From owner-freebsd-security Fri Jun 28 20:35:39 2002
Message-Id: <200206290335.g5T3ZUm0059814@drugs.dv.isc.org>
To: Brett Glass
Cc: security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
In-reply-to: Your message of "Fri, 28 Jun 2002 16:59:25 CST." <200206282259.QAA03790@lariat.org>
Date: Sat, 29 Jun 2002 13:35:30 +1000

> I've installed BIND 9 on our main domain name server to shield systems
> (including Windows boxes, which may be vulnerable) from the libc hole.
> Unfortunately, according to ISC, BIND 9 comes with a version of
> libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.)
> So, if you load up BIND 9 and an app that uses it (such as Sendmail) links
> to the vulnerable libbind, you're still exposed.
>
> This problem may take even longer to mop up than I first thought (and I was
> pessimistic to start with). I was slated to build a new server today, but
> since 4.6-RELEASE-p1 isn't yet up on the Japanese snapshot server yet,
> I think I'll wait.
>
> --Brett

Firstly, lib/bind is *not* built by default. You have to explicitly
build it with "configure --enable-libbind".

"libbind" is a *copy* of BIND 8's libbind which *is* fixed in 8.2.6
and 8.3.3.

So don't enable libbind and if you have installed libbind from BIND 9,
get one of the above BIND 8 releases and install their libbind.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
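A small audit helper for the two points raised in this exchange: which binaries are actually linked against a BIND-derived libbind, and whether a given BIND 8 version is at or past the fixed releases Mark names (8.2.6 and 8.3.3). This is an added example, not code from either poster or from ISC; the ldd output and the sendmail path are constructed for illustration, and any BIND branch other than 8.2.x and 8.3.x is reported as unknown because the thread names fixes only for those two.

```shell
#!/bin/sh
# Added example (not from the thread): find libbind linkage in ldd output and
# compare a BIND 8 version against the fixed releases named in the reply.

# Constructed sample ldd output; a real audit would run `ldd /usr/local/sbin/sendmail`
# (path assumed) on each resolver-using daemon instead.
SAMPLE_LDD='/usr/local/sbin/sendmail:
        libbind.so.3 => /usr/local/lib/libbind.so.3 (0x28080000)
        libc.so.4 => /usr/lib/libc.so.4 (0x280a0000)'

# Print the path of any libbind the binary is linked against; exit 1 if none.
# Usage: links_libbind "$(ldd /path/to/binary)"
links_libbind() {
    printf '%s\n' "$1" | awk '/libbind\.so/ { print $3; found=1 } END { exit !found }'
}

# Exit 0 when a BIND 8 version string (e.g. 8.2.5) is at or past the fixed
# release for its branch: 8.2.6 for 8.2.x, 8.3.3 for 8.3.x. Exit 1 when it
# is older, and 2 for any branch the thread does not cover.
libbind_fixed() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    [ "$major" = 8 ] || return 2
    case "$minor" in
        2) [ "${patch:-0}" -ge 6 ] ;;
        3) [ "${patch:-0}" -ge 3 ] ;;
        *) return 2 ;;
    esac
}

# Stand-alone run over the constructed sample.
if path=$(links_libbind "$SAMPLE_LDD"); then
    echo "sendmail links $path; verify it comes from BIND 8.2.6/8.3.3 or later"
else
    echo "sendmail does not link libbind"
fi
```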