Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw

2013-01-18 Thread Sam Trenholme
Upstream here.  It's a six-line patch:

http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch

This should not be too difficult to apply.

Also, the security report is somewhat inaccurate.  Both MaraDNS and
Deadwood were never vulnerable to the Ghost Domain bug as described
in the original report...something said report points out. However,
the programs were vulnerable to caching records with a long
TTL...easily fixed by capping TTLs to only last one day.

Finally, MaraDNS 1.4 will no longer be supported by me on June 21,
2015.  Please be sure to update all MaraDNS packages to 2.0 before
then.

- Sam

--- maradns-1.4.11/server/recursive.c   2012-01-13 13:39:01.0 -0600
+++ maradns-1.4.12/server/recursive.c   2012-03-17 09:52:27.0 -0600
@@ -1370,6 +1370,10 @@
 ttl = js_readuint32(server_reply,offset);
 if(ttl == JS_ERROR)
 return JS_ERROR;
+if(ttl  20)
+ttl = 20;
+if(ttl  86400) /* One day; Ghost domain fix */
+ttl = 86400;
 offset += 4;
 /* Get the rdlength of the SOA record */
 rdlength = js_readuint16(server_reply,offset);
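Review bot: The new clamps after the JS_ERROR check hard-code 20 and 86400, the same bounds the later hunk applies to answer records; define both once as named constants so the SOA path and the answer path cannot drift apart on a future change. As archived here, the added conditions read `if(ttl  20)` and `if(ttl  86400)` with no comparison operator, so check them against the upstream patch file before applying.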
@@ -2019,8 +2023,8 @@
problems that Franky reported */
 if(ttl  20)
 ttl = 20;
-if(ttl  63072000) /* Two years */
-ttl = 63072000;
+if(ttl  86400) /* One day; Ghost domain fix */
+ttl = 86400;
 /* If this is a CNAME answer then we don't store it for over
  * 15 minutes */
 if(ttl  900  cname_original_record != 0)
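Review bot: The replacement comment on the upper bound, `/* One day; Ghost domain fix */`, names the bug but not the reasoning; say that the cap bounds how long a cached record can outlive its removal upstream, so a later reader does not raise it back toward the old two-year value. The comment could also state how this cap interacts with the 15-minute CNAME limit that follows, since both clamp the same variable in sequence.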

On Thu, Jan 17, 2013 at 3:42 AM, Jonathan Wiltshire j...@debian.org wrote:
> Package: maradns
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.7) - use target stable
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-rele...@lists.debian.org
> 1: http://prsc.debian.net/tracker/665012/
> 2: 201101232332.11736.th...@debian.org
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
> --
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw

2013-01-17 Thread Jonathan Wiltshire
Package: maradns

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/665012/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw

2012-03-22 Thread Giuseppe Iuculano
Package: maradns
Severity: serious
Tags: security

It was reported that MaraDNS suffers from a flaw where it is susceptible to
spoofing attacks.  Due to an error in the cache update policy, which
does not properly handle revoked domain names, a remote attacker could keep a
domain name resolvable after it has been deleted from the registration.

This flaw is fixed in versions 1.3.0.7.15 and 1.4.12, and is reported to
affect all prior versions.

References:

http://www.maradns.org/changelog.html
https://secunia.com/advisories/48492/
https://bugzilla.redhat.com/show_bug.cgi?id=804770 





Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw

2012-03-22 Thread Sam Trenholme
Upstream here:

Here are the affected versions of MaraDNS:

All MaraDNS 0 releases (Do NOT use; not maintained)
All MaraDNS 1.0 releases (Do NOT use; not maintained)
All MaraDNS 1.1 releases (Do NOT use; not maintained)
All MaraDNS 1.2 releases (Do NOT use; not maintained)
All MaraDNS 1.3 releases besides 1.3.07 (Do NOT use; not maintained)
All MaraDNS 1.3.07 releases before MaraDNS 1.3.07.15
All MaraDNS 1.4 releases before MaraDNS 1.4.12
All MaraDNS 2 releases before MaraDNS 2.0.06
All Deadwood 3 (subpackage of MaraDNS) releases before Deadwood 3.2.02
All Deadwood 2 releases besides 2.3 (Do NOT use; not maintained)
All Deadwood 2.3 releases before Deadwood 2.3.08

MaraDNS 1.3.07.15, 1.4.12, 2.0.06, as well as Deadwood 3.2.02 and
2.3.08 have been released to address this security bug.  It is
important that all MaraDNS users update to one of these versions.

Also: MaraDNS 1.3.07 will no longer be supported on December 21, 2012.
Please upgrade to MaraDNS 1.4 or 2.0 at your soonest convenience if
feasible.  Here is an update guide:

http://maradns.org/tutorial/update.html

Distributions and users who wish to continue, against my wishes,
supporting an outdated version of MaraDNS 1 may (or may not) be able
to update MaraDNS 1 by using this patch:

http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch

- Sam

On Thu, Mar 22, 2012 at 6:28 AM, Giuseppe Iuculano iucul...@debian.org wrote:
> Package: maradns
> Severity: serious
> Tags: security
>
> It was reported that MaraDNS suffers from a flaw where it is susceptible to
> spoofing attacks.  Due to an error in the cache update policy, which
> does not properly handle revoked domain names, a remote attacker could keep a
> domain name resolvable after it has been deleted from the registration.
>
> This flaw is fixed in versions 1.3.0.7.15 and 1.4.12, and is reported to
> affect all prior versions.
>
> References:
>
> http://www.maradns.org/changelog.html
> https://secunia.com/advisories/48492/
> https://bugzilla.redhat.com/show_bug.cgi?id=804770

