Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201111-06 ] MaraDNS: Arbitrary code execution
Date: Sun, 20 Nov 2011 18:29:40
Message-Id: 201111201912.58117.a3li@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: MaraDNS: Arbitrary code execution
     Date: November 20, 2011
     Bugs: #352569
       ID: 201111-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in MaraDNS allows remote attackers to
execute arbitrary code or cause a Denial of Service.

Background
==========

MaraDNS is a proxy DNS server with permanent caching.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-dns/maradns              < 1.4.06                   >= 1.4.06

Description
===========

A long DNS hostname with a large number of labels could trigger a
buffer overflow in the compress_add_dlabel_points() function of
dns/Compress.c.

Impact
======

A remote unauthenticated attacker could execute arbitrary code or cause
a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MaraDNS users should upgrade to the latest stable version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-dns/maradns-1.4.06"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since February 12, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2011-0520
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0520

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201111-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature
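
Added example, not part of the advisory and not MaraDNS code: the Description attributes the overflow to a hostname with a large number of labels, so this C example walks a wire-format name and records each label's offset in a fixed-size table with every write bounds-checked. The function names, the offset table and the generated sample name are assumptions made for illustration; the length limits are those of RFC 1035.

```c
/* Illustrative code, not from MaraDNS; all names here are hypothetical. */
#include <stddef.h>

#define MAX_NAME_OCTETS  255   /* RFC 1035: whole name, including root octet */
#define MAX_LABEL_OCTETS 63    /* RFC 1035: one label */
#define MAX_LABELS       127   /* most labels a 255-octet name can hold */

/* Walk an uncompressed wire-format name and store each label's start
 * offset in points[]. Returns the label count, or -1 if the name is
 * malformed, over-long, or has more labels than the table can hold. */
int record_label_points(const unsigned char *wire, size_t wire_len,
                        size_t *points, size_t max_points)
{
    size_t pos = 0, count = 0;

    for (;;) {
        if (pos >= wire_len || pos >= MAX_NAME_OCTETS)
            return -1;               /* ran off the input or past 255 octets */
        size_t len = wire[pos];
        if (len == 0)
            return (int)count;       /* root label ends the name */
        if (len > MAX_LABEL_OCTETS)
            return -1;               /* compression pointer or reserved bits */
        if (len > wire_len - pos - 1)
            return -1;               /* label body is truncated */
        if (count >= max_points)
            return -1;               /* table full: reject, never write */
        points[count++] = pos;
        pos += len + 1;
    }
}

/* Constructed sample input: a name made of n one-octet labels ("a.a.a...").
 * Returns what record_label_points() reports for a table of table_size. */
int check_generated_name(size_t n, size_t table_size)
{
    unsigned char wire[2 * 200 + 1];
    size_t points[200];
    size_t i;

    if (n > 200 || table_size > 200)
        return -2;                   /* outside this demo's buffers */
    for (i = 0; i < n; i++) {
        wire[2 * i] = 1;
        wire[2 * i + 1] = 'a';
    }
    wire[2 * n] = 0;
    return record_label_points(wire, 2 * n + 1, points, table_size);
}
```

A table of MAX_LABELS entries is enough for any name that passes the 255-octet check, because each label occupies at least two octets and the root takes one.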