Date: Sat, 29 Jun 2002 16:58:37 -0500
From: Pete Ehlke
To: security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID: <20020629215837.GA21060@rfc822.net>

On Sat, Jun 29, 2002 at 03:47:56PM -0600, Brett Glass wrote:
> At 03:43 PM 6/29/2002, Pete Ehlke wrote:
>
> >Please, Brett. Don't embarrass yourself further on this.
> >
> >http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2
> >http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2
>
> Embarrass? The page you cite actually proves that I'm correct! It
> says:
>
> >Highlights vs. 8.3.2
> >  Security Fix libbind. All applications linked against libbind
> >  need to re-linked.
>
> What this means is that the only safe version of libbind is 8.3.3.

For god's sake, man. Read both of them.
You are patently, provably, empirically *wrong*. 8.2.6, 8.3.3, and,
though heaven only knows why anyone would still want it, 4.9.9 were all
fixed against this particular problem.

> BIND 9.2.1 includes an older version of libbind, and so while its
> named is not vulnerable (and in fact can be used to shield other
> machines), its libbind is.
>
This is true. But why are you tempesting in this teapot? What exactly do
you have that's linked against libbind? And don't say "I don't know."
Building libbind and linking against it is something that takes direct,
willful action on your part.

furrfu.

-P.