From maradns at gmail.com Mon Dec 2 06:40:28 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Mon, 2 Dec 2013 03:40:28 -0800
Subject: [MaraDNS list] MaraDNS security update
Message-ID:

While looking over the source code to Deadwood, I discovered that
Deadwood 3 releases before Deadwood-3.2.03d have a security issue caused
by a programming error I made.

Under certain exceptional circumstances, it may have been possible to
perform a blind spoofing attack against unpatched releases of Deadwood.
The IP performing the blind spoofing attack needs to appear to have
permission to perform full recursion with Deadwood in order to carry out
the attack.

Upgrading will fix the bug. Then again, administrators who already
perform good practices, making sure that only authorized IPs can use
Deadwood recursively (pretty much mandatory in light of DNS amplification
attacks) will only be affected by this bug if either a machine with an
authorized IP is compromised, or if it is possible for the attacker to
send the Deadwood server a packet with a spoofed IP.

This update was released today. MaraDNS 2.0.07d, Deadwood 3.2.03d, and
MaraDNS 1.4.13 are patched against this bug. Deadwood 2.3.08 is not
affected by this bug.

It can be downloaded here:

http://www.maradns.org/download.html
http://www.maradns.org/deadwood/stable/

- Sam

From maradns at gmail.com Fri Dec 20 12:17:32 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Fri, 20 Dec 2013 09:17:32 -0800
Subject: [MaraDNS list] Deadwood 3.2.04 released
Message-ID:

I have released Deadwood 3.2.04. This has, compared to Deadwood 3.2.03
(released a year ago), a number of bug fixes and one security update.

Users of Deadwood 3.2.03d do not need to update to this release to stay
current with regards to security; however, there are a number of bug
fixes for 3.2.03d users and it is worthwhile to update.

More information is in the CHANGELOG:

http://maradns.samiam.org/deadwood/doc/CHANGELOG

Users of older Deadwood releases who set root_servers in their Deadwood
configuration file need to change the IP for one of the root servers
from 128.8.10.90 to 199.7.91.13.

There is one bug fix which could cause issues with certain, probably
hypothetical, DNS setups on the Internet:

http://samiam.org/blog/20131206.html

It can be downloaded here:

http://maradns.samiam.org/deadwood/stable/

- Sam