[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]



Dear all,

Doug just updated the ports tree with the updated BIND ports. If you urgently want to upgrade and really cannot wait for the advisory, please use the ports system to get up to speed.

Thanks Doug for working on this on such short notice!

Cheers,
remko

-------- Original Message --------
Subject: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo
Date: Wed, 9 Jul 2008 19:02:01 +0000 (UTC)
From: Doug Barton <dougb@xxxxxxxxxxx>
To: ports-committers@xxxxxxxxxxx, cvs-ports@xxxxxxxxxxx, cvs-all@xxxxxxxxxxx

dougb 2008-07-09 19:02:01 UTC

FreeBSD ports repository

Modified files:
dns/bind9 Makefile distinfo
dns/bind94 Makefile distinfo
dns/bind95 Makefile distinfo
Log:
Upgrade to the -P1 versions of each port, which add stronger randomization
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chapter 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

Revision Changes Path
1.82 +2 -2 ports/dns/bind9/Makefile
1.44 +6 -6 ports/dns/bind9/distinfo
1.85 +2 -3 ports/dns/bind94/Makefile
1.47 +6 -6 ports/dns/bind94/distinfo
1.87 +2 -2 ports/dns/bind95/Makefile
1.49 +6 -6 ports/dns/bind95/distinfo
_______________________________________________
cvs-ports@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-ports
To unsubscribe, send any mail to "cvs-ports-unsubscribe@xxxxxxxxxxx"

--

/"\ Best regards, | remko@xxxxxxxxxxx
\ / Remko Lodder | remko@EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
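To check the two MUST conditions from Doug's commit message on a box before restarting named, here is an added example (my own script, not part of the ports commit or of BIND): it scans a named.conf for a fixed port on query-source / query-source-v6, which pins every UDP query to one port and defeats the new randomization, and lists any avoid-v4-udp-ports / avoid-v6-udp-ports exclusions. The sample configurations are constructed; the firewall side still has to be checked by hand.

```python
"""Audit a BIND named.conf for settings that defeat UDP query-source
port randomization (constructed example, not BIND's own code)."""
import re

# named.conf accepts three comment styles: /* */, // and #.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def strip_comments(conf: str) -> str:
    """Remove comments so a commented-out 'port 53' is not reported."""
    return _COMMENT_RE.sub("", conf)


def audit_query_source(conf: str) -> list:
    """Return a list of findings; an empty list means nothing to fix.

    'query-source [address X] port N' with a fixed N is the problem;
    'port *' or no port clause lets named pick a random port.
    avoid-v4/v6-udp-ports only removes ports from the random pool,
    so it is reported for information, not as a defect.
    """
    findings = []
    text = strip_comments(conf)
    for m in re.finditer(r"\b(query-source(?:-v6)?)\b([^;]*);", text):
        directive, args = m.group(1), m.group(2)
        pm = re.search(r"\bport\s+(\S+)", args)
        if pm and pm.group(1) != "*":
            findings.append(f"{directive} pins UDP queries to port "
                            f"{pm.group(1)}; drop the port clause or use 'port *'")
    for m in re.finditer(r"\b(avoid-v[46]-udp-ports)\s*\{([^}]*)\}", text):
        findings.append(f"{m.group(1)} excludes: {' '.join(m.group(2).split())}")
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLE_BAD = """
options {
    directory "/etc/namedb";
    // pinned port: defeats the randomization added in -P1
    query-source address * port 53;
    query-source-v6 address * port 53;
    avoid-v4-udp-ports { 5060; 8080; };
};
"""
SAMPLE_GOOD = """
options {
    directory "/etc/namedb";
    /* let named choose the source port */
    query-source address *;
    # query-source address * port 53;   (commented out, ignored)
};
"""

if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_query_source(conf) or ["ok"])
```

Run it as `python3 audit.py /dev/stdin < /etc/namedb/named.conf` after swapping the samples for a file read; any "pins UDP queries" finding means the -P1 upgrade alone does not buy you random ports.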
