[3.6] knot: TSIG authentication bypass due to improper TSIG validity period check (CVE-2017-11104)
Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the
TSIG protocol implementation that would allow an attacker with a valid
key name and algorithm to bypass TSIG authentication if no additional
ACL restrictions are set, because of an improper TSIG validity period
check.
Fixed In Version:
knot 2.4.5, knot 2.5.2
References:
https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
(from redmine: issue id 7546, created on 2017-07-19, closed on 2017-08-04)