It was reported [1],[2] that MaraDNS's recursive resolver, Deadwood, suffers from a flaw where string bounds checking was not done correctly under certain circumstances. As a result, it was possible for a remote attacker to send Deadwood a "packet of death", which would cause Deadwood to crash. Upstream notes that it currently appears that this attack can only be exploited by an IP address with a permission to perform recursive queries against Deadwood. It looks like these are the appropriate patches in git: https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093 https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3 [1] http://samiam.org/blog/2014-02-12.html [2] http://secunia.com/advisories/57033/
Created maradns tracking bugs for this issue: Affects: fedora-all [bug 1066611] Affects: epel-5 [bug 1066612]
F20 update went stable few days ago. Please check facts before opening such bugs. F19 update waits for testers. I don't care about EPEL.
(In reply to Tomasz Torcz from comment #2) > F20 update went stable few days ago. Please check facts before opening such > bugs. > F19 update waits for testers. > I don't care about EPEL. Please don't close SRT bugs. This bug was not assigned to you, so please don't close it. We don't care whether you care about EPEL. The maintainer should care about it. If you're the maintainer of the EPEL version, then I'd suggest we have a problem and maybe someone who _does_ care should take care of it (since it is shipped and, presumably, supported in EPEL5).
Also, instead of making some rude comments, you could have pointed to the fixed packages: https://admin.fedoraproject.org/updates/FEDORA-2014-2421 (maradns-2.0.09-1.fc20) https://admin.fedoraproject.org/updates/FEDORA-2014-2439 (maradns-2.0.09-1.fc19, but this one is currently in testing, not stable)
(In reply to Vincent Danen from comment #3) > We don't care whether you care about EPEL. The maintainer should care about > it. If you're the maintainer of the EPEL version, then I'd suggest we have > a problem and maybe someone who _does_ care should take care of it (since it > is shipped and, presumably, supported in EPEL5). Or have it removed if it's unmaintained: https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life#EPEL
MITRE assigned the following CVEs: CVE-2014-2031 https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093 CVE-2014-2032 https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3 Reference: http://seclists.org/oss-sec/2014/q1/399