New MaraDNS CVE: 2012-1570


March 22 2012

In today's blog entry, I discuss CVE-2012-1570 as well as Deadwood 2.3.


CVE-2012-1570 is the CVE number assigned for MaraDNS updates made in light of the "ghost domain" bug. I have already updated Deadwood as well as the legacy MaraDNS 1 branch; this CVE just formally declares these updates to be serious security updates.

Here is a rundown of all MaraDNS versions affected by the ghost domain security bug:

  • All MaraDNS 0 releases with recursion (Do NOT use; not maintained)
  • All MaraDNS 1.0 releases (Do NOT use; not maintained)
  • All MaraDNS 1.1 releases (Do NOT use; not maintained)
  • All MaraDNS 1.2 releases (Do NOT use; not maintained)
  • All MaraDNS 1.3 releases besides 1.3.07 (Do NOT use; not maintained)
  • All MaraDNS 1.3.07 releases before MaraDNS
  • All MaraDNS 1.4 releases before MaraDNS 1.4.12
  • All MaraDNS 2 releases before MaraDNS 2.0.06
  • All Deadwood 3 (subpackage of MaraDNS) releases before Deadwood 3.2.02
  • All Deadwood 2 releases besides 2.3 (Do NOT use; not maintained)
  • All Deadwood 2.3 releases before Deadwood 2.3.08

The following releases address this bug: MaraDNS, 1.4.12, 2.0.06, as well as Deadwood 3.2.02 and Deadwood 2.3.08. It is very important that all MaraDNS users update to one of these versions.

Please note that MaraDNS 1.3.07 will no longer be supported after December 21, 2012. Please upgrade to MaraDNS 1.4 or 2.0 as soon as feasible. Here is an update guide:

Distributions and users who wish to continue, against my wishes, supporting an outdated version of MaraDNS 1 may (or may not) be able to update MaraDNS 1 by using this patch:

Deadwood update

As noted above, I have updated the older "tiny" branch of Deadwood to address the important "ghost domain" bug; Deadwood 2.3.08 has been released.

This took all morning to do; the "tiny" branch has diverged from the main branch of Deadwood enough that it was necessary to completely redo the patch by hand.

After doing that, a number of SQA regressions failed because CentOS 5 has changed enough since the last time I ran the Deadwood 2.3 regressions: has a different A record, netstat's output format has changed, and Valgrind complains about "possibly lost" memory it wasn't complaining about before. I had to verify the failed SQA regressions were caused by issues external to Deadwood, and that the code changes did not break anything.

It can be downloaded here:

At this point, I am only supporting Deadwood 2.3 for security and other critical bugs. Deadwood 2.3 only makes sense if one is in an environment where it's better to have a 32 kilobyte non-recursive DNS cache instead of a 64 kilobyte fully recursive DNS cache.

Also: Because of how Deadwood 2.3 works, records with TTLs longer than one day will show a longer TTL when said record is retrieved. This update only affects how long the record is stored in Deadwood 2.3's cache. If there is any suspicion that resolvers downstream from a Deadwood 2.3 cache honor large TTLs, please upgrade to Deadwood 3. Also note that Deadwood 2.3 doesn't properly age TTLs.
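The caveat above (a Deadwood 2.3 cache keeps a long-TTL record for at most a day but still hands back the original TTL, so a downstream resolver that honours it keeps the record much longer) is easier to see with a small model. This is an added example, not Deadwood's code; the two cache classes, the one-day cap constant, and the sample name and address are assumptions made for the illustration.

```python
ONE_DAY = 86400
WEEK = 7 * ONE_DAY
NAME, ADDR = "example.test.", "192.0.2.1"  # constructed sample record

class CappedCache:
    """Model of the Deadwood 2.3 behaviour described in the post: a record is
    stored for at most one day, but the TTL returned is the original, un-aged
    value. Written for this example; not taken from Deadwood's source."""
    def __init__(self):
        self.entries = {}  # name -> (rdata, original_ttl, drop_at)

    def store(self, name, rdata, ttl, now):
        self.entries[name] = (rdata, ttl, now + min(ttl, ONE_DAY))

    def lookup(self, name, now):
        rdata, ttl, drop_at = self.entries.get(name, (None, 0, 0))
        if rdata is None or now >= drop_at:
            return None
        return rdata, ttl  # original TTL even if the record is hours old

class AgingCache:
    """A cache that keeps a record for its full TTL and returns the remaining
    lifetime, as a downstream resolver that honours what it is told would."""
    def __init__(self):
        self.entries = {}  # name -> (rdata, expires_at)

    def store(self, name, rdata, ttl, now):
        self.entries[name] = (rdata, now + ttl)

    def lookup(self, name, now):
        rdata, expires_at = self.entries.get(name, (None, 0))
        if rdata is None or now >= expires_at:
            return None
        return rdata, expires_at - now

def days_served(ttl, query_at=0):
    """Walk forward a day at a time and report on which days the capped
    upstream cache and a downstream aging cache still answer for NAME."""
    upstream = CappedCache()
    upstream.store(NAME, ADDR, ttl, now=0)
    downstream = AgingCache()
    answer = upstream.lookup(NAME, query_at)
    if answer:  # downstream resolver fetches through the capped cache
        downstream.store(NAME, *answer, now=query_at)
    up, down = [], []
    for day in range(9):
        t = day * ONE_DAY
        if upstream.lookup(NAME, t):
            up.append(day)
        if downstream.lookup(NAME, t):
            down.append(day)
    return up, down
```

With a one-week TTL the capped cache stops answering after day 0 while the downstream cache keeps the record through day 6, which is the exposure the post warns about.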

I plan to work on MaraDNS/Deadwood again one day next month, after the 20th, unless another critical security bug is found.

