Upstream here: Here are the affected versions of MaraDNS:

All MaraDNS 0 releases (Do NOT use; not maintained)
All MaraDNS 1.0 releases (Do NOT use; not maintained)
All MaraDNS 1.1 releases (Do NOT use; not maintained)
All MaraDNS 1.2 releases (Do NOT use; not maintained)
All MaraDNS 1.3 releases besides 1.3.07 (Do NOT use; not maintained)
All MaraDNS 1.3.07 releases before MaraDNS 1.3.07.15
All MaraDNS 1.4 releases before MaraDNS 1.4.12
All MaraDNS 2 releases before MaraDNS 2.0.06
All Deadwood 3 (subpackage of MaraDNS) releases before Deadwood 3.2.02
All Deadwood 2 releases besides 2.3 (Do NOT use; not maintained)
All Deadwood 2.3 releases before Deadwood 2.3.08

MaraDNS 1.3.07.15, 1.4.12, 2.0.06, as well as Deadwood 3.2.02 and 2.3.08 have been released to address this security bug. It is important that all MaraDNS users update to one of these versions.

Also: MaraDNS 1.3.07 will no longer be supported on December 21, 2012. Please upgrade to MaraDNS 1.4 or 2.0 at your soonest convenience if feasible. Here is an update guide:

http://maradns.org/tutorial/update.html

Distributions and users who wish to continue, against my wishes, supporting an outdated version of MaraDNS 1 may (or may not) be able to update MaraDNS 1 by using this patch:

http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch

- Sam

On Thu, Mar 22, 2012 at 6:28 AM, Giuseppe Iuculano <iucul...@debian.org> wrote:
> Package: maradns
> Severity: serious
> Tags: security
>
> It was reported that MaraDNS suffers from a flaw where it is susceptible to
> spoofing attacks. Due to an error in the cache update policy, which
> does not properly handle revoked domain names, a remote attacker could keep a
> domain name resolvable after it has been deleted from the registration.
>
> This flaw is fixed in versions 1.3.0.7.15 and 1.4.12, and is reported to
> affect all prior versions.
>
> References:
>
> http://www.maradns.org/changelog.html
> https://secunia.com/advisories/48492/
> https://bugzilla.redhat.com/show_bug.cgi?id=804770
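
The affected-version list above, turned into an inventory check. This is an added example and not part of the original email or of MaraDNS; the host names, the inventory rows and the function names are constructed for illustration.

```python
# Added example: triage an inventory against the affected-version list above.
# Branch prefix -> first fixed release; None = unmaintained branch, no fix.
BRANCHES = {
    "maradns": {
        (0,): None, (1, 0): None, (1, 1): None, (1, 2): None, (1, 3): None,
        (1, 3, 7): (1, 3, 7, 15), (1, 4): (1, 4, 12), (2,): (2, 0, 6),
    },
    "deadwood": {(2,): None, (2, 3): (2, 3, 8), (3,): (3, 2, 2)},
}

def parse_version(text):
    """'1.3.07.15' -> (1, 3, 7, 15); zero padding is not significant."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(package, version):
    """Return 'fixed', 'affected', 'unmaintained' or 'not listed'."""
    branches = BRANCHES.get(package.lower())
    if branches is None:
        return "not listed"
    v = parse_version(version)
    # Longest matching prefix wins, so 1.3.07.x is judged on its own branch
    # rather than falling under the unmaintained 1.3 line.
    for length in range(len(v), 0, -1):
        if v[:length] in branches:
            fixed = branches[v[:length]]
            if fixed is None:
                return "unmaintained"
            return "fixed" if v >= fixed else "affected"
    return "not listed"

def flag_hosts(inventory):
    """Yield (host, package, version, status) for every row that is not fixed."""
    for host, package, version in inventory:
        status = classify(package, version)
        if status != "fixed":
            yield host, package, version, status

SAMPLE_INVENTORY = [  # constructed hosts and versions
    ("ns1.example.net", "maradns", "1.4.11"),
    ("ns2.example.net", "maradns", "1.3.07.15"),
    ("cache1.example.net", "deadwood", "3.2.01"),
    ("legacy.example.net", "maradns", "1.2.12.10"),
]

if __name__ == "__main__":
    for row in flag_hosts(SAMPLE_INVENTORY):
        print(*row)
```

Versions newer than the release lines named in the email come back as "not listed" and need a manual look.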