Re: libc flaw: BIND 9 closes most holes but also opens one
From: Mark.Andrews@isc.org
Date: 07/01/02
To: Brett Glass <brett@lariat.org>
From: Mark.Andrews@isc.org
Date: Mon, 01 Jul 2002 12:08:43 +1000

> At 07:18 PM 6/29/2002, Pete Ehlke wrote:
>
> >You are aware, Brett, that you are lecturing one of the BIND authors on
> >the subtleties of the BIND source?
> >
> >Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There
> >is even a fixed v4.
>
> In short, you've gone back and created fixed versions of these
> "ancient" bloodlines?
>
> If so, that's good, but it doesn't help the majority of us.

You have been told how to fix the problem. Install libbind
from BIND 8 (that implies the include files).

BIND9:
	don't call configure with --enable-libbind (this is the default)

BIND8:
	remove "bin" from "SUBDIRS= include port lib bin" in the top
	level Makefile

Install both BIND 8 and BIND 9. "--enable-libbind" effectively
does just that.

Mark

> In particular, it doesn't help people who install FreeBSD now,
> or who maintain it and need to make sure that everything's fixed.
> We need BIND 9 (required to shield other systems, including Solaris
> and Windows boxes, which are likely vulnerable) and a fixed
> libbind. Oh, and a fixed Sendmail, which right now can only
> be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1,
> for some reason, does not have it.) And you can't install
> binary packages if they contain statically linked binaries.
>
> In short, right now, it's damnably difficult to secure existing
> FreeBSD systems or to create new ones (for which I have clients
> waiting). So, pardon me if I seem frustrated. I'm responsible
> for plugging all the holes in the dikes and for building several
> systems that I cannot, right now, build with confidence.
>
> --Brett
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message