Re: libc flaw: BIND 9 closes most holes but also opens one

From: Brett Glass (brett@lariat.org)
Date: 06/30/02


Date: Sat, 29 Jun 2002 22:10:05 -0600
To: Pete Ehlke <pde@rfc822.net>, security@FreeBSD.ORG
From: Brett Glass <brett@lariat.org>

At 07:18 PM 6/29/2002, Pete Ehlke wrote:

>You are aware, Brett, that you are lecturing one of the BIND authors on
>the subtleties of the BIND source?
>
>Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There
>is even a fixed v4.

In short, you've gone back and created fixed versions of these
"ancient" bloodlines?

If so, that's good, but it doesn't help the majority of us.

In particular, it doesn't help people who install FreeBSD now,
or who maintain it and need to make sure that everything's fixed.
We need BIND 9 (required to shield other systems, including Solaris
and Windows boxes, which are likely vulnerable) and a fixed
libbind. Oh, and a fixed Sendmail, which right now can only
be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1,
for some reason, does not have it.) And you can't install
binary packages if they contain statically linked binaries.

In short, right now, it's damnably difficult to secure existing
FreeBSD systems or to create new ones (for which I have clients
waiting). So, pardon me if I seem frustrated. I'm responsible
for plugging all the holes in the dikes and for building several
systems that I cannot, right now, build with confidence.

--Brett
