compilation bug fix for bsds

Sam Trenholme strenholme.usenet at gmail.com
Sun Jan 2 11:04:19 EST 2011


>> Not handling SIGPIPE is definitely a big deal
[..]
>> but it looks like there's been a patch for that since 2003; so
>> I would imagine that there aren't any djbdns versions with this
>> problem in service any more.

> there are still many people running unmodified 1.05.

Exactly.  Yes, people "in the know" have been running a patched djbdns
since 2003 without the SIGPIPE bug.  However, it is not widely known
that this is a serious *security* bug in djbdns that needs to be
fixed.  Again, just last year one djbdns advocate claimed djbdns is
"bug-free":

http://tech.slashdot.org/comments.pl?sid=1589160&cid=31547474

"[I have] given up on BIND years ago in favor of the vastly more
efficient, user-friendly, and -- most importantly -- bug free djbdns"

This poster doesn't know that they are running a DNS server with a
trivial denial of service attack that anyone who has permission to
connect to it via TCP can exploit.  Indeed, a follow-up poster was (is) also
ignorant of this serious bug in djbdns:

http://tech.slashdot.org/comments.pl?sid=1589160&cid=31550996

"I know of exactly one DJBDNS bug:
djbdns<=1.05 lets AXFRed subdomains overwrite domains"

This is the problem when an author does not maintain their DNS server
and does not take responsibility for its security bugs; people end up
running unpatched servers for years and think they are secure when
they are not.

This is also why you can't trust anything people say on Slashdot; the
place was pretty clued a decade ago back when people like John Carmack
posted there but these days most posters are pretty ignorant and spout
off misinformation, in this case dangerous misinformation.

- Sam
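
The following is an added illustration, not part of the original message and not the djbdns patch: it shows the general POSIX behaviour behind an unhandled SIGPIPE, using a pipe with a closed read end as a stand-in for a TCP client that has disconnected. The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one byte to a pipe whose read end is already closed (constructed
 * stand-in for a peer that went away). Returns the errno of the failed
 * write, or 0 if the write succeeded. */
static int write_to_closed_peer(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return errno;
    close(fds[0]);                      /* the "client" disconnects */
    ssize_t n = write(fds[1], "x", 1);  /* the "server" replies anyway */
    int err = (n < 0) ? errno : 0;
    close(fds[1]);
    return err;
}

/* Perform the write in a child process so the parent can observe the result.
 * Returns the terminating signal number if the child was killed, 0 if the
 * child survived and saw EPIPE, -1 on any other outcome. */
int run_server_write(int ignore_sigpipe)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = ignore_sigpipe ? SIG_IGN : SIG_DFL;
        sigemptyset(&sa.sa_mask);
        sigaction(SIGPIPE, &sa, NULL);
        _exit(write_to_closed_peer() == EPIPE ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);        /* process died: service is down */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("default SIGPIPE: child ended by signal %d\n", run_server_write(0));
    printf("SIGPIPE ignored: result %d (0 = EPIPE seen, still running)\n",
           run_server_write(1));
    return 0;
}
```

With the default disposition the writing process is terminated; with SIGPIPE ignored the write fails with EPIPE and the process can close that connection and continue serving.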

