--- maradns-1.4.02/doc/en/webpage/security.embed 2009-08-04 11:52:42.000000000 -0500
+++ maradns-1.4.03/doc/en/webpage/security.embed 2010-02-02 11:10:21.000000000 -0600
@@ -2,7 +2,7 @@
<i>For people who just want to quickly get current with MaraDNS' security
history should jump to the <A href="#history">history section</A>. Note
-that MaraDNS last reported security problem was on August 29, 2007</i><p>
+that MaraDNS last reported security problem was on February 2, 2010</i><p>
MaraDNS should be a secure DNS server.
@@ -317,4 +317,31 @@
Impact: Remote denial of service.
+A bug introduced in MaraDNS 1.3.03 (January 2007): Hostnames that
+incorrectly not end with a dot result in a string being deallocated then used.
+MaraDNS 1.2 does not have this issue.
+This issue can <b>not</b> be exploited from zones loaded using DNS's zone
+transfer mechanism; fetchzone filters data obtained this way. This issue
+can <b>only</b> be exploited in the unusual case of an attacker having control
+of the contents of a csv2 zone file to be parsed by MaraDNS.
+This issue, on Linux systems, results in a null pointer dereference that
+terminates that MaraDNS process.
+This issue was fixed in MaraDNS 1.4.03 and 1.3.07.10, released February 2,
+Impact: Denial of service.