Under certain exceptional circumstances, it may have been possible to perform a blind spoofing attack against unpatched releases of Deadwood. The IP performing the blind spoofing attack needs to appear to have permission to perform full recursion with Deadwood in order to carry out the attack.
Upgrading will fix the bug. Then again, administrators who already perform good practices, making sure that only authorized IPs can use Deadwood recursively (pretty much mandatory in light of DNS amplification attacks) will only be affected by this bug if either a machine with an authorized IP is compromised, or if it is possible for the attacker to send the Deadwood server a packet with a spoofed IP.
This update was released today. MaraDNS 2.0.07d, Deadwood 3.2.03d, and MaraDNS 1.4.13 are patched against this bug. Deadwood 2.3.08 is not affected by this bug.
It can be downloaded here:
To post a comment about this blog entry, go to the forum (self-signed https). New accounts may post once I approve the account.