Re: named 8.3.2-T1B vulnerable?
From: Doug Barton (DougB@FreeBSD.org)
Date: 06/30/02
Date: Sat, 29 Jun 2002 17:15:42 -0700 (PDT)
From: Doug Barton <DougB@FreeBSD.org>
To: John Long <fbsd1@sstec.com>

On Sat, 29 Jun 2002, John Long wrote:
> Running tag=RELENG_4_6
> FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002
> 4 boxes, 8 rebuilds, libc now this libbind thing.
>
> My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable.

Note, there are three separate problems here. First, there is a libc
resolver vulnerability. This is fixed in the base by the security team
already. If your machines have a fixed libc, or if they are behind a BIND
9.2.1 resolver, they are safe; as long as they don't make any resolver
calls that don't go through the actual 9.2.1 resolver.

Next, libbind has the same resolver bug as our libc did. BUT, if you don't
link against libbind (and you'd know if you did) then you don't need to
worry about it.

Finally, if you are actually running named on any of these machines, you
should be using 8.3.3 if you're using BIND 8. You can build the bind8 port
with:

    make clean ; make -DPORT_REPLACES_BASE_BIND8 install

and it will update the version of BIND on your system. You could also
leave off the flag if you'd rather have the new bind in /usr/local, but
8.3.2-T1B had some icky bugs so I recommend just writing over it to be
safe.

> Any ideas on when/if the new bind will be getting to 4_6 ?

I will be importing it into -current this weekend, if -current isn't too
terribly broken. I'll give that a week or so to shake out before importing
to RELENG_4. I doubt that the security officer team will want to import
BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same
work now, and will require less finagling.

Hope this helps,

Doug