Sam Trenholme's webpage

MaraDNS security update

 

February 12 2014

Today, I celebrate my anniversary with my wife, release a MaraDNS security update, and post a couple links given to me in private email.

==¡Happy Anniversary Marina!==

The most important thing comes first:

Four years ago today, I had the great honor of marrying the most beautiful woman in the world. My life is infinitely better than it was when I was alone. It is a great honor to celebrate four years of marriage with Marina today. I LOVE YOU! May God continue to bless our marriage.

==MaraDNS security update==

I have released MaraDNS 2.0.09, MaraDNS 1.4.14, Deadwood 3.2.05, and Deadwood 2.3.09. This is an important stability and security update, and all MaraDNS users are encouraged to update at their earliest convenience.

==How to download==

Most MaraDNS users should download MaraDNS 2.0.09, which includes Deadwood 3.2.05:

http://maradns.org/download/2.0/2.0.09
https://sourceforge.net/projects/maradns/files/MaraDNS/2.0.09/

The GitHub version of MaraDNS has also been updated (it was actually the first version to be updated):

https://github.com/samboy/MaraDNS
git clone https://github.com/samboy/MaraDNS

It's also possible to download just Deadwood 3.2.05:

http://maradns.samiam.org/deadwood/stable/
https://sourceforge.net/projects/maradns/files/Deadwood/3.2.05/

People who are still using MaraDNS 1 may download MaraDNS 1.4.14 (source code "tarball" only):

http://maradns.samiam.org/download/1.4/
https://sourceforge.net/projects/maradns/files/MaraDNS/1.4.14/

Please note that MaraDNS 1 will stop being supported on June 21, 2015.

For anyone still using Deadwood 2.3, here are links to Deadwood 2.3.09:

http://maradns.samiam.org/deadwood/tiny/
https://sourceforge.net/projects/maradns/files/Deadwood/2.3.09/

Note that Deadwood 2.3 will stop being supported on June 21, 2016.

==Description of the problem==

There has been a long-standing bug in Deadwood (ever since 2007) where bounds checking for strings was not correctly done under some circumstances.

Because of this, it has been possible to send Deadwood a "packet of death" which will crash Deadwood. Since the attack causes out-of-bounds memory to be read, but not written to, the impact of the bug is denial of service. It appears this bug can only be exploited from an IP address with permission to perform recursive queries against Deadwood.

This bug is fixed in Deadwood 3.2.05 and Deadwood 2.3.09. MaraDNS 2.0.09 and 1.4.14 have been updated to include Deadwood 3.2.05.

Note that this bug only affects users of the Deadwood recursive resolver.

CVE number: None

Impact: Remote denial of service

==My mistake==

The mistake I made was turning one of the core string handling functions into an overly complicated "Swiss army knife" function; when it comes to security, it's better to have two simple functions than one overly complicated function.
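The design point above, as an added illustration that is not Deadwood's code: a constructed multi-mode reader (`knife_read`) whose single bounds check misses one of its modes, next to two single-purpose readers that each carry one bounds rule. The `bstr` type, the function and flag names, and the sample bytes are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical length-tracked string (illustration only, not Deadwood's type). */
typedef struct {
    const uint8_t *data;
    size_t len;                 /* number of valid bytes in data */
} bstr;

#define RD_WIDE     1           /* read 16 bits big-endian instead of 8 */
#define RD_FROM_END 2           /* offset counts back from the last byte */

/* One multi-mode function: each flag combination needs its own bounds rule.
 * This check covers one byte, so RD_WIDE at the last valid offset overreads. */
long knife_read(const bstr *s, size_t off, int flags)
{
    if (flags & RD_FROM_END) {
        if (off >= s->len) return -1;
        off = s->len - 1 - off;
    }
    if (off >= s->len) return -1;
    if (flags & RD_WIDE)
        return ((long)s->data[off] << 8) | s->data[off + 1];
    return s->data[off];
}

/* Two single-purpose functions: one bounds rule each, easy to audit. */
long bstr_get8(const bstr *s, size_t off)
{
    return off < s->len ? s->data[off] : -1;
}

long bstr_get16(const bstr *s, size_t off)
{
    /* Compare by subtraction so that off + 1 cannot wrap around. */
    if (s->len < 2 || off > s->len - 2) return -1;
    return ((long)s->data[off] << 8) | s->data[off + 1];
}

/* Constructed sample: 3 valid bytes, then 1 byte outside the string. */
static const uint8_t sample_buf[4] = { 0x12, 0x34, 0x56, 0xAA };
static const bstr sample = { sample_buf, 3 };

int main(void)
{
    printf("%ld %ld\n", knife_read(&sample, 2, RD_WIDE), bstr_get16(&sample, 2));
    return 0;
}
```

The sample keeps the extra byte inside the same array so the overread is observable without undefined behaviour; in a real heap buffer the same read would land in unrelated memory or an unmapped page.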

==VirtualBox host-only network==

A few months ago, I posted a blog entry showing how to set up a host-only network, as well as how to edit the registry to work around a bug in how VirtualBox sets up host-only networks. David gave me the following link:

http://teamchivers.com/?p=48

==Updated link for bulk polyhedral dice==

A couple of years ago, I posted a blog entry on buying bulk polyhedral dice (I was part of a role-playing game campaign at the time). Some of the links in that blog no longer work (one eBay supplier has since closed up shop), but William Joyner pointed out this new listing at Amazon:

http://www.amazon.com/gp/product/B00G1RPRUO
