Poslib multiple vulnerabilities fix [23-12-2003]
================================================

Overview
--------

This document addresses three known vulnerabilities in Poslib 1.0.x, and
their solutions.

Products affected
-----------------

o Poslib, all versions prior to 1.0.2-1

The Posadis DNS server depends on Poslib. The Windows version of Posadis
comes with Poslib bundled with it, so it should be updated as a whole to
fix these issues. For other operating systems, upgrading Poslib alone is
enough to fix Poslib-dependent applications.

Details
-------

Two people reported problems with Poslib 1.0.2 after its release:

o IP spoofing flood

  Poslib answers queries whose QA bit (the bit that determines whether a
  message is a query or an answer) is set to 'answer'. If one succeeds in
  sending a query spoofed from a Poslib-based server address to a
  Poslib-based server, the servers will flood each other with useless DNS
  messages. This problem was reported by roy at dnss.ec.

o Pthreads detach leak

  Poslib uses pthreads to create threads, but forgets to detach threads
  when they're closed down, causing a memory leak every time a thread
  closes down. This problem was reported by dou0228 at msn.com.

o Crash when out of threads

  When Poslib is out of threads, it dismisses further incoming queries by
  sending back a "server failure" message. In doing this, however, it
  asserts that the query has an entry in the question section. So if a
  malicious client sends an incorrect DNS query with an empty question
  section while the server is out of threads, a crash occurs. This problem
  was reported by dou0228 at msn.com.

Fix
---

New builds of Poslib 1.0.2 that address these three issues can be found
at the Posadis download page:

  http://www.posadis.org/download.php

On this page, you will find a patch for Poslib 1.0.2 as well as upgraded
source and binary packages.

Contact
-------

For more information, I can be reached at meilof@users.sourceforge.net

Changelog
---------

o Tue 23 Dec 2003: Initial release
o Tue 23 Dec 2003: Fixed typo: 'RA' should be 'QA', removed dot after
  email address
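As an added illustration, not Poslib's code and not the patch from the download page, the following C sketch shows the two message-handling checks that the first and third issues above call for: a server should never answer a message whose query/answer bit is already set to 'answer' (otherwise two servers can be made to bounce messages at each other), and it should not touch the question section of a message whose question count is zero, even on the error path where it only wants to return "server failure". The names dns_classify, dns_build_error_reply and the sample packets are assumptions of this example; the packets are constructed by hand for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Example code, not from Poslib. Works on the 12-byte DNS wire header. */
#define DNS_HEADER_LEN 12
#define DNS_RCODE_FORMERR  1
#define DNS_RCODE_SERVFAIL 2

enum dns_action {
    DNS_ACT_ANSWER, /* genuine query: go on and process it               */
    DNS_ACT_DROP,   /* message is itself an answer (QR set): drop it     */
    DNS_ACT_REJECT  /* malformed or empty question: error reply, no parse */
};

struct dns_header {
    uint16_t id;
    int      qr;      /* 0 = query, 1 = answer */
    unsigned opcode;
    uint16_t qdcount, ancount, nscount, arcount;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer is too short to hold a header. */
int dns_parse_header(const uint8_t *msg, size_t len, struct dns_header *h)
{
    if (len < DNS_HEADER_LEN) return -1;
    h->id      = be16(msg);
    h->qr      = (msg[2] & 0x80) != 0;      /* top bit of byte 2 */
    h->opcode  = (msg[2] >> 3) & 0x0f;
    h->qdcount = be16(msg + 4);
    h->ancount = be16(msg + 6);
    h->nscount = be16(msg + 8);
    h->arcount = be16(msg + 10);
    return 0;
}

/* Decide what to do with an incoming message before any question parsing. */
enum dns_action dns_classify(const uint8_t *msg, size_t len)
{
    struct dns_header h;
    if (dns_parse_header(msg, len, &h) != 0) return DNS_ACT_REJECT;
    if (h.qr) return DNS_ACT_DROP;          /* never answer an answer */
    if (h.qdcount == 0) return DNS_ACT_REJECT; /* no question entry exists */
    return DNS_ACT_ANSWER;
}

/* Build an error reply from the header alone. Because no question is copied,
 * this path is safe to use for messages with an empty question section, which
 * is exactly the case the "out of threads" crash hit. Returns bytes written. */
size_t dns_build_error_reply(const uint8_t *msg, size_t len, uint8_t rcode,
                             uint8_t *out, size_t outlen)
{
    if (len < DNS_HEADER_LEN || outlen < DNS_HEADER_LEN) return 0;
    memcpy(out, msg, 2);                          /* echo the ID          */
    out[2] = (uint8_t)(0x80 | (msg[2] & 0x79));   /* QR=1, keep opcode+RD */
    out[3] = (uint8_t)(rcode & 0x0f);             /* RA=0, Z=0, RCODE     */
    memset(out + 4, 0, 8);                        /* all counts zero      */
    return DNS_HEADER_LEN;
}

/* Constructed sample packets (headers only). */
static const uint8_t sample_query[12]    = {0x12,0x34,0x01,0x00,0x00,0x01,0,0,0,0,0,0};
static const uint8_t sample_response[12] = {0x12,0x34,0x81,0x80,0x00,0x01,0x00,0x01,0,0,0,0};
static const uint8_t sample_empty_q[12]  = {0x56,0x78,0x01,0x00,0x00,0x00,0,0,0,0,0,0};
static const uint8_t sample_short[5]     = {0x56,0x78,0x01,0x00,0x00};

int main(void)
{
    static const char *names[] = {"answer", "drop", "reject"};
    uint8_t reply[DNS_HEADER_LEN];
    size_t n;

    printf("normal query:      %s\n", names[dns_classify(sample_query, sizeof sample_query)]);
    printf("spoofed answer:    %s\n", names[dns_classify(sample_response, sizeof sample_response)]);
    printf("empty question:    %s\n", names[dns_classify(sample_empty_q, sizeof sample_empty_q)]);
    printf("truncated header:  %s\n", names[dns_classify(sample_short, sizeof sample_short)]);

    n = dns_build_error_reply(sample_empty_q, sizeof sample_empty_q,
                              DNS_RCODE_SERVFAIL, reply, sizeof reply);
    printf("servfail reply: %zu bytes, flags 0x%02x%02x\n", n, reply[2], reply[3]);
    return 0;
}
```

Dropping rather than answering messages with the answer bit set is what breaks the spoofing loop: a server that receives another server's reply has nothing to say back. Building the "server failure" reply from the header only means the out-of-threads path never has to assert on a question entry at all.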