Re: named 8.3.2-T1B vulnerable?
From: Doug Barton (DougB@FreeBSD.org)
Date: 06/30/02
Date: Sun, 30 Jun 2002 13:37:03 -0700
From: Doug Barton <DougB@FreeBSD.org>
To: Alessandro de Manzano <adm@unixmania.net>
Alessandro de Manzano wrote:
> I've a question about replacing with PORT_REPLACES_BASE_BIND8.
>
> If today I install BIND 8.3.3 from the port with that option it will
> overwrite the system one but next time I'll do a buildworld /
> installworld I'll get again 8.3.2-T1B or whatever RELENG_4(_6) will
> have that time.. right ?
Correct. There is currently a make.conf option for NO_BIND. In
addition, some of us are working on a more thorough solution which will
add some magic to the bsd.*.mk files so that you can put
PORT_REPLACES_BASE_FOO in your /etc/make.conf, and it will automatically
imply NO_FOO as well. Currently I'm testing a final buildworld for the
bind 8.3.3 import on -current. Once that's done, I'll be sending some
patches and more info on this topic to the freebsd-arch mailing list.
> More, I'll get an entry in the installed packages database for BIND
> 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lose
> the real/overwritten BIND...
Yep. One of the things I'm adding to my little patch is to change the
name of the port from foo-version to foo-system-version when installing
to give you a clue as to what's about to happen. BUT, you are absolutely
right in saying that this option is dangerous. However, there are lots
of ways to shoot yourself in the foot here... it's up to you to find a
better target. :) Also, the system will still run without BIND, unless
of course you're using that particular system as a name server. I have
been using the "port overwrites base" stuff at Yahoo! for almost a year,
and we haven't had any catastrophes yet.
Hope this helps,
Doug