Date: Mon, 21 Jul 2008 21:38:46 +0200
From: Max Laier <max@love2party.net>
To: freebsd-stable@freebsd.org
Cc: Brett Glass <brett@lariat.net>, stable@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <200807212138.46703.max@love2party.net>
In-Reply-To: <4884E00E.1090009@FreeBSD.org>
References: <200807200230.UAA17164@lariat.net> <4884E00E.1090009@FreeBSD.org>
On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> Brett Glass wrote:
> | Everyone:
> |
> | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> | close the BIND cache poisoning hole?
>
> Brett, et al,
>
> I'll make this simple for you. If you have a server that is running
> BIND, update BIND now. If you need to use the ports, that's fine, just
> do it now. Make sure that you are not specifying a port via any
> query-source* options in named.conf, and that any firewall between
> your named process and the outside world does keep-state on outgoing
> UDP packets.

... and that any NAT device employs at least a somewhat random port
allocation mechanism - pf provides this.

> If you have a system with BIND installed (as it is by default) but you
> are NOT running named, you don't need to worry about updating now, but
> you should do it "soonish" just in case someone gets a wild hair and
> starts up named on that box.
>
> As for the meta-question, FreeBSD is currently operating on a
> time-based release schedule, not a feature-based one. And to your
> actual question, the answer is no.
>
>
> hope this helps,
>
> Doug

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
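A check for the query-source advice in the message above, added here as an example and not something posted in the thread: it strips comments from a named.conf, collects the query-source / query-source-v6 statements, and flags any that pin a numeric source port (a pinned port removes the randomization the patched BIND relies on; "port *" and no port clause at all are fine). The function names, file names and the two sample configurations are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the FreeBSD thread or the BIND project):
# flag named.conf query-source statements that fix the source port.

# Constructed sample: the weak setting with a pinned port.
WEAK_CONF='options {
    directory "/etc/namedb";
    query-source address * port 53;   // pins the source port: bad
    recursion yes;
};'

# Constructed sample: the corrected setting. The commented-out line is
# there on purpose, to show that comments are ignored by the check.
FIXED_CONF='options {
    directory "/etc/namedb";
    // query-source address * port 53;
    query-source address *;              // let BIND pick a random port
    query-source-v6 address * port *;    // "port *" is also acceptable
    recursion yes;
};'

# Write both constructed samples into the directory given as $1.
write_samples() {
    dir="$1"
    printf '%s\n' "$WEAK_CONF"  > "$dir/named.conf.weak"
    printf '%s\n' "$FIXED_CONF" > "$dir/named.conf.fixed"
}

# Return 0 if the named.conf given as $1 pins no query-source port,
# 1 if any query-source / query-source-v6 statement carries a literal
# "port <number>". Line comments (// and #) are stripped first so a
# commented-out statement does not trigger a false positive; multi-line
# /* */ comments are not handled, so a statement inside one would still
# be reported (a false positive, never a miss).
check_query_source() {
    if sed -e 's|//.*$||' -e 's|#.*$||' "$1" \
        | tr '\n' ' ' \
        | grep -oE 'query-source(-v6)?[^;]*;' \
        | grep -E 'port[[:space:]]+[0-9]+' >/dev/null; then
        return 1
    fi
    return 0
}

# Run the check over both samples and print a verdict for each.
main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp/named.conf.weak" "$tmp/named.conf.fixed"; do
        if check_query_source "$f"; then
            echo "$f: OK, no fixed query-source port"
        else
            echo "$f: WARNING, query-source pins a port; remove it and restart named"
        fi
    done
    rm -rf "$tmp"
}

main
```

Run it against a real /etc/namedb/named.conf by calling check_query_source with that path; a non-zero return means the port clause should be removed before (or right after) the BIND update, since the update alone does not undo a pinned port. The firewall and NAT side of the advice still has to be verified separately, for example by watching the source ports of outgoing queries from outside the NAT.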