From owner-freebsd-security Sun Feb 20 8:19: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
	by hub.freebsd.org (Postfix) with SMTP id 3239037BCAD
	for ; Sun, 20 Feb 2000 08:19:02 -0800 (PST)
	(envelope-from sthaug@nethelp.no)
Received: (qmail 42903 invoked by uid 1001); 20 Feb 2000 16:18:56 +0000 (GMT)
To: zaks@prioris.im.pw.edu.pl, S.Zak@altkom.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Why should I upgrade from 2.2.8 to 3.4
From: sthaug@nethelp.no
In-Reply-To: Your message of "20 Feb 2000 12:16:20 +0100"
References: <87g0uo5dkr-cos-mos@localhost.localnet>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 20 Feb 2000 17:18:56 +0100
Message-ID: <42901.951063536@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Yes but BIND 4 has even more security holes than BIND 8. If I had to
> > run 2.2.8 and BIND, I'd install BIND 8 and run it in a jail under a
> > non-privileged account.
>
> No one did serious security audit of BIND 8, so where do you get this
> "news" from ?? BIND 4 was audited by the OpenBSD team and is shipped
> with OpenBSD. I believe it does proper bound checking at least.

There are enough *other* known errors in BIND 4.9.x (functional, may or
may not be security related) that I certainly wouldn't want to return to
using 4.9.x.

Also, proper bounds checking alone (even if it certainly helps!) isn't
enough for good security.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no