From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:22:17 2008
From: "Ted Mittelstaedt" <tedm@ipinc.net>
To: freebsd-security@freebsd.org
Date: Wed, 9 Jul 2008 10:58:34 -0700
Organization: Internet Partners, Inc.
Subject: Here is how to fix your nameserver - was Re: BIND update?
Hi All,

First, knock off the goddam posturing.

Second, named is statically linked, so there is NO BIG FRAGGING DEAL with upgrading your nameserver. Here is how you do it:

System: FreeBSD 6.3-RELEASE used as a nameserver

Login and su to root

  cd /usr/ports/distfiles
  mkdir manual-build
  cd manual-build
  fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
  gunzip bind-9.3.5-P1.tar.gz
  tar xf bind-9.3.5-P1.tar
  cd bind-9.3.5-P1
  ./configure --disable-openssl-version-check

(NOTE: The OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4 security notifications; you should have patched it already.)

  make
  rndc stop
  cd ./bin/named
  chmod u-w named
  mv /usr/sbin/named /usr/sbin/named.original
  mv named /usr/sbin/named
  cd ..
  cd rndc
  mv /usr/sbin/rndc /usr/sbin/rndc.original
  mv rndc /usr/sbin/rndc
  /usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
  tail /var/log/messages

Make sure messages has:

  starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root

in it.

  nslookup www.freebsd.org     (tests)

You're done!

named and rndc are both compiled with static libraries:

  liblwres.a libdns.a libbind9.a libisccfg.a libisccc.a libisc.a

so there is no need to go replacing all of the resolver libraries and recompiling all the applications. The bug DOES NOT affect client applications that use the resolver libraries.

This will get you going until FBSD 6.4 is out.

Ted Mittelstaedt
Author: The FreeBSD Corporate Networker's Guide
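The binary swap described in the post above, as an added example that is not part of Ted's message or of BIND itself: a small POSIX sh wrapper that keeps the `.original` backup, refuses to overwrite an existing backup on a second run, replaces the binary with an atomic rename, checks the version the new binary reports, and rolls back if it is not the one expected. It assumes `named -v` prints a line of the form `BIND <version>` (true for the 9.3 series; the parsing is otherwise an assumption), and all paths are parameters so it can be exercised on a scratch directory before being pointed at /usr/sbin. The `log_has_version` check automates the "tail /var/log/messages" step from the post.

```shell
#!/bin/sh
# Added example, not from the original post: safer version of the
# "mv named.original / mv named" swap, with version check and rollback.
set -u

# bind_version BINARY: print the version token reported by "BINARY -v",
# e.g. "9.3.5-P1". Assumes the output starts with "BIND <version>".
bind_version() {
    "$1" -v 2>/dev/null | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# install_binary NEW DEST: back DEST up as DEST.original and replace it
# with NEW. Refuses to run if a backup already exists, so a repeated run
# cannot overwrite the known-good copy with an already-replaced binary.
install_binary() {
    new=$1; dest=$2
    if [ -e "$dest.original" ]; then
        echo "refusing: $dest.original already exists (rollback first)" >&2
        return 1
    fi
    [ -x "$new" ] || { echo "refusing: $new is not executable" >&2; return 1; }
    cp -p "$dest" "$dest.original" || return 1
    # Copy beside the target, then rename: rename(2) is atomic within one
    # filesystem, so a running or restarting named never sees a half-written file.
    cp -p "$new" "$dest.tmp" && chmod 0555 "$dest.tmp" && mv -f "$dest.tmp" "$dest"
}

# rollback_binary DEST: put DEST.original back in place.
rollback_binary() {
    dest=$1
    [ -e "$dest.original" ] || { echo "no backup for $dest" >&2; return 1; }
    mv -f "$dest.original" "$dest"
}

# upgrade_named NEW DEST EXPECTED_VERSION: install, verify the reported
# version, and roll back automatically on mismatch.
upgrade_named() {
    new=$1; dest=$2; expect=$3
    install_binary "$new" "$dest" || return 1
    got=$(bind_version "$dest")
    if [ "$got" != "$expect" ]; then
        echo "version check failed: got '$got', want '$expect'; rolling back" >&2
        rollback_binary "$dest"
        return 1
    fi
    echo "$dest now reports BIND $got (backup at $dest.original)"
}

# log_has_version LOGFILE VERSION: true if the syslog file contains a
# "starting BIND <VERSION>" line, matching the whole version token so that
# "9.3.5" does not match a "9.3.5-P1" start line.
log_has_version() {
    grep -Eq "starting BIND $2"'( |$)' "$1"
}

# Typical use on the real system (as root, after "rndc stop"):
#   upgrade_named ./bin/named/named /usr/sbin/named 9.3.5-P1 && \
#   upgrade_named ./bin/rndc/rndc  /usr/sbin/rndc  9.3.5-P1
# then start named as in the post and run:
#   log_has_version /var/log/messages 9.3.5-P1 && echo "named restarted on the new version"
```

Keep the `.original` copies until the new daemon has been serving for a while; `rollback_binary /usr/sbin/named` followed by a restart is the whole recovery path if it misbehaves.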