Sam Trenholme's webpage
Support this website

MaraDNS 2.0.12


August 19 2015

I have released MaraDNS 2.0.12 to fix a security bug in the zoneserver daemon. All users are encouraged to update to this version of MaraDNS.

==The bug==

I got a GitHub bug report about MaraDNS’ zoneserver program getting a segmentation fault. In the stack trace, free() was being called against a memory location whose value was uninitialized (and therefore random).

This bug allows a denial of service attack; by making the zoneserver daemon free an invalid memory location, it was possible to terminate the zoneserver process. I do not know whether or not this bug is remotely exploitable.

==The fix==

I now always initialize the memory location in question.

Because of the nature of this bug, I have made a MaraDNS 2.0.12 release to fix this bug. It can be downloaded here:

As I have promised before, I am no longer updating the Sourceforge version of MaraDNS. People may download MaraDNS from the MaraDNS web site, or from GitHub:
==MaraDNS 1==

This bug impacts MaraDNS 1. I will not fix this bug in older versions of MaraDNS; I have given users a three-year warning that MaraDNS 1 is no longer supported. All MaraDNS 1 users need to upgrade to MaraDNS 2.

==Other changes in MaraDNS 2.0.12==

In addition to fixing this bug, MaraDNS 2.0.12 updates Deadwood (documentation updates and increased maxprocs values), fixes zoneserver to work with newer versions of dig, and has a number of documentation updates.

==Future MaraDNS plans==

When and if becomes live and offers free HTTPS certificates, I will get a free wildcard cert for and start serving MaraDNS over SSL (TLS).

Unless another security bug comes up, my next MaraDNS and Deadwood release will be in the late summer of 2016.

Comments are closed