Re: What about BIND 9.3.4 in FreeBSD in base system ?



Mark Andrews wrote:
Chris Marlatt wrote:
Doug Barton wrote:
plan to MFC it after 4 or 5 days. I am actually considering only
MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
to upgrade.

One would assume that the release would be supported up until the EOL provided on freebsd.org of May 31, 2008.
Yes, but whether a full upgrade is needed for "support" or not depends on your definition. Given that FreeBSD is not vulnerable to these issues in its default configuration, one could easily argue that an upgrade for RELENG_5 isn't necessary.

Doug

The subject here is 9.3.4. All the issues raised
in this thread so far were addressed as of 9.3.2-P2
/ 9.3.3. To the best of my knowledge these have
already been addressed.

There are two new issues for 9.3.4.

CVE-2007-0494 which is only a problem if you are
doing DNSSEC validation.

CVE-2007-0493 to which any recursive 9.3.x (x<4) named is vulnerable.

Both of these are problems if you allow untrusted users access to the name server (likely if you're in a production environment). The way FreeBSD ships, named is off, and the example configuration files are set up to create a recursive resolver that only listens on 127.0.0.1. I would expect users who rely on BIND in a production setting to either have upgraded to FreeBSD 6-stable, be using the port, or some other custom configuration, or both.

Doug

--

This .signature sanitized for your protection
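
The triage described in the thread above (is this named in the 9.3.x, x<4 range, is it recursive or validating, and does it listen beyond 127.0.0.1), as an added example that is not part of the original messages. The function names, the sample configurations and the "dnssec-enable yes plus trusted-keys" test for DNSSEC validation are assumptions; allow-recursion ACLs are not evaluated.

```python
import re

def parse_version(text):
    """Return (major, minor, patch) from a string such as 'BIND 9.3.2-P2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # /* block */ comments
    return re.sub(r"(//|#).*", "", conf)               # // and # line comments

def listen_addresses(conf):
    """Entries of every IPv4 'listen-on { ... };' statement (not listen-on-v6)."""
    addrs = []
    for body in re.findall(r"\blisten-on(?!-)[^{;]*\{([^}]*)\}", conf):
        addrs += [a.strip() for a in body.split(";") if a.strip()]
    return addrs

def assess(version_text, conf):
    v = parse_version(version_text)
    conf = strip_comments(conf)
    # Scope taken from the thread: 9.3.x with x < 4.
    in_range = v is not None and v[:2] == (9, 3) and v[2] < 4
    addrs = listen_addresses(conf)
    # No listen-on statement means named binds every interface.
    loopback_only = bool(addrs) and all(a == "127.0.0.1" for a in addrs)
    recursive = re.search(r"\brecursion\s+no\s*;", conf) is None  # default is yes
    # Assumed heuristic for 9.3 validation: dnssec-enable yes plus trusted-keys.
    validating = (re.search(r"\bdnssec-enable\s+yes\s*;", conf) is not None
                  and re.search(r"\btrusted-keys\s*\{", conf) is not None)
    return {
        "CVE-2007-0493": in_range and recursive,
        "CVE-2007-0494": in_range and validating,
        "loopback_only": loopback_only,
    }

# Constructed samples, not real FreeBSD files.
LOCAL_RESOLVER = 'options {\n  directory "/etc/namedb";\n  listen-on { 127.0.0.1; };\n};\n'
PUBLIC_VALIDATOR = ('options {\n  // listen-on { 127.0.0.1; };\n  dnssec-enable yes;\n};\n'
                    'trusted-keys { "example." 257 3 5 "PLACEHOLDER"; };\n')

if __name__ == "__main__":
    for name, conf in (("local", LOCAL_RESOLVER), ("public", PUBLIC_VALIDATOR)):
        print(name, assess("BIND 9.3.3", conf))
```

A result with a CVE flagged and `loopback_only` true corresponds to the shipped sample setup the thread describes: the code is in the affected range, but only local users can reach it.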
