1 files changed, 39 insertions, 0 deletions

diff --git a/backport-CVE-2023-50868.patch b/backport-CVE-2023-50868.patch
new file mode 100644
index 0000000..c50cfb4
--- /dev/null
+++ b/backport-CVE-2023-50868.patch
@@ -0,0 +1,39 @@
+From 572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Sun, 25 Feb 2024 00:23:32 -0700
+Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100
+
+According to RFC9267, the 2500 value is not helpful, and in fact it can
+be harmful to permit a large number of iterations. Combined with limits
+on the number of signature validations, I expect this will mitigate the
+impact of maliciously crafted domains designed to cause excessive
+cryptographic work.
+
+(cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14
+
+---
+ src/resolve/resolved-dns-dnssec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
+index aa87820dca..a192d82083 100644
+--- a/src/resolve/resolved-dns-dnssec.c
++++ b/src/resolve/resolved-dns-dnssec.c
+@@ -28,8 +28,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
+ /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+ #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+ 
+-/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
+-#define NSEC3_ITERATIONS_MAX 2500
++/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
++ * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
++#define NSEC3_ITERATIONS_MAX 100
+ 
+ /*
+  * The DNSSEC Chain of trust:
+-- 
+2.33.0
+