[1] RFC8482 responds to ANY in such a way as to not break Qmail
On Sat, Nov 26, 2022 at 10:34 AM Sam Trenholme wrote:
>
> Upstream here again. I have released MaraDNS 3.5.0030 and 3.4.09 with
> a security update: MaraDNS now fully supports RFC8482, which means
> MaraDNS no longer
Upstream here again. I have released MaraDNS 3.5.0030 and 3.4.09 with
a security update: MaraDNS now fully supports RFC8482, which means
MaraDNS no longer supports ANY records. [1] While MaraDNS does not
have long packet support, this removes one possible denial of service
amplification path.
If
Upstream here. I should probably summarize the security issues post
2.0.13; MaraDNS is the authoritative server and Deadwood is the
recursive server:
- A theoretical issue with the cryptographic code which doesn’t affect
gcc and clang compiles of Deadwood.
- An issue where a clever attacker could
.
Up to date information on MaraDNS’s security is available at
https://maradns.samiam.org/security.html
On Sat, Nov 2, 2019 at 6:54 AM Sam Trenholme wrote:
> Upstream here: Please close this bug.
>
> One can close this bug by removing the Python2 dependency.
>
> MaraDNS does not
> Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
> baking bread of all kinds
>
> On Sat, Dec 3, 2016, at 16:47, Sam Trenholme wrote:
>> CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug
>> reports.
>>
>> Here’s the deal: T
CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports.
Here’s the deal: The reporter had to patch MaraDNS before he was able
to crash her.
The patch, however, treats MaraDNS’ special buffer-overflow-resistant
“js_string” as if it were an ordinary string — but it’s not. Here’
ee there is probably a bug in MaraDNS -- but I
will not treat this as an "all hands on deck" packet-of-death level
security bug until we can send an actual packet of death over UDP to kill
MaraDNS.
On Sat, Dec 3, 2016 at 6:04 AM, Sam Trenholme wrote:
> Github bug: https://gi
Github bug: https://github.com/samboy/MaraDNS/issues/33
Please go here to get the latest updates from upstream about this issue.
On Sat, Dec 3, 2016 at 5:52 AM, Sam Trenholme wrote:
> Hello there,
>
> I have just become aware of this bug. Right now, I can reproduce the crash
> in C
Hello there,
I have just become aware of this bug. Right now, I can reproduce the crash
in Cygwin 64-bit, but am unable to reproduce the crash in my 32-bit CentOS6
development environment where I would actually be able to get a full stack
trace (which was not provided in the original bug report).
Upstream here. It's a six-line patch:
http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch
This should not be too difficult to apply.
Also, the security report is somewhat inaccurate. Both MaraDNS and
Deadwood were never vulnerable to the "Ghost Domain" bug as describe
Upstream here:
Here are the affected versions of MaraDNS:
All MaraDNS 0 releases (Do NOT use; not maintained)
All MaraDNS 1.0 releases (Do NOT use; not maintained)
All MaraDNS 1.1 releases (Do NOT use; not maintained)
All MaraDNS 1.2 releases (Do NOT use; not maintained)
All MaraDNS 1.3 releases