Date: Sat, 29 Jun 2002 15:47:56 -0600
From: Brett Glass
To: Pete Ehlke, security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-Id: <4.3.2.7.2.20020629154457.02fafb00@localhost>
In-Reply-To: <20020629214312.GA20882@rfc822.net>

At 03:43 PM 6/29/2002, Pete Ehlke wrote:

>Please, Brett. Don't embarrass yourself further on this.
>
>http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2
>http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2

Embarrass? The page you cite actually proves that I'm correct! It says:

>Highlights vs. 8.3.2
>    Security Fix libbind. All applications linked against libbind
>    need to be re-linked.

What this means is that the only safe version of libbind is 8.3.3.
BIND 9.2.1 includes an older version of libbind, and so while its
named is not vulnerable (and in fact can be used to shield other
machines), its libbind is.

--Brett