oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

adns (dns resolver library) multiple vulns

From: Ian Jackson <ijackson () chiark greenend org uk>
Date: Thu, 11 Jun 2020 19:35:57 +0100
Hi.  I'm the upstream maintainer for adns.  There were outstanding
security problems which I have sat on for far too long, but I have now
finally dealt with them properly.  My apologies.

The fixes have incorporated in adns 1.5.2 and 1.6.0.  See the release
announcement here:
  https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html

If you prefer to apply specific patches, the relevant commits are
in my git repository:
  https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/adns.git/
  https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/githttp/adns.git
in this commit range
  2f6e879e0fca1715d5c5946bcedb4f821ce64d77..bb4e05849170034447d60a6f7cb71d5f255b0ecc
(which you will find is covered by the signed tag adns-1.5.2).

The most serious problems are remote code execution, within the
adns-using application, exploitable by the local recursive resolver.

Thanks for your attention.

Ian.

-- 
Ian Jackson <ijackson () chiark greenend org uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
Previous By Date Next
Previous By Thread Next

Current thread: