Date: Wed, 9 Jul 2008 11:29:06 -0700
From: Mark Boolootian <booloo@ucsc.edu>
To: freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <20080709182906.GA67970@root.ucsc.edu>

I hope I can distance myself from Josh in terms of tone. I think he's
completely out of line with his snotty posts.

That said, I think there is a legitimate question here. I'm interested
in this issue, because it sounds as if FreeBSD folk didn't become aware
of this problem until the announcement. I would have expected ISC to
notify you ahead of the announcement. The patched code has been
available to some for several weeks (at least). I was anticipating
seeing everyone pushing patched code out on the same day.

> That means 11 out of 81 entries were able to determine the status of
> their product/code before the advisory went public. Here's that list,
> please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.

> What's more important is that we not panic, especially since _public_
> details are very sparse. There are mitigations that are mentioned in
> that report, along with elsewhere. Putting these mitigations in place,
> if necessary, is your best option while those entrusted to do the work
> are doing said work to make sure we have a co-ordinated and accurate
> response.

There really aren't any effective mitigations for folks running
resolvers. Patched code to implement source port randomization is our
only hope. Of course, that code exists and is available from ISC, and
it will work fine under FreeBSD, so there is clearly a path forward.

I think it might have been helpful (and still might be) if the security
officer had pushed out a notification of 'work underway' with some
possible indication as to when a fix might be available. I realize that
providing a date might be extraordinarily difficult, but it helps inform
planning for FreeBSD users (and, of course, gives us something to kvetch
about when the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you
guys beer (or other beverage of choice) any time we're in the same room
together.

mark