[MaraDNS list] MaraDNS security update
Sam Trenholme
maradns at gmail.com
Wed Feb 12 12:45:52 EST 2014
I have released MaraDNS 2.0.09, MaraDNS 1.4.14, Deadwood 3.2.05, and
Deadwood 2.3.09. This is an important stability and security update
and all MaraDNS users are encouraged to update at their soonest
convenience.
== How to download ==
Most MaraDNS should download MaraDNS 2.0.09, which includes Deadwood 3.2.05:
http://maradns.org/download/2.0/2.0.09
https://sourceforge.net/projects/maradns/files/MaraDNS/2.0.09/
The GitHub version of MaraDNS has also been updated (it was actually
the first version to be updated):
https://github.com/samboy/MaraDNS
git clone https://github.com/samboy/MaraDNS
It's also possible to download just Deadwood 3.2.05:
http://maradns.samiam.org/deadwood/stable/
https://sourceforge.net/projects/maradns/files/Deadwood/3.2.05/
People who are still using MaraDNS 1 may download MaraDNS 1.4.14
(source code "tarball" only):
http://maradns.samiam.org/download/1.4/
https://sourceforge.net/projects/maradns/files/MaraDNS/1.4.14/
Please note that MaraDNS 1 will stop being supported on June 21, 2015.
For anyone still using Deadwood 2.3, here are links to Deadwood 2.3.09:
http://maradns.samiam.org/deadwood/tiny/
https://sourceforge.net/projects/maradns/files/Deadwood/2.3.09/
Note that Deadwood 2.3 will stop being supported on June 21, 2016.
== Description of the problem ==
There has been a long-standing bug in Deadwood (ever since 2007) where
bounds checking for strings was not correctly done under some
circumstances.
Because of this, it has been possible to send Deadwood a "packet of
death" which will crash Deadwood. Since the attack causes
out-of-bounds memory to be read, but not written to, the impact of the
bug is denial of service. It appears this attack can only be exploited
by an IP with permission to perform recursive queries against
Deadwood.
This bug is fixed in Deadwood 3.2.05 and Deadwood 2.3.09. MaraDNS
2.0.09 and 1.4.14 have been updated to include Deadwood 3.2.05.
Note that this bug only affects users of the Deadwood recursive resolver.
CVE number: None
Impact: Remote denial of service
== My mistake ==
The mistake I have made was to make one of the core string handling
functions an overly complicated "swiss army knife" function; when it
comes to security, it's better to have two simple functions than one
overly complicated function.
Actually, these days, it's usually better to write something in a
scripting language which leads me to my...
== Job search update ==
I am slowly but surely getting interviews and phone screenings in my
job hunt. There actually is a lot more interest in my recent
experience with Python, PHP, and other scripting languages than with
my expertise in C (MaraDNS' primary language) and DNS.
If anyone has any pointers for a job which matches my skill set
(MaraDNS and DNS of course, but I was programming in Python, PHP, and
other scripting languages in my most recent job), please send me a
private email. My resume is here:
http://samiam.org/resume/
- Sam
More information about the list
mailing list