https://bugzilla.mindrot.org/show_bug.cgi?id=3966
Damien Miller <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Blocks| |3942 CC| |[email protected] Resolution|--- |FIXED --- Comment #2 from Damien Miller <[email protected]> --- Thanks for the report. AIUI the system resolver is meant to hide DNS0x20 randomisation from applications, but if that is not happening on real systems then we need to work around it. I've applied your fix and it will be in openssh-10.4, due in the next couple of months. Thanks --- commit df18979e1137f41a3ffa25f9d06c4fc55073cb34 (HEAD -> master, origin/master, origin/HEAD) Author: [email protected] <[email protected]> Date: Sun May 31 05:55:21 2026 +0000 upstream: DNS0x20[1] can randomise the case of domain names returned by lookup to force some more uniqueness in queries to reduce the likelihood of spoofing attacks succeeding. Normally this should be hidden from the user by the resolver, but in some cases it can leak through. When it does, it can mess up ssh's CanonicalizePermittedCNAMEs. Fix this by forcing the name we received from the system resolver to lowercase. bz3966, report and fix by Martin D Kealey [1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00 OpenBSD-Commit-ID: e0b300d3b3af289e053d928380af71949f95bfb0 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3942 [Bug 3942] Tracking bug for openssh-10.4 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
