compilation bug fix for bsds

Yarin yarin at warpmail.net
Tue Jan 4 01:45:51 EST 2011


> there are still many people running unmodified 1.05.

Heh, well, in those cases, that sounds a lot like a poor sys admin,
I imagine it's kind of obvious that using unmaintained software that hasn't been even updated in 10 years is a bad idea regardless.

> Again, just last year one djbdns advocate claims djbdns is
> "bug-free":

> This is also why you can't trust anything people say on Slashdot

I read the posts the first time.
Maybe you should bring the Slashdot community up to speed on the matter :-)

Yarin

----- Original message -----
From: "Sam Trenholme" <strenholme.usenet at gmail.com>
To: list at maradns.org
Date: Sun, 2 Jan 2011 09:04:19 -0700
Subject: Re: compilation bug fix for bsds

>> Not handling SIGPIPE is definitely a big deal
[..]
>> but it looks like there's been a patch for that since 2003; so
>> I would imagine that there aren't any djbdns versions with this
>> problem in service any more.

> there are still many people running unmodified 1.05.

Exactly.  Yes, people "in the know" have been running a patched djbdns
since 2003 without the SIGPIPE bug.  However, it is not widely known
that this is a serious *security* bug in djbdns that needs to be
fixed.  Again, just last year one djbdns advocate claims djbdns is
"bug-free":

http://tech.slashdot.org/comments.pl?sid=1589160&cid=31547474

"[I have] given up on BIND years ago in favor of the vastly more
efficient, user-friendly, and -- most importantly -- bug free djbdns"

This poster doesn't know that they are running a DNS server with a
trivial denial of service attack anyone who has permission to connect
to via TCP can exploit.  Indeed, a follow-up poster was (is) also
ignorant of this serious bug in djbdns:

http://tech.slashdot.org/comments.pl?sid=1589160&cid=31550996

"I know of exactly one DJBDNS bug:
djbdns<=1.05 lets AXFRed subdomains overwrite domains"

This is the problem when an author does not maintain their DNS server
and does not take responsibility for its security bugs; people end up
running unpatched servers for years and think they are secure when
they are not.

This is also why you can't trust anything people say on Slashdot; the
place was pretty clued a decade ago back when people like John Carmack
posted there but these days most posters are pretty ignorant and spout
off misinformation, in this case dangerous misinformation.

- Sam



More information about the list mailing list