From maradns at gmail.com Wed Feb 5 15:22:07 2014
From: maradns at gmail.com (Sam Trenholme)
Date: Wed, 5 Feb 2014 12:22:07 -0800
Subject: [MaraDNS list] MaraDNS is now available in GitHub
Message-ID:

== MaraDNS on GitHub ==

There has been some talk about setting up a repository for MaraDNS. I have now made it so: MaraDNS is available on GitHub.

For people who wish to make their own fork of MaraDNS, or who prefer to download with git instead of downloading a tarball, one can now grab MaraDNS thusly:

    git clone https://github.com/samboy/MaraDNS

The above link can also be opened in a browser; I have gone to some effort to ensure MaraDNS compiles when downloaded via git or if GitHub's zip file of MaraDNS (on the linked webpage) is downloaded.

Feel free to fork this repo, but please do not name your fork "MaraDNS"; some names that can be used are "MaraDNS-ng" or "N-MaraDNS".

Note that having MaraDNS in git does not affect future tarball/zipfile releases of MaraDNS; those continue to be built and released separately from git.

== A personal note ==

The reason I have done this is because I am getting laid off. Some employers like to see files in GitHub when looking at candidates, so I have added MaraDNS there.

If anyone has suggestions where I can find a job, or would like to see my resume, please feel free to send me an email.

- Sam

From maradns at gmail.com Wed Feb 12 12:45:52 2014
From: maradns at gmail.com (Sam Trenholme)
Date: Wed, 12 Feb 2014 09:45:52 -0800
Subject: [MaraDNS list] MaraDNS security update
Message-ID:

I have released MaraDNS 2.0.09, MaraDNS 1.4.14, Deadwood 3.2.05, and Deadwood 2.3.09. This is an important stability and security update and all MaraDNS users are encouraged to update at their soonest convenience.

== How to download ==

Most MaraDNS users should download MaraDNS 2.0.09, which includes Deadwood 3.2.05:

    http://maradns.org/download/2.0/2.0.09
    https://sourceforge.net/projects/maradns/files/MaraDNS/2.0.09/

The GitHub version of MaraDNS has also been updated (it was actually the first version to be updated):

    https://github.com/samboy/MaraDNS
    git clone https://github.com/samboy/MaraDNS

It's also possible to download just Deadwood 3.2.05:

    http://maradns.samiam.org/deadwood/stable/
    https://sourceforge.net/projects/maradns/files/Deadwood/3.2.05/

People who are still using MaraDNS 1 may download MaraDNS 1.4.14 (source code "tarball" only):

    http://maradns.samiam.org/download/1.4/
    https://sourceforge.net/projects/maradns/files/MaraDNS/1.4.14/

Please note that MaraDNS 1 will stop being supported on June 21, 2015.

For anyone still using Deadwood 2.3, here are links to Deadwood 2.3.09:

    http://maradns.samiam.org/deadwood/tiny/
    https://sourceforge.net/projects/maradns/files/Deadwood/2.3.09/

Note that Deadwood 2.3 will stop being supported on June 21, 2016.

== Description of the problem ==

There has been a long-standing bug in Deadwood (ever since 2007) where bounds checking for strings was not correctly done under some circumstances. Because of this, it has been possible to send Deadwood a "packet of death" which will crash Deadwood.

Since the attack causes out-of-bounds memory to be read, but not written to, the impact of the bug is denial of service. It appears this attack can only be exploited by an IP with permission to perform recursive queries against Deadwood.

This bug is fixed in Deadwood 3.2.05 and Deadwood 2.3.09. MaraDNS 2.0.09 and 1.4.14 have been updated to include Deadwood 3.2.05.

Note that this bug only affects users of the Deadwood recursive resolver.

CVE number: None
Impact: Remote denial of service

== My mistake ==

The mistake I have made was to make one of the core string handling functions an overly complicated "swiss army knife" function; when it comes to security, it's better to have two simple functions than one overly complicated function.

Actually, these days, it's usually better to write something in a scripting language which leads me to my...

== Job search update ==

I am slowly but surely getting interviews and phone screenings in my job hunt. There actually is a lot more interest in my recent experience with Python, PHP, and other scripting languages than with my expertise in C (MaraDNS' primary language) and DNS.

If anyone has any pointers for a job which matches my skill set (MaraDNS and DNS of course, but I was programming in Python, PHP, and other scripting languages in my most recent job), please send me a private email. My resume is here:

    http://samiam.org/resume/

- Sam
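
Added example, not part of the message above and not Deadwood's code: a sketch of the "two simple functions" approach applied to bounds-checked reads from a counted string, so that a truncated packet yields an error instead of an out-of-bounds read. The `cstr` type, the function names and the sample bytes are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical counted string; not Deadwood's actual string type. */
typedef struct {
    const uint8_t *data;
    size_t len;          /* number of valid bytes in data */
} cstr;

/* Read one byte at off. Returns 0 on success, -1 if out of bounds. */
int cstr_get_u8(const cstr *s, size_t off, uint8_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL) return -1;
    if (off >= s->len) return -1;
    *out = s->data[off];
    return 0;
}

/* Read a big-endian 16-bit value at off. Returns 0 or -1 as above. */
int cstr_get_u16(const cstr *s, size_t off, uint16_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL) return -1;
    /* Compare against len - 2 so that off + 2 can never wrap around. */
    if (s->len < 2 || off > s->len - 2) return -1;
    *out = (uint16_t)((s->data[off] << 8) | s->data[off + 1]);
    return 0;
}

/* Constructed sample: the first 4 bytes of a DNS header, cut short. */
static const uint8_t sample[] = { 0x12, 0x34, 0x01, 0x00 };

/* Returns the query ID if the truncated read was correctly refused. */
int demo_truncated_read(void)
{
    cstr pkt = { sample, sizeof sample };
    uint16_t id = 0, qdcount = 0;
    if (cstr_get_u16(&pkt, 0, &id) != 0) return -1;      /* in bounds */
    /* QDCOUNT would sit at offset 4, past the end of this packet. */
    if (cstr_get_u16(&pkt, 4, &qdcount) == 0) return -2;
    return (int)id;
}

int main(void)
{
    printf("demo_truncated_read() = 0x%x\n", demo_truncated_read());
    return 0;
}
```

Each reader has a single bounds check that can be audited at a glance, which is the property a multi-mode string function tends to lose.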