Message-ID: <3A761A26.4F520934@ursine.com>
Date: Mon, 29 Jan 2001 17:34:30 -0800
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Cc: Matt Dillon
Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ?
References: <200101300108.f0U18MO81199@earth.backplane.com>

Matt Dillon wrote:
>
> Ok, I'm really confused now. I am currently running 8.2.3-T6B.
>
> Do I need to upgrade or am I ok?

You need to upgrade. The ISC web site has a good list of all known
BIND vulnerabilities and which versions are affected for each one:

http://www.isc.org/products/BIND/bind-security.html

In particular, the info on the "TSIG" vulnerability says that all beta
versions of 8.2.3 are vulnerable. Since 8.2.3-T6B is a beta version,
it is therefore vulnerable.

> If I need to upgrade, is the patch
> in the tree now or do I need to wait?

I believe the latest message from Kris was that 4.x-STABLE has the
updated BIND integrated, and 3.x-STABLE should be updated by tomorrow.

If you update via the bind8 port instead, it has also been updated for
8.2.3. The bind8 port puts files in a different location than the BIND
files from the base system install, so be careful if you do that,
especially making sure your /etc/rc.conf will start the correct version.

The prebuilt packages directory at freebsd.org still had just 8.2.2-p7,
as far as I could tell, but that will presumably change over the next
day or two.

Or you -could- just download 8.2.3 directly from ISC (www.isc.org), and
install it that way. Some files might end up in slightly different
directories, but I believe that's the only impact you'll see (although
somebody is sure to pipe up if I'm wrong on that one.)