From owner-freebsd-questions Wed Nov 24 17:54:30 1999
Date: Wed, 24 Nov 1999 20:54:24 -0500
From: Keith Stevenson
To: Dave H
Cc: freebsd-questions@freebsd.org, freebsd-stable@freebsd.org, security-officer@freebsd.org
Subject: Re: Security status of BIND8 in stable
Message-ID: <19991124205424.C54601@osaka.louisville.edu>

On Wed, Nov 24, 1999 at 05:18:22PM -0500, Dave H wrote:
> Hi,
>
> I'll keep this brief. I basically have three questions about bind8 in
> stable:
>
> 1) The version in stable is still 8.1.2 - is there any reason to believe
> that the current well-known vulnerabilities in bind are not present for
> some reason in our bind 8.1.2?

The consensus seems to be that we only have the denial of service attacks
to contend with. The remote root vulnerability didn't appear until 8.2.

>
> 2) Why hasn't FreeBSD made a statement in response to Cert Advisory
> CA-99-14?

I'll defer that to the Security Officer.

>
> 3) How soon will the bind version be updated in stable? I'd prefer to
> stick with source instead of ports for ease of maintenance across
> multiple machines. If building bind from ports is (and will continue to
> be) the best way of maintaining bind, so be it - I will make the change
> across all machines - I'd just rather not do it if it is not necessary.

Considering that -CURRENT still includes 8.1.2 and that the 3.4 and 4.0
feature freezes are fast approaching (as is BIND9), I think that the ports
version is your best bet.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0