Bug 181128 - net-dns/maradns Denial of Service Vulnerabilities
Summary: net-dns/maradns Denial of Service Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25406/
Whiteboard: B3 [noglsa]
Reported: 2007-06-06 20:54 UTC by Lars Hartmann
Modified: 2007-06-09 20:49 UTC
Description Lars Hartmann 2007-06-06 20:54:21 UTC
Description:
Some vulnerabilities have been reported in MaraDNS, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) A memory leak error exists in the processing of DNS queries within the IPv6 code. This can be exploited to cause a DoS due to memory consumption by sending a specially crafted DNS query.

This vulnerability is reported in versions prior to 1.2.12.05.

2) Two memory leak errors exist in the processing of DNS queries. These can be exploited to cause a DoS due to memory consumption by sending specially crafted DNS queries with a header opcode different from 0 or a class different from 1.

These vulnerabilities are reported in versions prior to 1.2.12.06.

Solution:
Update to version 1.2.12.06.

Provided and/or discovered by:
1) The vendor credits Rani Assaf.
2) The vendor credits João Antunes.

Original Advisory:
http://www.maradns.org/changelog.html

Reproducible: Always
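
The query traits named in item 2 (header opcode other than 0, question class other than 1) can be read straight from the DNS wire format, which lets an operator count such queries reaching a server that is still waiting for the update. The following is an added example, not code from the advisory or from MaraDNS; the function name `classify_query` and the sample packets are constructed for illustration.

```python
import struct

# Constructed sample packets (DNS wire format), all asking for example.com type A.
QNAME = "076578616d706c6503636f6d00"
NORMAL = bytes.fromhex("123401000001000000000000" + QNAME + "00010001")  # opcode 0, class 1
STATUS = bytes.fromhex("123411000001000000000000" + QNAME + "00010001")  # opcode 2
CHAOS = bytes.fromhex("123401000001000000000000" + QNAME + "00010003")   # class 3


def classify_query(packet):
    """Return the reasons a DNS query falls outside opcode 0 / class 1."""
    if len(packet) < 12:
        return ["truncated header"]
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:          # QR bit set: a response, not a query
        return []
    reasons = []
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        reasons.append(f"opcode={opcode}")
    if qdcount == 0:
        return reasons
    pos = 12                    # first question starts right after the header
    while True:                 # walk the QNAME label by label
        if pos >= len(packet):
            return reasons + ["truncated question"]
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:       # compression pointers are not expected in a question
            return reasons + ["unexpected label type"]
        pos += length
    if pos + 4 > len(packet):
        return reasons + ["truncated question"]
    _qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        reasons.append(f"qclass={qclass}")
    return reasons


if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("status", STATUS), ("chaos", CHAOS)):
        print(label, classify_query(pkt))
```

Non-zero opcodes and non-IN classes also occur in legitimate DNS traffic, so a match is a reason to look at volume and source rather than proof of abuse.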
Comment 1 Lars Hartmann 2007-06-06 20:57:52 UTC
maintainers - please advise and bump as necessary
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2007-06-06 23:59:53 UTC
1.2.12.06 in cvs.
Comment 3 Lars Hartmann 2007-06-07 01:47:46 UTC
Arches please test and mark stable. Target keywords are:
maradns-1.2.12.06.ebuild:KEYWORDS="amd64 ppc sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-07 10:23:58 UTC
x86 stable
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-07 13:30:17 UTC
sparc stable.
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-06-07 23:26:27 UTC
amd64 done
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-09 14:21:07 UTC
ppc stable, ready for GLSA voting.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-09 16:48:44 UTC
I tend to vote NO.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 17:24:49 UTC
voting NO.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-09 20:49:17 UTC
No too. Feel free to reopen if you disagree.