Message-ID: <3D1E264A.5463BA96@FreeBSD.org>
Date: Sat, 29 Jun 2002 14:27:38 -0700
From: Doug Barton
To: Brett Glass
Cc: Mark.Andrews@isc.org, security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one

Brett Glass wrote:
>
> At 09:35 PM 6/28/2002, Mark.Andrews@isc.org wrote:
>
> > Firstly lib/bind is *not* built by default. You have to
> > explicitly build it with "configure --enable-libbind".
>
> If that's so, you may still have an old libbind on your system
> which is vulnerable. ONLY the libbind from 8.3.3 is immune.
>
> > "libbind" is a *copy* of BIND 8's libbind which *is* fixed
> > in 8.2.6 and 8.3.3.
>
> Only in 8.3.3, according to ISC. BIND 9.2.1's libbind is not fixed.

Brett,

The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more careful to read what is posted before responding.
That said, if you are going to run a BIND 8 server, I think you're a lot better off with 8.3.3. But the fix is available for those who can't upgrade, for whatever reason.

Thanks,

Doug

ftp://ftp.isc.org/isc/bind/src/8.2.6/825-826.diff

--
"We have known freedom's price. We have shown freedom's power.
And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002