From: Max Laier
Organization: FreeBSD
To: freebsd-stable@freebsd.org
Cc: Brett Glass, stable@freebsd.org, Doug Barton
Date: Mon, 21 Jul 2008 21:38:46 +0200
Subject: Re: FreeBSD 7.1 and BIND exploit

On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> Brett Glass wrote:
> | Everyone:
> |
> | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> | close the BIND cache poisoning hole?
>
> Brett, et al,
>
> I'll make this simple for you. If you have a server that is running
> BIND, update BIND now. If you need to use the ports, that's fine, just
> do it now. Make sure that you are not specifying a port via any
> query-source* options in named.conf, and that any firewall between
> your named process and the outside world does keep-state on outgoing
> UDP packets.

... and that any NAT device employs at least a somewhat random port
allocation mechanism - pf provides this.

> If you have a system with BIND installed (as it is by default) but you
> are NOT running named, you don't need to worry about updating now, but
> you should do it "soonish" just in case someone gets a wild hair and
> starts up named on that box.
>
> As for the meta-question, FreeBSD is currently operating on a
> time-based release schedule, not a feature-based one. And to your
> actual question, the answer is no.
>
>
> hope this helps,
>
> Doug

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
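
Added example, not part of the original mail and not code from BIND or FreeBSD: a Python check for the first item in the advice above, flagging any query-source or query-source-v6 statement in named.conf that pins a source port. The sample configuration and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample named.conf, for illustration only.
SAMPLE_NAMED_CONF = r'''
options {
    directory "/etc/namedb";
    // query-source address * port 53;   (commented out: ignored)
    query-source address * port 53;
    query-source-v6 address * port *;
    /* notify-source * port 5353;  not a query-source option */
};
'''

# Quoted strings are matched first so "//" or "#" inside them is preserved.
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# A query-source or query-source-v6 statement, up to its terminating ';'.
_STMT = re.compile(r'(?<![\w-])(query-source(?:-v6)?)(?![\w-])([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\S+)')


def strip_comments(text):
    """Drop the /* */, // and # comment styles that named.conf accepts."""
    return _SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)


def fixed_query_source_ports(conf_text):
    """Return [(option, port)] for each query-source* statement pinning a port.

    'port *' and statements without a port clause are fine. Files pulled in
    with 'include' are not followed.
    """
    findings = []
    for stmt in _STMT.finditer(strip_comments(conf_text)):
        port = _PORT.search(stmt.group(2))
        if port and port.group(1) != '*':
            findings.append((stmt.group(1), port.group(1)))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_CONF
    hits = fixed_query_source_ports(text)
    for option, port in hits:
        print(f"{option}: source port pinned to {port}; drop the port clause")
    sys.exit(1 if hits else 0)
```

Run it with the path to named.conf as the only argument; a non-zero exit status means at least one pinned port was found.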