Date: Sat, 29 Jun 2002 15:35:02 -0600
From: Brett Glass
To: Doug Barton
Cc: Mark.Andrews@isc.org, security@FreeBSD.org
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-Id: <4.3.2.7.2.20020629153253.02e88ef0@localhost>
In-Reply-To: <3D1E264A.5463BA96@FreeBSD.org>
References: <4.3.2.7.2.20020629123101.02ed2df0@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG

At 03:27 PM 6/29/2002, Doug Barton wrote:

> The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more
> careful to read what is posted before responding.

I know that there were earlier fixes to prevent buffer overruns. My impression, based on ISC's statements, is that more were required after that time. Have you done a diff between 8.2.6 and 8.3.3?

> That said, if you are
> going to run a BIND 8 server, I think you're a lot better off with
> 8.3.3.

I want to run a BIND 9 server, because it will protect vulnerable machines and apps behind it. But it looks as if I'll need to get libbind out of 8.3.3, too, unless there's a new release of BIND 9 that includes it.

--Brett