Package: maradns
Version: 1.2.12.05

Hello everyone, this is upstream for the package maradns.

There is an important security hole that has been patched in MaraDNS
1.2.12.06.  The impact of this security hole is: Remote denial of
service.  In more detail, the security problem allows a remote
attacker to cause MaraDNS to allocate an arbitrarily large amount of
memory.

MaraDNS 1.2.12.06 resolves this issue.

Now, I'm a little frustrated with the Debian bureaucracy.  As it turns
out, the 1.2 branch is a STABLE branch.  I don't add new features to
this branch.  I only add bugfixes that are unlikely to cause problems.
Compared to MaraDNS 1.2.12.04, the only changes in 1.2.12.06 are as
follows:

* LOC records with a precision that is a multiple of 10 now work.

* Memory leak found by Rani Assaf plugged.

* Whether to give a NXDOMAIN or a "not there" reply with star records
fixed to be RFC1034 and RFC4074 compliant.

* Hosts in a csv2_default_zonefile now correctly return a "not there"
instead of a NXDOMAIN (unless there is no host of any RR type that
matches the desired name).

* João Antunes' Predator tool found two memory leaks. Fixed.

These are really minor bugfixes.  The patches probably total less than
250 lines of code.  These fixes fix RFC violations that cause
real-world problems (well, except for the "be anal" fix that makes
host names with stars 100% RFC1034 section 4.3.3 compliant, but that's
disabled by default), or security issues (three, count them, three
remote memory leaks).  I see no reason whatsoever to stay with
1.2.12.04.

It's ultimately your decision whether to stay with maradns-1.2.12.04
or allow Debian's users to update to a bug fix release that adds no
features and only fixes bugs.  But, the idea that a software release
with more bugs, including security bugs, is somehow more stable just
because it has been around is rather silly.

Anyway, enough of my rant.  1.2.12.06 is available at the following places:

http://www.maradns.org/download.html
http://sourceforge.net/projects/maradns
http://hotaru.chaosring.org/~sam/maradns-1.2.12.06/

And I would like to see Debian update to this release.

Thank you for your time,

- Sam (MaraDNS upstream)
