From: Doug Barton
Date: Sat, 29 Jun 2002 14:44:58 -0700
To: Brett Glass
Cc: Mark.Andrews@isc.org, security@FreeBSD.org
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one

Brett Glass wrote:
>
> At 03:27 PM 6/29/2002, Doug Barton wrote:
>
> > The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more
> >careful to read what is posted before responding.
>
> I know that there were earlier fixes to prevent buffer overruns.
> My impression, based on ISC's statements, is that more were required
> after that time. Have you done a diff between 8.2.6 and 8.3.3?

Non sequitur. I was responding to your claim that libbind was fixed
only in 8.3.3. You are categorically wrong on that point.
I already said that if you're running BIND 8, you're better off with
the 8.3.3 version.

> >That said, if you are
> >going to run a BIND 8 server, I think you're a lot better off with
> >8.3.3.
>
> I want to run a BIND 9 server, because it will protect vulnerable
> machines and apps behind it. But it looks as if I'll need to get
> libbind out of 8.3.3, too

Only if you're using something that links against it. IMO you're
better off just not having it around.

Doug