Divergentdave

**Name of the Vulnerable Software and Affected Versions** Hickory DNS versions 0.8.0 through 0.24.2 Hickory DNS versions 0.25.0-alpha.1 through 0.25.0-alpha.4 **Description** The issue is related to insufficient authentication of data in the `verify dnskey rrset()` function of the Hickory DNS client. This can allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. If a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is also a variant of this issue involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. **Recommendations** For Hickory DNS versions 0.8.0 through 0.24.2, update to version 0.24.3 or later. For Hickory DNS versions 0.25.0-alpha.1 through 0.25.0-alpha.4, update to version 0.25.0-alpha.5 or later. As a temporary workaround, consider restricting the use of the `verify dnskey rrset()` function until a patch is available. Restrict access to the DNSKEY records to minimize the risk of exploitation. Avoid using the `verify rrset with dnskey()` function with different keys and signatures until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** trillium-http versions prior to 0.3.12 trillium-client versions prior to 0.5.4 **Description** Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over headers. This only affects use cases where attackers have control of request headers, and can insert "r " sequences. Specifically, if untrusted and unvalidated input is inserted into header names or values. Outbound `trillium http::HeaderValue` and `trillium http::HeaderName` can be constructed infallibly and were not checked for illegal bytes when sending requests from the client or responses from the server. Thus, if an attacker has sufficient control over header values (or names) in a request or response that they could inject `r ` sequences, they could get the client and server out of sync, and then pivot to gain control over other parts of requests or responses. **Recommendations** For trillium-http versions prior to 0.3.12, update to version 0.3.12 or later. For trillium-client versions prior to 0.5.4, update to version 0.5.4 or later. As a temporary workaround, Trillium services and client applications should sanitize or validate untrusted input that is included in header values and header names. Carriage return, newline, and null characters are not allowed.