Re: libc flaw: BIND 9 closes most holes but also opens one
From: Brett Glass (brett@lariat.org)
Date: 07/01/02
- Next message: Brett Glass: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Previous message: ¿ì¸®Ä«µåȸ¿ø ¿µ¾÷ÆÀÀå: "[±¤°í] freebsd-security´Ô Àç¹ÌÀÖ´Â »çÀºÇ°À» µå¸®°Ú½À´Ï´Ù!"
- In reply to: Michael Han: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Next in thread: Pete Ehlke: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 30 Jun 2002 20:37:52 -0600 To: Michael Han <mikehan+^$#&*@mikehan.com> From: Brett Glass <brett@lariat.org>
At 08:00 PM 6/30/2002, Michael Han wrote:
>Brett, your postings suggest that you don't understand the nature of
>the bug and libbind. libbind is an optional component which the vast
>majority of FreeBSD users would not have installed on their systems.
This is good.
>Bind itself does not link to it in the default installation, and under
>no circumstances is the Bind named server a vector for risk.
Yes, that's what the CERT advisory said.
>Only by installing the vulnerable libbind and linking software against it
>(this would not be the default behavior of any normally
>ported/portable software) can an installation of Bind introduce risk.
That's what I'm concerned about. I want to make sure that I install
a version that's not vulnerable, in case I do bring in something
that links to it. ISC's description of the library suggests that
it's useful and that apps do link to it.
>libbind is a *replacement* library (or it's possible that it could
>serve as the only implementation on a truly ancient and backwards
>system) providing name service resolution to applications that need
>that. Normally these services are gotten from the native C library,
>libc.
Which is another problem. I've got some machines dating back to
FreeBSD 2.2.7 and 2.2.8 here, some of which I cannot just upgrade
because they're running embedded systems or custom code. I've got
to find a way to patch them. Hence the concern. The latest gaggle
of bugs is so pervasive that it's difficult to create new machines
in which one can be confident, much less patch the older ones.
I really hope that there will be a 4.6.1.
--Brett
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Brett Glass: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Previous message: ¿ì¸®Ä«µåȸ¿ø ¿µ¾÷ÆÀÀå: "[±¤°í] freebsd-security´Ô Àç¹ÌÀÖ´Â »çÀºÇ°À» µå¸®°Ú½À´Ï´Ù!"
- In reply to: Michael Han: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Next in thread: Pete Ehlke: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
