Date: Tue, 18 Feb 2014 18:59:33 +0100
From: Martin Prpic <mprpic@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings

Hi,

can a CVE be assigned to the following issue?

It was reported that MaraDNS's recursive resolver, Deadwood, suffers from a flaw where string bounds checking was not done correctly under certain circumstances. As a result, it was possible for a remote attacker to send Deadwood a "packet of death", which would cause Deadwood to crash.

Upstream notes that it currently appears that this attack can only be exploited by an IP address with a permission to perform recursive queries against Deadwood.

It looks like these are the appropriate patches in git:

https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093
https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3

References:

http://samiam.org/blog/2014-02-12.html
http://secunia.com/advisories/57033/
https://bugzilla.redhat.com/show_bug.cgi?id=1066609

--
Martin Prpič / Red Hat Security Response Team