
Libevent 1.4.8-stable released

This is another bug fix release. Here are the problems fixed in this one:

  • Match the query in DNS replies to the query in the request; from Vsevolod Stakhov.
  • Fix a merge problem in which name_from_addr returned pointers to the stack; found by Jiang Hong.
  • Do not remove Accept-Encoding header.

You can download the source from the usual place:

Categories: Libevent, News

Libevent 1.4.7-stable released

You can download the source from the usual place:

This release fixes a bug where headers arriving in multiple packets were not parsed. The bug fix is from Jiang Hong. Thank you.
Categories: Libevent, News

Holger Errikos Egmont Provos

Getting ready for USENIX Security

This week is going to be crazy busy with HotSec and USENIX Security in San Jose. I am chairing the HotSec workshop tomorrow. We were able to get a pretty nice program this year. At USENIX Security, I am going to give two talks. One is in the technical program talking about "All Your iFrames Point to Us" and the other one is an invited talk on web-based malware on Friday. I am still working on the slides.

Libevent 1.4.6-stable released

With all the DNS stuff that is going on at the moment, it took longer than planned to release libevent 1.4.6-stable, but here it is. You can download the source from the usual place:

This was meant to be a quick bug fix release, but a number of changes have crept in. Here's a brief summary:

  • Several HTTP fixes
    • Corrected handling of trailing headers in chunked replies
    • Correctly deal with multi-line HTTP headers
  • Improved signal handling for kqueue and epoll backends
  • Various other bug fixes
See the changelog for full details.

We would like to thank the people who have reported bugs and patches including Scott Lamb, Moshe Litvin, Alexander Drozdov, Adam Langley, Ian Bell and others. To report a bug, make a feature request, or submit code, you can use our SourceForge interface.
Categories: Libevent, News

DNS And Responsible Disclosure

As everyone was upgrading their DNS infrastructure to be ready for August 7th, some security researchers independently discovered the DNS flaw and disclosed it. For those of us who were either informed or had figured out the problem ourselves, it is surprising to find irresponsible and grossly negligent disclosure from respected members of our community. There was a reason that Kaminsky did not disclose the flaw publicly when he found it. The DNS infrastructure needed to be upgraded and repaired.

Well, the time has run out. A current study by David Dagon and myself puts the number of open recursive resolvers using static source ports at about 78%. That is a lot of servers that need to be patched. Two more weeks till August 7th could have helped to fix many of them. Unfortunately, we will not find out now.
Categories: Hacking, Security