Date:      Sat, 29 Jun 2002 16:58:37 -0500
From:      Pete Ehlke <pde@rfc822.net>
To:        security@FreeBSD.ORG
Subject:   Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID:  <20020629215837.GA21060@rfc822.net>
In-Reply-To: <4.3.2.7.2.20020629154457.02fafb00@localhost>
References:  <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost>

On Sat, Jun 29, 2002 at 03:47:56PM -0600, Brett Glass wrote:
> At 03:43 PM 6/29/2002, Pete Ehlke wrote:
> 
> >Please, Brett. Don't embarrass yourself further on this.
> >
> >http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2
> >http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2
> 
> Embarrass? The page you cite actually proves that I'm correct! It 
> says:
> 
> >Highlights vs. 8.3.2
> >        Security Fix libbind. All applications linked against libbind
> >        need to re-linked.
> 
> What this means is that the only safe version of libbind is 8.3.3. 

For god's sake, man. Read both of them. You are patently, provably,
empirically *wrong*. 8.2.6, 8.3.3, and, though heaven only knows why
anyone would still want it, 4.9.9 were all fixed against this particular
problem.

> BIND 9.2.1 includes an older version of libbind, and so while its 
> named is not vulnerable (and in fact can be used to shield other
> machines), its libbind is.
> 
This is true. But why are you tempesting in this teapot? What exactly do
you have that's linked against libbind? And don't say "I don't know."
Building libbind and linking against it is something that takes direct,
willful action on your part.

furrfu.

-P.
