[MaraDNS list] MaraDNS security update

Sam Trenholme maradns at gmail.com
Mon Dec 2 06:40:28 EST 2013


While looking over the source code to Deadwood, I discovered that
Deadwood 3 releases before Deadwood-3.2.03d have a security issue
caused by a programming error I made.

Under certain exceptional circumstances, it may have been possible to
perform a blind spoofing attack against unpatched releases of
Deadwood. The IP performing the blind spoofing attack needs to appear
to have permission to perform full recursion with Deadwood in order to
carry out the attack.

Upgrading will fix the bug. Then again, administrators who already
perform good practices, making sure that only authorized IPs can use
Deadwood recursively (pretty much mandatory in light of DNS
amplification attacks) will only be affected by this bug if either a
machine with an authorized IP is compromised, or if it is possible for
the attacker to send the Deadwood server a packet with a spoofed IP.

This update was released today. MaraDNS 2.0.07d, Deadwood 3.2.03d, and
MaraDNS 1.4.13 are patched against this bug. Deadwood 2.3.08 is not
affected by this bug.

It can be downloaded here:

http://www.maradns.org/download.html
http://www.maradns.org/deadwood/stable/

- Sam

