From: "Ted Mittelstaedt"
Organization: Internet Partners, Inc.
Date: Wed, 9 Jul 2008 11:46:07 -0700
Subject: RE: Here is how to fix your nameserver - was Re: BIND update?

Hi All,

OK, slight addition to this:

> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm@ipinc.net]
> Sent: Wednesday, July 09, 2008 10:59 AM
> To: 'freebsd-security@freebsd.org'
> Subject: Here is how to fix your nameserver - was Re: BIND update?
>
>
> System: FreeBSD 6.3-RELEASE used as a nameserver
>
> Login and su to root
>
> cd /usr/ports/distfiles
>
> mkdir manual-build
>
> cd manual-build
>
> fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
>
> gunzip bind-9.3.5-P1.tar
>
> tar xf bind-9.3.5-P1.tar
>
> cd bind-9.3.5-P1
>
> ./configure --disable-openssl-version-check (NOTE: The
> OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4
> security notifications, you should have patched it already)
>
> make
>
> rndc stop
>
> cd ./bin/named
>
> chmod u-w named
>
> mv /usr/sbin/named /usr/sbin/named.original
>
> mv named /usr/sbin/named
>
> cd ..
>
> cd rndc
>
> mv /usr/sbin/rndc /usr/sbin/rndc.original
> mv rndc /usr/sbin/rndc
>

cd /var/named/etc
cp /var/named/etc/namedb/rndc.key .

> /usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
>
> tail /var/log/messages
>
> make sure messages has:
> starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t
> /var/named -u root in it
>
> nslookup www.freebsd.org
> (tests)
>
> you're done!
>
> named and rndc are both compiled with static libraries:
> liblwres.a libdns.a libbind9.a libisccfg.a libisccc.a libisc.a
>
> so there is no need to go replacing all of the resolver
> libraries and recompiling all the applications. The bug DOES
> NOT affect client applications that use the resolver libraries.
>
> This will get you going until FBSD 6.4 is out.
>
>
> Ted Mittelstaedt
> Author: The FreeBSD Corporate Networker's Guide
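
The "make sure messages has ..." check from the procedure above, as an added example that is not part of the original post: a shell function that reads syslog text and confirms that the most recent named start reports the expected version, so an older start line left in the log is not mistaken for success. The hostname, PIDs, timestamps and the older version string in the sample log are constructed.

```shell
#!/bin/sh
# Added example: automate the "make sure messages has ..." step.
# Reads syslog text on stdin; the log lines in sample_log are constructed.
# On the server: check_named_upgrade 9.3.5-P1 < /var/log/messages

# Print the most recent "starting BIND" line logged by named.
last_named_start() {
    grep 'named\[[0-9]*\]: starting BIND ' | tail -n 1
}

# Print the version token that follows "starting BIND".
named_version() {
    printf '%s\n' "$1" | sed -n 's/.*starting BIND \([^ ]*\).*/\1/p'
}

# Print the argument of -u (the user named was started as), if present.
named_user() {
    printf '%s\n' "$1" | sed -n 's/.* -u \([^ ]*\).*/\1/p'
}

# check_named_upgrade EXPECTED_VERSION < logfile
# Returns 0 if the latest start matches, 1 on mismatch, 2 if no start line.
check_named_upgrade() {
    line=$(last_named_start)
    [ -n "$line" ] || { echo "no named start line found"; return 2; }
    ver=$(named_version "$line")
    if [ "$ver" != "$1" ]; then
        echo "FAIL: latest start is BIND $ver, expected $1"
        return 1
    fi
    echo "OK: named $ver started as user $(named_user "$line")"
}

# Constructed sample: old build started at boot, patched build started later.
sample_log() {
    cat <<'EOF'
Jul  9 08:01:12 ns1 named[412]: starting BIND 9.3.4-P1 -t /var/named -u bind
Jul  9 11:40:02 ns1 named[412]: shutting down
Jul  9 11:41:30 ns1 named[9120]: starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
EOF
}

sample_log | check_named_upgrade 9.3.5-P1
```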