Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv

From: Brett Glass (brett@lariat.org)
Date: 06/26/02


Date: Wed, 26 Jun 2002 14:37:27 -0600
To: "H. Wade Minter" <minter@lunenburg.org>, freebsd-security@freebsd.org
From: Brett Glass <brett@lariat.org>

At 01:26 PM 6/26/2002, H. Wade Minter wrote:

>So am I correct in assuming that this fix requires a complete system
>rebuild (make buildworld) as opposed to just rebuilding a particular
>module?

Worse than that. Every package or port must be reinstalled
or rebuilt too. Ditto everything you've built from source.
Basically, the entire system must be ripped up by the roots.

This is scary.

There may be one mitigating factor, though. Suppose you
block direct DNS to and from the outside world, allowing
your systems to resolve names only through a DNS server
on your own network that you know is safely patched.
Will this hold off the hordes at the gates? Or is there
a way for a malicious response to sneak through anyway
(as with DNS cache poisoning)?

Also, is the DNS cache in Squid vulnerable?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message