libc flaw: BIND 9 closes most holes but also opens one

From: Brett Glass (brett@lariat.org)
Date: 06/29/02


Date: Fri, 28 Jun 2002 16:59:25 -0600 (MDT)
From: Brett Glass <brett@lariat.org>
To: security@freebsd.org

I've installed BIND 9 on our main domain name server to shield systems
(including Windows boxes, which may be vulnerable) from the libc hole.
Unfortunately, according to ISC, BIND 9 comes with a version of
libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.)
So, if you load up BIND 9 and an app that uses it (such as Sendmail) links
to the vulnerable libbind, you're still exposed.

This problem may take even longer to mop up than I first thought (and I was
pessimistic to start with). I was slated to build a new server today, but
since 4.6-RELEASE-p1 isn't up on the Japanese snapshot server yet,
I think I'll wait.

--Brett
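The exposure Brett describes is an application linking the vulnerable libbind rather than the patched system libc, so the practical check is to find out which binaries on the box pull in libbind or libresolv at all. The script below is an added example, not part of the original post or of BIND/FreeBSD: it parses ldd output and flags resolver libraries, and treats a statically linked binary (where ldd cannot tell) as its own case. The library file names (libbind.so, libresolv.so) and the exact wording ldd uses for static binaries are assumptions; the sample ldd output in the usage note is constructed.

```shell
#!/bin/sh
# Added example: audit which executables link a resolver library.
# Assumes a POSIX sh, ldd on PATH, and that the resolver library is
# named libbind.so* or libresolv.so* (assumption, not from the post).

# classify_ldd_output: read ldd output on stdin and print one of
#   "static"          - ldd reported a non-dynamic executable
#   "<lib> <lib> ..." - resolver libraries found, space-separated
#   ""                - no resolver library linked
classify_ldd_output() {
    _out=$(cat)
    case $_out in
        *"not a dynamic executable"*|*"not a dynamic ELF executable"*)
            printf 'static\n'
            return 0 ;;
    esac
    # keep only lines naming a libbind/libresolv shared object, first field
    printf '%s\n' "$_out" \
        | grep -E 'lib(bind|resolv)[^ ]*\.so' \
        | awk '{print $1}' | sort -u | tr '\n' ' ' | sed 's/ $//'
    printf '\n'
}

# audit_binary: run ldd on one path and report. Exit status:
#   0 clean, 1 links a resolver library, 2 static (needs manual review)
audit_binary() {
    _bin=$1
    [ -x "$_bin" ] || return 0
    _res=$(ldd "$_bin" 2>&1 | classify_ldd_output)
    case $_res in
        static)
            printf '%s: statically linked; ldd cannot tell, check how it was built\n' "$_bin"
            return 2 ;;
        "")
            return 0 ;;
        *)
            printf '%s: links %s\n' "$_bin" "$_res"
            return 1 ;;
    esac
}

# audit_paths: walk the given directories and audit every regular executable
audit_paths() {
    for _dir in "$@"; do
        find "$_dir" -type f -perm -u+x 2>/dev/null | while read -r _f; do
            audit_binary "$_f"
        done
    done
}

# Example invocation when run directly: audit_paths /usr/sbin /usr/local/sbin
```

Run it as `audit_paths /usr/sbin /usr/local/sbin /usr/local/libexec` on the name server and on any mail host; a hit on sendmail, or any "statically linked" line for a daemon that talks to DNS, means that binary must be rebuilt against a fixed resolver even after the base system is patched. A statically linked sendmail built against the old libbind looks clean to ldd, which is why the script reports that case separately instead of staying silent.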
