[MaraDNS list] New MaraDNS CVE: 2012-1570

Sam Trenholme maradns at gmail.com
Thu Mar 22 15:53:57 EDT 2012


In this post, I discuss CVE-2012-1570 as well as Deadwood 2.3.

== CVE-2012-1570 ==

CVE-2012-1570 is the CVE number assigned for MaraDNS updates made in
light of the "ghost domain" bug. I have already updated Deadwood as
well as the legacy MaraDNS 1 branch; this CVE just formally declares
these updates to be serious security updates.

Here is a rundown of all MaraDNS versions affected by the ghost domain
security bug:

  * All MaraDNS 0 releases with recursion (Do NOT use; not maintained)

  * All MaraDNS 1.0 releases (Do NOT use; not maintained)

  * All MaraDNS 1.1 releases (Do NOT use; not maintained)

  * All MaraDNS 1.2 releases (Do NOT use; not maintained)

  * All MaraDNS 1.3 releases besides 1.3.07 (Do NOT use; not maintained)

  * All MaraDNS 1.3.07 releases before MaraDNS 1.3.07.15

  * All MaraDNS 1.4 releases before MaraDNS 1.4.12

  * All MaraDNS 2 releases before MaraDNS 2.0.06

  * All Deadwood 3 (subpackage of MaraDNS) releases before Deadwood 3.2.02

  * All Deadwood 2 releases besides 2.3 (Do NOT use; not maintained)

  * All Deadwood 2.3 releases before Deadwood 2.3.08

The following releases have been patched to address this bug: MaraDNS
1.3.07.15, 1.4.12 and 2.0.06, as well as Deadwood 3.2.02 and Deadwood
2.3.08. It is very important that all MaraDNS users update to one of
these versions.

Please note that MaraDNS 1.3.07 will no longer be supported on
December 21, 2012. Please upgrade to MaraDNS 1.4 or 2.0 at your
soonest convenience if feasible. Here is an update guide:

  http://maradns.org/tutorial/update.html

Distributions and users who wish to continue, against my wishes,
supporting an outdated version of MaraDNS 1 may (or may not) be able
to update MaraDNS 1 by using this patch:

  http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch

== Deadwood update ==

As noted above, I have updated the older "tiny" branch of Deadwood to
address the important "ghost domain" bug; Deadwood 2.3.08 has been
released.

This took all morning to do; the "tiny" branch has diverged from the
main branch of Deadwood enough that it was necessary to completely
redo the patch by hand.

After doing that, a number of SQA regressions failed because CentOS 5
has changed enough since the last time I ran the Deadwood 2.3
regressions: example.com has a different A record, netstat's output
format has changed, and Valgrind complains about "possibly lost"
memory it wasn't complaining about before. I had to verify the failed
SQA regressions were caused by issues external to Deadwood, and that
the code changes did not break anything.

It can be downloaded here:

  http://www.maradns.org/deadwood/tiny/

At this point, I am only supporting Deadwood 2.3 for security and
other critical bugs. Deadwood 2.3 only makes sense if one is in an
environment where it's better to have a 32 kilobyte non-recursive DNS
cache instead of a 64 kilobyte fully recursive DNS cache.

Also: Because of how Deadwood 2.3 works, records with TTLs longer than
one day will show a longer TTL when said record is retrieved. This
update only affects how long the record is stored in Deadwood 2.3's
cache. If there is any suspicion that resolvers downstream from a
Deadwood 2.3 cache honor large TTLs, please upgrade to Deadwood 3.
Also note that Deadwood 2.3 doesn't properly age TTLs.

I plan to work on MaraDNS/Deadwood again one day next month, after the
20th, unless another critical security bug is found.

- Sam (Now, back to my day job)
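To make the TTL caveat in the post concrete, here is an added example (a Python sketch, not Deadwood's code) that models a cache which caps storage at one day but hands out the original TTL, beside one that ages the TTL, and measures how long a downstream resolver honouring the reported TTL would keep a record after the cache has already dropped it. The value 86400 seconds for "one day" and the example.com / 192.0.2.1 data are assumptions.

```python
# Added example (not Deadwood's code): a model of the TTL behaviour the post
# describes for Deadwood 2.3, beside the aging behaviour a resolver should have.
# Assumed: "one day" is 86400 seconds; names and addresses are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ONE_DAY = 86400  # assumed value for the post's "one day" storage cap


@dataclass
class CachedRecord:
    rdata: str
    original_ttl: int
    expires_at: int  # absolute time (seconds) at which the cache drops the record


class TinyStyleCache:
    """Stores a record for at most ONE_DAY but reports the original, unaged TTL."""

    def __init__(self) -> None:
        self.store: dict = {}

    def insert(self, name: str, rdata: str, ttl: int, now: int) -> None:
        self.store[name] = CachedRecord(rdata, ttl, now + min(ttl, ONE_DAY))

    def _live(self, name: str, now: int) -> Optional[CachedRecord]:
        rec = self.store.get(name)
        return rec if rec is not None and now < rec.expires_at else None

    def lookup(self, name: str, now: int) -> Optional[Tuple[str, int]]:
        rec = self._live(name, now)
        return None if rec is None else (rec.rdata, rec.original_ttl)


class AgingCache(TinyStyleCache):
    """Same storage cap, but the reported TTL is the capped, aged remaining lifetime."""

    def lookup(self, name: str, now: int) -> Optional[Tuple[str, int]]:
        rec = self._live(name, now)
        return None if rec is None else (rec.rdata, rec.expires_at - now)


def downstream_overhang(cache: TinyStyleCache, name: str, now: int) -> int:
    """Seconds a downstream resolver honouring the reported TTL would keep the
    record after this cache has already dropped it (0 means no overhang)."""
    answer = cache.lookup(name, now)
    if answer is None:
        return 0
    return max(0, now + answer[1] - cache.store[name].expires_at)
```

With a seven-day TTL inserted at time 0, the unaged cache reports 604800 seconds an hour later while it will itself drop the record at 86400, so a TTL-honouring downstream cache overhangs by 522000 seconds; the aging cache reports 82800 and overhangs by nothing.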

