From owner-freebsd-security Fri Jun 28 16: 4:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 917D937B408 for ; Fri, 28 Jun 2002 16:03:58 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C474743E09 for ; Fri, 28 Jun 2002 15:59:31 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id QAA03790 for security@freebsd.org; Fri, 28 Jun 2002 16:59:25 -0600 (MDT)
Date: Fri, 28 Jun 2002 16:59:25 -0600 (MDT)
From: Brett Glass
Message-Id: <200206282259.QAA03790@lariat.org>
To: security@freebsd.org
Subject: libc flaw: BIND 9 closes most holes but also opens one
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I've installed BIND 9 on our main domain name server to shield systems (including Windows boxes, which may be vulnerable) from the libc hole. Unfortunately, according to ISC, BIND 9 comes with a version of libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.) So, if you load up BIND 9 and an app that uses it (such as Sendmail) links to the vulnerable libbind, you're still exposed.

This problem may take even longer to mop up than I first thought (and I was pessimistic to start with).

I was slated to build a new server today, but since 4.6-RELEASE-p1 isn't up on the Japanese snapshot server yet, I think I'll wait.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
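The exposure Brett describes is an application (Sendmail, for instance) dynamically linked against the libbind shipped with BIND 9 rather than the patched system resolver. The following audit script is an added example, not part of the original message: it runs `ldd` over a set of executables and reports every one whose dependency list resolves to a `libbind.so`, along with the library path it resolves to. The binary paths and the sample `ldd` output are constructed assumptions.

```bash
#!/bin/sh
# Added example (not from the original mail): find executables that are
# dynamically linked against a libbind shared object, so a vulnerable
# bundled libbind (CA-2002-19) does not go unnoticed after installing BIND 9.

# Parse `ldd` output on stdin and print "<binary> <resolved libbind path>"
# for each binary whose dependency list includes libbind.so.
# Note: BIND 9's own libbind9.so is a different library and is deliberately
# not matched; only "libbind.so*" is the resolver library in question.
find_libbind_links() {
    awk '
        # A non-indented line ending in ":" names the next binary, e.g. "/usr/sbin/sendmail:"
        /^[^ \t].*:$/ { bin = $0; sub(/:$/, "", bin); next }
        # Dependency lines look like: "libbind.so.3 => /usr/local/lib/libbind.so.3 (0x...)"
        /libbind\.so/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print bin, $i; break }
        }
    '
}

# Scan real binaries: run ldd over the given paths (assumed locations, e.g.
# /usr/sbin/sendmail /usr/local/sbin/named) and filter for libbind users.
audit_libbind() {
    for f in "$@"; do
        [ -x "$f" ] || continue
        ldd "$f" 2>/dev/null
    done | find_libbind_links
}

# Constructed sample ldd output so the parser can be exercised offline.
SAMPLE_LDD='/usr/sbin/sendmail:
	libbind.so.3 => /usr/local/lib/libbind.so.3 (0x28100000)
	libc.so.4 => /usr/lib/libc.so.4 (0x28200000)
/usr/local/sbin/named:
	libbind9.so.0 => /usr/local/lib/libbind9.so.0 (0x28100000)
	libisc.so.4 => /usr/local/lib/libisc.so.4 (0x28200000)
/bin/ls:
	libc.so.4 => /usr/lib/libc.so.4 (0x28100000)'

# Demo on the constructed sample; prints:
# /usr/sbin/sendmail /usr/local/lib/libbind.so.3
printf '%s\n' "$SAMPLE_LDD" | find_libbind_links
```

On a live host, call `audit_libbind /usr/sbin/sendmail /usr/local/sbin/*` (or over whatever binaries you care about); anything reported should be relinked against a patched resolver or rebuilt with the fixed libbind.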