Date: Sat, 29 Jun 2002 17:15:42 -0700 (PDT)
From: Doug Barton <DougB@FreeBSD.org>
To: John Long <fbsd1@sstec.com>
Cc: security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?
Message-ID: <20020629170827.K5428-100000@master.gorean.org>
In-Reply-To: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com>
On Sat, 29 Jun 2002, John Long wrote:

> Running tag=RELENG_4_6
> FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002
> 4 boxes, 8 rebuilds, libc now this libbind thing.
>
> My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable.

Note, there are three separate problems here.

First, there is a libc resolver vulnerability. This is fixed in the base by the security team already. If your machines have a fixed libc, or if they are behind a BIND 9.2.1 resolver, they are safe; as long as they don't make any resolver calls that don't go through the actual 9.2.1 resolver.

Next, libbind has the same resolver bug as our libc did. BUT, if you don't link against libbind (and you'd know if you did) then you don't need to worry about it.

Finally, if you are actually running named on any of these machines, you should be using 8.3.3 if you're using BIND 8. You can build the bind8 port with:

    make clean ; make -DPORT_REPLACES_BASE_BIND8 install

and it will update the version of BIND on your system. You could also leave off the flag if you'd rather have the new bind in /usr/local, but 8.3.2-T1B had some icky bugs so I recommend just writing over it to be safe.

> Any ideas on when/if the new bind will be getting to 4_6 ?

I will be importing it into -current this weekend, if -current isn't too terribly broken. I'll give that a week or so to shake out before importing to RELENG_4. I doubt that the security officer team will want to import BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same work now, and will require less finagling.

Hope this helps,

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
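The reply above separates three questions an administrator has to answer for each box: is the running BIND 8 older than 8.3.3, and does anything on the host link against libbind. The following POSIX sh helpers, an added example that is not part of the original thread or of the FreeBSD project's own tooling, answer those two questions from text an administrator already has at hand: the version string `named -v` prints (the email's own "named 8.3.2-T1B Thu Jun 27 ..." line is used as the constructed sample) and the output of `ldd` for a binary. The libc question is not covered here, since it depends on the base system's patch level rather than on anything this script can parse.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): classify a BIND 8
# version string and an ldd listing against the two checks described in the reply.

# bind8_needs_update VERSION
# Returns 0 (true) when VERSION is a BIND 8 release older than 8.3.3, the
# fixed version named in the thread; returns 1 for 8.3.3 and later, and for
# any non-8.x major version (BIND 9 is out of scope for this check).
bind8_needs_update() {
    ver=$(printf '%s' "$1" | sed 's/-.*//')   # drop suffixes such as "-T1B"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}                          # "8.3" is treated as 8.3.0
    if [ "$major" != 8 ]; then return 1; fi
    if [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -lt 3 ]; then return 0; fi
    return 1
}

# version_from_named_v LINE
# Pulls the version token out of a "named <version> <build date>" line.
version_from_named_v() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# links_libbind LDD_OUTPUT
# Returns 0 when the ldd listing references a libbind shared object.
links_libbind() {
    if printf '%s\n' "$1" | grep -q 'libbind\.so'; then
        return 0
    fi
    return 1
}

# Constructed sample data so the script runs stand-alone; on a real host you
# would feed it `named -v 2>&1` and `ldd /path/to/binary` instead.
SAMPLE_NAMED_V='named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002'
SAMPLE_LDD='        libc.so.4 => /usr/lib/libc.so.4 (0x28070000)
        libbind.so.1 => /usr/local/lib/libbind.so.1 (0x28100000)'

# report_host NAMED_V_LINE LDD_OUTPUT
# Prints a one-line verdict per check; the functions above carry the logic so
# the verdicts can be tested without parsing printed text.
report_host() {
    v=$(version_from_named_v "$1")
    if bind8_needs_update "$v"; then
        echo "named $v: older than 8.3.3, rebuild the bind8 port"
    else
        echo "named $v: not a pre-8.3.3 BIND 8 release"
    fi
    if links_libbind "$2"; then
        echo "binary links against libbind: the libbind resolver bug applies"
    else
        echo "binary does not link against libbind"
    fi
}

report_host "$SAMPLE_NAMED_V" "$SAMPLE_LDD"
```

The version comparison deliberately strips the `-T1B` style suffix before comparing, because a test-candidate build such as 8.3.2-T1B is still a pre-8.3.3 tree and should be flagged.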