[MaraDNS] MaraDNS security: MaraDNS 2.0.12 released

Sam Trenholme maradns at gmail.com
Wed Aug 19 07:19:51 PDT 2015


I have released MaraDNS 2.0.12 to fix a security bug in the zoneserver
daemon. All users are encouraged to update to this version of MaraDNS.

==The bug==

I got a GitHub bug report about MaraDNS’ zoneserver program getting a
segmentation fault. In the stack trace, free() was being called
against a memory location whose value was uninitialized (and therefore
random).

This bug allows a denial of service attack; by making the zoneserver
daemon free an invalid memory location, it was possible to terminate
the zoneserver process. I do not know whether or not this bug is
remotely exploitable.

==The fix==

I now always initialize the memory location in question.
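
An added illustration of the bug class described above, not code from zoneserver or MaraDNS (the struct, function and request names are invented): an error path returns before an owned pointer field has been set, and the caller's cleanup then hands whatever bytes were already in that memory to free(). Reading a truly uninitialized value is undefined behaviour, so the "garbage" is constructed deliberately with memset(), and a small allocation tracker stands in for the heap so the invalid free is reported instead of crashing the process, which is roughly what AddressSanitizer or glibc's MALLOC_PERTURB_ would surface.

```c
/* Added example, not MaraDNS code. zone_ctx, parse_record_* and
 * request_ok are hypothetical names chosen for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny allocation tracker standing in for the real heap: an invalid
 * free is reported as a return value rather than a segfault. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* 1: a live block was freed; 0: free(NULL), a no-op per the C standard;
 * -1: a pointer the heap never handed out (the crash case in real life). */
static int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    return -1;
}

struct zone_ctx {
    char *buf;      /* record buffer owned by the context */
    size_t len;
};

/* Hypothetical "does the request look sane?" check. */
static int request_ok(const char *req) { return req != NULL && req[0] != '\0'; }

/* Buggy shape: buf is only assigned on the success path. */
static int parse_record_buggy(struct zone_ctx *ctx, const char *req) {
    if (!request_ok(req))
        return -1;              /* early return: ctx->buf never written */
    ctx->len = strlen(req);
    ctx->buf = tracked_malloc(ctx->len + 1);
    if (ctx->buf == NULL) return -1;
    memcpy(ctx->buf, req, ctx->len + 1);
    return 0;
}

/* Fixed shape: every owned pointer is set before any path can return,
 * so cleanup sees NULL (safe to free) rather than leftover bytes. */
static int parse_record_fixed(struct zone_ctx *ctx, const char *req) {
    ctx->buf = NULL;
    ctx->len = 0;
    if (!request_ok(req))
        return -1;              /* early return, but buf is NULL now */
    ctx->len = strlen(req);
    ctx->buf = tracked_malloc(ctx->len + 1);
    if (ctx->buf == NULL) return -1;
    memcpy(ctx->buf, req, ctx->len + 1);
    return 0;
}

/* Simulates the caller: the struct holds whatever was in that memory
 * before, parse may fail, and cleanup frees unconditionally. Returns
 * tracked_free's verdict for the cleanup step. */
static int run_request(int (*parse)(struct zone_ctx *, const char *),
                       const char *req) {
    struct zone_ctx ctx;
    memset(&ctx, 0x41, sizeof ctx);   /* constructed "stack garbage" */
    parse(&ctx, req);                 /* status ignored, as a sloppy caller would */
    return tracked_free(ctx.buf);     /* cleanup path */
}

int main(void) {
    printf("buggy, bad request : %d\n", run_request(parse_record_buggy, ""));
    printf("fixed, bad request : %d\n", run_request(parse_record_fixed, ""));
    printf("fixed, good request: %d\n", run_request(parse_record_fixed, "a.example."));
    return 0;
}
```

The buggy variant returns -1 for a rejected request (cleanup freed a pointer the heap never issued), while the fixed variant returns 0 for the same input and 1 on the success path. Initializing at the top of the function, or allocating the context with calloc(), is the whole fix; it also makes the unconditional free() in the caller correct, since free(NULL) is defined to do nothing.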

Because of the nature of this bug, I have made a MaraDNS 2.0.12
release to fix this bug. It can be downloaded here:

http://maradns.samiam.org/download.html

==Sourceforge==

As I have promised before, I am no longer updating the Sourceforge
version of MaraDNS. People may download MaraDNS from the MaraDNS web
site, or from GitHub:

https://github.com/samboy/MaraDNS

==MaraDNS 1==

This bug impacts MaraDNS 1. I will not fix this bug in older versions
of MaraDNS; I have given users a three-year warning that MaraDNS 1 is
no longer supported. All MaraDNS 1 users need to upgrade to MaraDNS 2.

==Other changes in MaraDNS 2.0.12==

In addition to fixing this bug, MaraDNS 2.0.12 updates Deadwood
(documentation updates and increased maxprocs values), fixes
zoneserver to work with newer versions of dig, and has a number of
documentation updates.

==Future MaraDNS plans==

When and if letsencrypt.org becomes live and offers free HTTPS
certificates, I will get a free wildcard cert for samiam.org and start
serving MaraDNS over SSL (TLS).

Unless another security bug comes up, my next MaraDNS and Deadwood
release will be in the late summer of 2016.
