Re: BIND update?
- From: Mark Boolootian <booloo@xxxxxxxx>
- Date: Wed, 9 Jul 2008 11:29:06 -0700
I hope I can distance myself from Josh in terms of tone. I think he's
completely out of line with his snotty posts. That said, I think there
is a legitimate question here.

I'm interested in this issue, because it sounds as if FreeBSD folk
didn't become aware of this problem until the announcement. I would
have expected ISC to notify you ahead of the announcement. The
patched code has been available to some for several weeks (at least).
I was anticipating seeing everyone pushing patched code out on the same
day.

That means 11 out of 81 entries were able to determine the status of
their product/code before the advisory went public. Here's that list,
please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.

What's more important is that we not panic, especially since _public_
details are very sparse. There are mitigations that are mentioned in
that report, along with elsewhere. Putting these mitigations in place,
if necessary, is your best option while those entrusted to do the work
are doing said work to make sure we have a co-ordinated and accurate
response.

There really aren't any effective mitigations for folks running resolvers.
Patched code to implement source port randomization is our only hope.
Of course, that code exists and is available from ISC, and it will work
fine under FreeBSD, so there is clearly a path forward.

I think it might have been helpful (and still might be) if the security
officer had pushed out a notification of 'work underway' with some possible
indication as to when a fix might be available. I realize that providing a
date might be extraordinarily difficult, but it helps inform planning for
FreeBSD users (and, of course, gives us something to kvetch about when
the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you
guys beer (or other beverage of choice) any time we're in the same room
together.

mark
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"