix CVE-2018-1110: denial of service triggered by malformed DNS messages (!550, !558, security!2, security!4) - increase resilience against slow lorris attack (security!5) Bugfixes -------- - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538) - validation: fix SERVFAIL for DS . query (!544) - lib/resolve: don't send unecessary queries to parent zone (!513) - iterate: fix validation for zones where parent and child share NS (!543) - TLS: improve error handling and documentation (!536, !555, !559) Improvements ------------ - prefill: new module to periodically import root zone into cache (replacement for RFC 7706, !511) - network_listen_fd: always create end point for supervisor supplied file descriptor - use CPPFLAGS build environment variable if set (!547) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-c894f896fd' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------