From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 18:30:40 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D5C29106567E; Wed, 9 Jul 2008 18:30:40 +0000 (UTC) (envelope-from booloo@ucsc.edu)
Received: from root.ucsc.edu (root.ucsc.edu [128.114.2.68]) by mx1.freebsd.org (Postfix) with ESMTP id 9B2138FC1A; Wed, 9 Jul 2008 18:30:40 +0000 (UTC) (envelope-from booloo@ucsc.edu)
Received: from root.ucsc.edu (localhost [127.0.0.1]) by root.ucsc.edu (8.13.8/8.13.8) with ESMTP id m69IFJvi067750; Wed, 9 Jul 2008 11:15:19 -0700 (PDT) (envelope-from booloo@root.ucsc.edu)
Received: (from booloo@localhost) by root.ucsc.edu (8.13.8/8.13.8/Submit) id m69IFJQw067749; Wed, 9 Jul 2008 11:15:19 -0700 (PDT) (envelope-from booloo)
Date: Wed, 9 Jul 2008 11:15:19 -0700
From: Mark Boolootian
To: Wesley Shields
Message-ID: <20080709181519.GA67356@root.ucsc.edu>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com> <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com> <20080709174341.GF92109@atarininja.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20080709174341.GF92109@atarininja.org>
User-Agent: Mutt/1.5.15 (2007-04-06)
X-Spam-Status: No, score=-1.4 required=20.0 tests=ALL_TRUSTED, DKIM_POLICY_SIGNSOME, DK_POLICY_SIGNSOME autolearn=failed version=3.2.1
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on root.ucsc.edu
Cc: freebsd-security@freebsd.org
Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: booloo@ucsc.edu
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 09 Jul 2008 18:30:40 -0000

I hope I can distance myself from Josh in terms of tone. I think he's completely out of line with his snotty posts. That said, I think there is a legitimate question here.

I'm interested in this issue, because it sounds as if FreeBSD folk didn't become aware of this problem until the announcement. I would have expected ISC to notify you ahead of the announcement. The patched code has been available to some for several weeks (at least). I was anticipating seeing everyone pushing patched code out on the same day.

> That means 11 out of 81 entries were able to determine the status of
> their product/code before the advisory went public. Here's that list,
> please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.

> What's more important is that we not panic, especially since _public_
> details are very sparse. There are mitigations that are mentioned in
> that report, along with elsewhere. Putting these mitigations in place,
> if necessary, is your best option while those entrusted to do the work
> are doing said work to make sure we have a co-ordinated and accurate
> response.

There really aren't any effective mitigations for folks running resolvers. Patched code to implement source port randomization is our only hope. Of course, that code exists and is available from ISC, and it will work fine under FreeBSD, so there is clearly a path forward.

I think it might have been helpful (and still might be) if the security officer had pushed out a notification of 'work underway' with some possible indication as to when a fix might be available. I realize that providing a date might be extraordinarily difficult, but it helps inform planning for FreeBSD users (and, of course, gives us something to kvetch about when the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you guys beer (or other beverage of choice) any time we're in the same room together.

mark
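The message above says source port randomization is the only effective fix for a resolver. The script below is an added example (not from the thread, ISC or FreeBSD) of how an operator could check whether a resolver actually has it, by scoring the source ports of its outgoing queries: a spoofed answer is only accepted if it matches both the 16-bit transaction ID and the UDP source port, so a fixed or sequential port leaves the attacker just the TXID to guess. The three sample lists are constructed here to show the fixed, sequential and randomised cases; on a real resolver you would fill `samples` from a capture of its outbound port-53 UDP traffic. The rating labels and the 16384-port threshold are this example's own choices, not a standard.

```python
"""
Score a resolver's source-port randomization from observed queries.

Added example, not code from the mailing-list thread, ISC or FreeBSD.
Input is a list of (transaction_id, source_port) pairs observed on the
resolver's outgoing UDP queries; the sample lists below are constructed.
"""
import math
import random
import statistics

random.seed(1)  # fixed seed so the constructed samples are reproducible

# 1. Unpatched behaviour: every query leaves from one fixed port.
FIXED_PORT = [(random.getrandbits(16), 32768) for _ in range(200)]

# 2. Sequential ports, as a sequentially-allocating stack or a port-
#    rewriting NAT in front of a patched resolver can produce.
SEQUENTIAL = [(random.getrandbits(16), 40000 + i) for i in range(200)]

# 3. Patched behaviour: ports drawn across the whole ephemeral range.
RANDOMISED = [(random.getrandbits(16), random.randint(1024, 65535))
              for _ in range(200)]


def _is_sequential(ports, tolerance=0.9):
    """True if nearly every consecutive port differs by exactly +1."""
    if len(ports) < 2:
        return False
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return steps.count(1) / len(steps) >= tolerance


def analyze(samples):
    """Return measurements, a rating and the attacker's guess space in bits.

    The guess space is 16 bits of TXID plus log2 of the number of ports an
    attacker must cover: 1 if the port is fixed or predictable, otherwise
    the observed port span (assumption: ports are spread over that span).
    """
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    distinct_ports = len(set(ports))
    span = max(ports) - min(ports) + 1 if ports else 0
    sequential = _is_sequential(ports)
    stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0

    if distinct_ports <= 1 or sequential:
        # Fixed or predictable port: the port adds nothing, the attacker
        # only has to win the 16-bit TXID race.
        effective_ports, rating = 1, "POOR"
    elif span < 16384:  # example threshold, not a standard
        effective_ports, rating = span, "FAIR"
    else:
        effective_ports, rating = span, "GOOD"

    return {
        "distinct_ports": distinct_ports,
        "port_span": span,
        "port_stdev": round(stdev, 1),
        "sequential": sequential,
        "distinct_txids": len(set(txids)),
        "rating": rating,
        "guess_space_bits": round(16 + math.log2(effective_ports), 1),
    }


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT),
                         ("sequential", SEQUENTIAL),
                         ("randomised", RANDOMISED)):
        print(f"{name:11s} {analyze(sample)}")
```

A resolver behind a NAT deserves the same check from the outside of the NAT, since a device that rewrites source ports sequentially undoes the randomization the patched BIND adds; that is why the sequential case is rated the same as a fixed port.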