Re: BIND update?
I hope I can distance myself from Josh in terms of tone. I think he's
completely out of line with his snotty posts. That said, I think there
is a legitimate question here.

I'm interested in this issue, because it sounds as if FreeBSD folk
didn't become aware of this problem until the announcement. I would
have expected ISC to notify you ahead of the announcement. The
patched code has been available to some for several weeks (at least).
I was anticipating seeing everyone pushing patched code out on the same
day.

That means 11 out of 81 entries were able to determine the status of
their product/code before the advisory went public. Here's that list,
please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.

What's more important is that we not panic, especially since _public_
details are very sparse. There are mitigations that are mentioned in
that report, along with elsewhere. Putting these mitigations in place,
if necessary, is your best option while those entrusted to do the work
are doing said work to make sure we have a co-ordinated and accurate
response.

There really aren't any effective mitigations for folks running resolvers.
Patched code to implement source port randomization is our only hope.
Of course, that code exists and is available from ISC, and it will work
fine under FreeBSD, so there is clearly a path forward.

I think it might have been helpful (and still might be) if the security
officer had pushed out a notification of 'work underway' with some possible
indication as to when a fix might be available. I realize that providing a
date might be extraordinarily difficult, but it helps inform planning for
FreeBSD users (and, of course, gives us something to kvetch about when
the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you
guys beer (or other beverage of choice) any time we're in the same room
together.

mark

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
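As an added example (not part of the post, nor code from ISC or FreeBSD), a small Python check a resolver operator could run over the UDP source ports seen on a batch of outbound queries (from a capture or the resolver's query log) to see whether source port randomization is actually in effect; the sample port lists and the thresholds are constructed for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits(ports):
    """Empirical Shannon entropy (bits) of the observed port values."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_port_randomization(ports):
    """Classify a list of observed outbound source ports.
    Returns (verdict, stats); verdict is 'fixed', 'sequential',
    'low-entropy' or 'randomized'. Thresholds are heuristics chosen
    for this example, not anything ISC or FreeBSD publishes."""
    if len(ports) < 16:
        raise ValueError("need at least 16 observations for a verdict")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    entropy = shannon_entropy_bits(ports)
    # Fraction of consecutive observations that step by exactly +1:
    # an unpatched resolver using a per-query port counter looks like this.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    seq_frac = sum(1 for s in steps if s == 1) / len(steps)
    stats = {"distinct": distinct, "span": span,
             "entropy_bits": round(entropy, 2),
             "sequential_fraction": round(seq_frac, 2)}
    if distinct == 1:
        return "fixed", stats
    if seq_frac >= 0.9:
        return "sequential", stats
    # A randomizing resolver should spread ports widely and show close to
    # the maximum entropy the sample size allows (log2 of the sample size).
    if span < 1024 or entropy < 0.9 * math.log2(len(ports)):
        return "low-entropy", stats
    return "randomized", stats


# Constructed samples standing in for four resolver behaviours.
FIXED_PORT = [53] * 32                                # same port every query
SEQUENTIAL = list(range(32768, 32768 + 32))           # per-query counter
NARROW = [40000 + (i * 7) % 100 for i in range(32)]   # varies, tiny range
RANDOMIZED = random.Random(1).sample(range(1024, 65536), 32)  # seeded stand-in

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, *assess_port_randomization(sample))
```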