Date: Tue, 18 Feb 2014 18:59:33 +0100 From: Martin Prpic <mprpic@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings Hi, can a CVE be assigned to the following issue? It was reported that MaraDNS's recursive resolver, Deadwood, suffers from a flaw where string bounds checking was not done correctly under certain circumstances. As a result, it was possible for a remote attacker to send Deadwood a "packet of death", which would cause Deadwood to crash. Upstream notes that it currently appears that this attack can only be exploited by an IP address with a permission to perform recursive queries against Deadwood. It looks like these are the appropriate patches in git: https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093 https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3 References: http://samiam.org/blog/2014-02-12.html http://secunia.com/advisories/57033/ https://bugzilla.redhat.com/show_bug.cgi?id=1066609 -- Martin Prpič / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.