compilation bug fix for bsds
Sam Trenholme
strenholme.usenet at gmail.com
Sun Jan 2 11:04:19 EST 2011
>> Not handling SIGPIPE is definitely a big deal
[..]
>> but it looks like there's been a patch for that since 2003; so
>> I would imagine that there aren't any djbdns versions with this
>> problem in service any more.
> there are still many people running unmodified 1.05.
Exactly. Yes, people "in the know" have been running a patched djbdns
since 2003 without the SIGPIPE bug. However, it is not widely known
that this is a serious *security* bug in djbdns that needs to be
fixed. Again, just last year one djbdns advocate claims djbdns is
"bug-free":
http://tech.slashdot.org/comments.pl?sid=1589160&cid=31547474
"[I have] given up on BIND years ago in favor of the vastly more
efficient, user-friendly, and -- most importantly -- bug free djbdns"
This poster doesn't know that they are running a DNS server with a
trivial denial of service attack anyone who has permission to connect
to via TCP can exploit. Indeed, a follow-up poster was (is) also
ignorant of this serious bug in djbdns:
http://tech.slashdot.org/comments.pl?sid=1589160&cid=31550996
"I know of exactly one DJBDNS bug:
djbdns<=1.05 lets AXFRed subdomains overwrite domains"
This is the problem when an author does not maintain their DNS server
and does not take responsibility for its security bugs; people end up
running unpatched servers for years and think they are secure when
they are not.
This is also why you can't trust anything people say on Slashdot; the
place was pretty clued a decade ago back when people like John Carmack
posted there but these days most posters are pretty ignorant and spout
off misinformation, in this case dangerous misinformation.
- Sam
More information about the list
mailing list