| Name | CVE-2023-7008 |
| Description | A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3859-1 |
| Debian Bugs | 1059278 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| systemd (PTS) | bullseye | 247.3-7+deb11u5 | vulnerable |
| bullseye (security) | 247.3-7+deb11u6 | fixed | |
| bookworm | 252.31-1~deb12u1 | fixed | |
| trixie | 257-2 | fixed | |
| sid | 257.1-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| systemd | source | bullseye | 247.3-7+deb11u6 | DLA-3859-1 | ||
| systemd | source | bookworm | 252.21-1~deb12u1 | |||
| systemd | source | (unstable) | 255.1-3 | 1059278 |
[buster] - systemd <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2222672
https://github.com/systemd/systemd/issues/25676
systemd-resolved defaults to DNSSEC=no (disabled) everywhere, and is affected only
when manually enabled.
Introduced by: https://github.com/systemd/systemd/commit/105e151299dc1208855380be2b22d0db2d66ebc6 (v229)
Fixed by: https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 (v256)
Fixed by: https://github.com/systemd/systemd-stable/commit/6da5ca9dd69c0e3340d4439413718ad4963252de (v255.2)
Fixed by: https://github.com/systemd/systemd-stable/commit/029272750fe451aeaac87a8c783cfb067f001e16 (v254.8)
Fixed by: https://github.com/systemd/systemd-stable/commit/5c149c77cbf7b3743fa65ce7dc9d2b5a58351968 (v253.15)
Fixed by: https://github.com/systemd/systemd-stable/commit/bb78da7f955c0102047319c55fff9d853ab7c87a (v252.21)
Fixed by: https://github.com/systemd/systemd-stable/commit/f58fc88678b893162f2d6d4b2db094e7b1646386 (v251.20)
Fixed by: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca (v250.14)
Fixed by: https://github.com/systemd/systemd-stable/commit/c8578cef7f0f1e8cb8193c29e5e77daf4e3a1c9f (v249.17)
Fixed by: https://github.com/systemd/systemd-stable/commit/3a409b210396c6a0bef621349f4caa3a865940f2 (v248.13)