Today, we released version 4.1.23 of the authoritative DNS name server NSD.
NSD versions 4.1.22 and before are vulnerable in comparing TSIG information and this can be used to discover a TSIG secret.
NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key to protect the data. The secret key is shared with both sides of the zone transfer connection. The comparison code in NSD was not time insensitive, causing the potential for an attacker to use timing information to discover data about the key contents.
NSD versions from 2.2.0 to 4.1.22 are vulnerable. Upgrade to 4.1.23 or newer to get the fix.
It was reported by Ondrej Sury (ISC).
You can get source packages of this version from the downloads page.