CVE-2010-2444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2444): parse/Csv2_parse.c in MaraDNS 1.3.03, and other versions before 1.4.03, does not properly handle hostnames that do not end in a "." (dot) character, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted csv2 zone file.
Additional research required here, maybe the maintainer knows more? When will 1.4.x go stable?
FYI, the link to maradns-1.4.02-parse_segfault.patch at maradns.org from NVD is br0ken. RedHat keeps local copy https://bugzilla.redhat.com/show_bug.cgi?id=600741 CAUSION: i haven't used net-dns/maradns.
1.4.03 in cvs. its fixed by upstream. please mark stable 1.4.03.
Arches, please test and mark stable: =net-dns/maradns-1.3.07.09-r1 Target keywords : "amd64 ppc sparc x86"
Which one do you want? 1.4.03 or 1.3.07.09-r1 ( comments #3 and #4 )
Sorry, that was an accident with the automatic script we use to generate the message. As you said in #3, 1.4.03 can be marked stable, so we take the newer version: Arches, please test and mark stable: =net-dns/maradns-1.4.03 Target keywords : "amd64 ppc sparc x86"
Just for your notice: * QA Notice: Files built without respecting LDFLAGS have been detected * Please include the following list of files in your report: * /usr/sbin/zoneserver * /usr/sbin/maradns * /usr/bin/getzone * /usr/bin/askmara * /usr/bin/fetchzone * /usr/bin/duende
x86 stable
I patched the ebuild to respect LDFLAGS marked stable for amd64
sparc stable
Marked ppc stable.
GLSA Vote: No.
Vote: NO, closing noglsa.
