[MaraDNS list] CVE status fo maradns
Sam Trenholme
maradns at gmail.com
Sat Jan 14 18:37:42 EST 2012
To add even more confusion:
I did a final tweak to the hash compression function yesterday.
TL;DR summary: Use MaraDNS 1.3.07.14, 1.4.10, any 2.0 release, or
apply this patch to an older release of MaraDNS:
http://maradns.org/download/patches/maradns-1.3-better_hash.patch
Long summary:
I made one release, realized that had problems, made another release
the next day, realized *that* had problems, and made a (hopefully
final) third update yesterday:
http://samiam.org/blog/20111229.html
http://samiam.org/blog/20111230.html
http://samiam.org/blog/20120113.html
And, oh, yeah you could argue that MaraDNS 2.0 has the issue, but it's
much much less of an issue since someone has to control the zones
MaraDNS uses to trigger the bug. But, yeah, since they filed a CVE
for it, the latest 2.0 snapshot also has the bug fixed:
http://maradns.org/download/2.0/snap/
I'm going to make a MaraDNS 2.0 release with this issue fixed once
Deadwood 3.2 is out the door, probably in a month or so.
- Sam
On Sat, Jan 14, 2012 at 5:03 AM, Nicholas Bamber <nicholas at periapt.co.uk> wrote:
> Sam,
> The CVE status seems to be getting more and more confused.
>
> As I understand it
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0024 is what you
> were attempting to fix in 1.4.08. However they have issued a new number
> for the second attempt in
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5055.
>
> As for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5056, I
> don't know what is going on there.
>
> Please confirm and clarify as necessary.
>
> --
> Nicholas Bamber | http://www.periapt.co.uk/
> PGP key 3BFFE73C from pgp.mit.edu
More information about the list
mailing list