tags 844121 + wontfix
notfound 844121 2.0.13-1.2
thanks
Hi all
In the meantime, the CVEs were properly rejected by MITRE. I'm closing
this bug report now.
Regards,
Salvatore
Thank you for verifying this is not a bug. I would rather have a false
bug report than have a real security issue out there that I’m not
aware of.
I should explain why the MaraDNS code is so messy and hard to follow:
Back in 2001, there was precisely one and only one open-source DNS
server:
Greetings,
The CERT/CC is tracking this as VR-554, please retain VR-554 in the subject of
future replies related to this issue.
Considering the issue and CVE IDs are already being publicly discussed, we are
unlikely to take further action at this
Sam and others,
I most deeply apologize, you are right in your assessment.
I somehow missed the extra four additional sanity checks at the
beginning of the getudp() function that seem to catch the error
conditions on those input buffers.
Cheers,
--
Ondřej Surý
Knot DNS
CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports.
Here’s the deal: The reporter had to patch MaraDNS before he was able
to crash her.
The patch, however, treats MaraDNS’ special buffer-overflow-resistant
“js_string” as if it were an ordinary string — but it’s not.