From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 19:46:48 2003
Date: Thu, 23 Oct 2003 20:46:46 -0600
From: "David G. Andersen"
To: Garance A Drosihn
cc: security@freebsd.org
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install
Message-ID: <20031023204646.A61063@cs.utah.edu>
References: <6.0.0.22.2.20031023162326.04c1e008@localhost> <6.0.0.22.2.20031023183427.04e18d10@localhost>
In-Reply-To: ; from drosih@rpi.edu on Thu, Oct 23, 2003 at 09:38:11PM -0400

Garance A Drosihn just mooed:
> newsyslog for the past year. I am pretty familiar with it.
>
> What I meant was that in circumstances where "once per hour"
> is not fast enough, then I do not believe the right solution
> is to rotate files every five minutes. Just MO.

The problem is very obviously an excess of messages from bind.
This bug report should go to the ISC folks. No daemon should be
spewing out log messages at the _incredible_ rate that bind does
when it decides it doesn't like what it's getting in this context.
The same bug can be triggered by using a forwarding nameserver
that bind doesn't like.

The immediate question to ask is, "is this fixed in bind9?"
If it is, you're not likely to get an answer other than
"please upgrade."

... which seems like a pretty reasonable thing to do, if that's
the case.

Bret, try upgrading to bind9 and see if it still happens. If it
does, then reduce it to the simplest test case you can and report
it to the bind people. If it doesn't, then call yourself happy
and let the rest of us know that it's a good way to avoid the
problem.

-Dave

--
work: dga@lcs.mit.edu
me: dga@pobox.com
MIT Laboratory for Computer Science
http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.