From owner-freebsd-security  Mon Jan 29 17:34:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from delivery.insweb.com (delivery.insweb.com [12.16.212.64])
	by hub.freebsd.org (Postfix) with ESMTP id BC9C937B402
	for <freebsd-security@FreeBSD.ORG>; Mon, 29 Jan 2001 17:34:31 -0800 (PST)
Received: from ursine.com (dhcp4-202.secure.insweb.com [192.168.4.202])
	by delivery.insweb.com (8.9.2/8.9.3) with ESMTP id RAA29555;
	Mon, 29 Jan 2001 17:34:30 -0800 (PST)
	(envelope-from fbsd-secure@ursine.com)
Message-ID: <3A761A26.4F520934@ursine.com>
Date: Mon, 29 Jan 2001 17:34:30 -0800
From: Michael Bryan <fbsd-secure@ursine.com>
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Cc: Matt Dillon <dillon@earth.backplane.com>
Subject: Re: [COVERT-2001-01] Multiple Vulnerabilities in BIND - 
 FreeBSDImplications ?
References: <Pine.BSF.4.21.0101291957200.18160-100000@andromeda.frogtongue.com> <200101300108.f0U18MO81199@earth.backplane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



Matt Dillon wrote:
> 
>     Ok, I'm really confused now.  I am currently running 8.2.3-T6B.
> 
>     Do I need to upgrade or am I ok?

You need to upgrade.  The ISC web site has a good list of all known
BIND vulnerabilities and which versions are affected for each one:

http://www.isc.org/products/BIND/bind-security.html

In particular, the info on the "TSIG" vulnerability says that all beta
versions of 8.2.3 are vulnerable.  Since 8.2.3-T6B is a beta version, it
is therefore vulnerable.

>  If I need to upgrade, is the patch
>  in the tree now or do I need to wait?

I believe the latest message from Kris was that 4.x-STABLE has the updated
BIND integrated, and 3.x-STABLE should be updated by tomorrow.  If you update
via the bind8 port instead, it has also been updated for 8.2.3.  The bind8
port puts files in a different location than the BIND files from the base
system install, so be careful if you do that, especially making sure your
/etc/rc.conf will start the correct version.

The prebuilt packages directory at freebsd.org still had just 8.2.2-p7, as far
as I could tell, but that will presumably change over the next day or two.

Or you -could- just download 8.2.3 directly from ISC (www.isc.org), and install
it that way.  Some files might end up in slightly different directories, but
I believe that's the only impact you'll see (although somebody is sure to pipe
up if I'm wrong on that one.)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message