From: Doug Barton
Date: Wed, 01 Aug 2007 12:13:35 -0700
To: Jeffrey Goldberg
Cc: Zbigniew Szalbot, "A.G. Russell IV", Freebsd questions
Subject: Re: Waiting for BIND security announcement

Jeffrey Goldberg wrote:

> It appears that BIND has only been fixed in -STABLE and -CURRENT, but
> not in -RELEASE. Does anyone know if there are plans to get this
> patched in 6.2?
>
> For me it makes little difference since I am not (yet) running named in
> a publicly accessible way. But my medium term plans for my DNS do
> involve me running a public nameserver on the latest RELEASE with all
> patches.
>
> It does worry me if this kind of thing doesn't get patched in the latest
> RELEASE.

Um, it doesn't work that way. "6.2-RELEASE" is just a symbolic name that is related to the files that have the RELENG_6_2_0_RELEASE flag.

If you want to stay as close as possible to 6.2-RELEASE but also include the fixes that the security officer deems important enough to release widely, use the tag RELENG_6_2 (usually in your supfile for cvsup or csup).

If you want the latest code for 6-stable, which will eventually become 6.3-RELEASE, use just RELENG_6.

When it comes to BIND stuff in particular, I always update the ports first, so anyone with a mission critical DNS operation can get fixes ASAP. There is even an option in the port to overwrite the base BIND if you so desire.

hth,

Doug

--
This .signature sanitized for your protection