JP Vossen on 5 Mar 2009 13:07:29 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] IT: Dan Bernstein Confirms Security Flaw In Djbdns
IT: Dan Bernstein Confirms Security Flaw In Djbdns
Posted by timothy on Thursday March 05, @03:52PM
from the gets-yer-money-and-takes-yer-chances dept.

secmartin writes:
	"Dan Bernstein has just admitted that a security issue has been found 
in the djbdns software [1], one of most popular alternatives for the 
BIND nameserver. As part of the djbdns security guarantee, $1000 will be 
paid to Matthew Dempsky, the researcher that found the bug. The bug 
allows a nameserver running djbdns to be poisoned [2] using just a 
single packet. Other researchers have found a separate issue [3] that 
allows dnscache, the DNS cache that is also part of the djbdns package, 
to be poisoned within just 18 minutes when using the default 
configuration. Anyone using djbdns is strongly encouraged to patch their 
servers immediately."

Reader emad contributes a link to the djbdns mailing list post 
containing both a patch and a sample exploit [4], and adds:
	"In the words of Dan Kaminsky (of recent DNS security fame) [5]: 
'However, Dempsky's bug in djb's tinydns is way more surprising, if only 
because ... holy crap, he pulled an exploitable scenario out of THAT?!'"


JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --