RHEL9+, RSASHA1 and CVE-2025-8677 
    Ondřej Surý 
    ondrej at isc.org
       
    Fri Oct 31 12:09:02 UTC 2025
    
    
  
Can we have a couple of reproducers please?
We do run tests on RHEL-like 8, 9, 10 and no current test caught a failure like that, so having a solid reproducer would be nice.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 31. 10. 2025, at 13:05, sthaug at nethelp.no wrote:
> 
> 
>> 
>> No. Algorithms 5 and 7 are skipped earlier and should never reach the
>> code affected.
> 
> However, the observed behavior, which started this, is that a zone
> signed with both algorithm 7 and algorithm 13, failed. The client
> (me) received SERVFAIL.
> 
>> No crypto policy will change any of this, you do not have to lower
>> your security defaults to avoid that.
> 
> Well, the policy change that Bjørn made definitely made the zone
> in question resolve again.
> 
>> Please wait a few days, proper fixes are on the way!
> 
> Unfortunately the real world doesn't have that kind of patience.
> 
> Steinar Haug, AS2116
    
    