http://securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/ Security and the Net Mar. 05, 2009 Last week, Matthew Dempsky posted an attack against Dan Bernstein.s djbdns software. Djbdns is one of several alternatives for the popular BIND nameserver, and is backed by a unique security guarantee that offers $1000 to the first person to publicly report a verifiable security hole in djbdns. The problem found by Dempsky allows an attacker to poison DNS records: The security hole here is that an administrator that uses djbdns 1.05 to serve DNS content does not expect that configuring his name server as above will cause it to send records for names outside of burlap.dempsky.org. I.e., an attacker can trick the administrator.s name servers to include arbitrary DNS records in response to queries for names within domains he controls. Less than a week later, D.J. Bernstein has acknowledged that this was indeed a security issue: Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000. There will be a new release of djbdns soon that will fix this bug and will come with a new security guarantee. This is a big contrast with the way a supposed security issue in qmail was handled. In that case, Bernstein denied there was a security issue because "Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits." [...] _______________________________________________ Best Selling Security Books and More! http://www.shopinfosecnews.org/Received on Thu Mar 05 2009 - 23:01:22 PST
This archive was generated by hypermail 2.2.0 : Thu Mar 05 2009 - 23:07:21 PST