Upstream here.  It's a six-line patch:

http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch

This should not be too difficult to apply.

Also, the security report is somewhat inaccurate.  Both MaraDNS and
Deadwood were never vulnerable to the "Ghost Domain" bug as described
in the original report...something said report points out. However,
the programs were vulnerable to caching records with a long
TTL...easily fixed by capping TTLs to only last one day.

Finally, MaraDNS 1.4 will no longer be supported by me on June 21,
2015.  Please be sure to update all MaraDNS packages to 2.0 before
then.

- Sam

--- maradns-1.4.11/server/recursive.c   2012-01-13 13:39:01.000000000 -0600
+++ maradns-1.4.12/server/recursive.c   2012-03-17 09:52:27.000000000 -0600
@@ -1370,6 +1370,10 @@
     ttl = js_readuint32(server_reply,offset);
     if(ttl == JS_ERROR)
         return JS_ERROR;
+    if(ttl < 20)
+        ttl = 20;
+    if(ttl > 86400) /* One day; Ghost domain fix */
+        ttl = 86400;
     offset += 4;
     /* Get the rdlength of the SOA record */
     rdlength = js_readuint16(server_reply,offset);
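Review bot: the floor of 20 and ceiling of 86400 added here after `ttl = js_readuint32(server_reply,offset);` are the same magic numbers as the clamp in the second hunk; a shared named constant (or a small clamp helper called at both sites) would keep the two limits from drifting apart in a later change. The ceiling carries a comment but the new 20-second floor does not; the second hunk attributes its floor to "problems that Franky reported", and a matching comment on this SOA path would tell the next reader why 20 and not 0.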
@@ -2019,8 +2023,8 @@
                problems that Franky reported */
             if(ttl < 20)
                 ttl = 20;
-            if(ttl > 63072000) /* Two years */
-                ttl = 63072000;
+            if(ttl > 86400) /* One day; Ghost domain fix */
+                ttl = 86400;
             /* If this is a CNAME answer then we don't store it for over
              * 15 minutes */
             if(ttl > 900 && cname_original_record != 0)
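Review bot: replacing the two-year cap (63072000) with one day (86400) changes behaviour for every legitimately long-lived record, not only for the ghost-domain case: any answer with a TTL above a day is now refetched from upstream daily, so the cost is more upstream queries, and that trade-off belongs in the changelog or documentation next to the security rationale. Since the ceiling now has a real operational effect, consider exposing it as a configuration option with 86400 as the default instead of a hard-coded literal. The ordering is correct as written: the new cap runs before the existing 900-second CNAME check, so CNAME answers still receive the tighter limit.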

On Thu, Jan 17, 2013 at 3:42 AM, Jonathan Wiltshire <j...@debian.org> wrote:
> Package: maradns
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.7) - use target "stable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-rele...@lists.debian.org
> 1: http://prsc.debian.net/tracker/665012/
> 2: <201101232332.11736.th...@debian.org>
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
> --
> Jonathan Wiltshire                                      j...@debian.org
> Debian Developer                         http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
>

