From owner-freebsd-security Sat Jun 29 17:18:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0302537B400 for ; Sat, 29 Jun 2002 17:18:32 -0700 (PDT) Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67EF543E2F for ; Sat, 29 Jun 2002 17:16:49 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5U0FhBu094804; Sat, 29 Jun 2002 17:15:44 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5U0Fh8s005523; Sat, 29 Jun 2002 17:15:43 -0700 (PDT) Date: Sat, 29 Jun 2002 17:15:42 -0700 (PDT) From: Doug Barton To: John Long Cc: security@FreeBSD.org Subject: Re: named 8.3.2-T1B vulnerable? In-Reply-To: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> Message-ID: <20020629170827.K5428-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 29 Jun 2002, John Long wrote: > Running tag=RELENG_4_6 > FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002 > 4 boxes, 8 rebuilds, libc now this libbind thing. > > My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable. Note, there are three seperate problems here. First, there is a libc resolver vulnerability. This is fixed in the base by the security team already. If your machines have a fixed libc, or if they are behind a BIND 9.2.1 resolver, they are safe; as long as they don't make any resolver calls that don't go through the actual 9.2.1 resolver. Next, libbind has the same resolver bug as our libc did. BUT, if you don't link against libbind (and you'd know if you did) then you don't need to worry about it. Finally, if you are actually running named on any of these machines, you should be using 8.3.3 if you're using BIND 8. You can build the bind8 port with: make clean ; make -DPORT_REPLACES_BASE_BIND8 install and it will update the version of BIND on your system. You could also leave off the flag if you'd rather have the new bind in /usr/local, but 8.3.2-T1B had some icky bugs so I recommend just writing over it to be safe. > Any ideas on when/if the new bind will be getting to 4_6 ? I will be importing it into -current this weekend, if -current isn't too terribly broken. I'll give that a week or so to shake out before importing to RELENG_4. I doubt that the security officer team will want to import BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same work now, and will require less finagling. Hope this helps, Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message