From: Mark.Andrews@isc.org
To: Brett Glass
Cc: Doug Barton, Pete Ehlke, security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
In-reply-to: Your message of "Sat, 29 Jun 2002 18:06:58 CST." <4.3.2.7.2.20020629180311.02b5b2d0@localhost>
Date: Sun, 30 Jun 2002 10:29:48 +1000
Message-Id: <200206300029.g5U0Tmm0062703@drugs.dv.isc.org>

> At 03:56 PM 6/29/2002, Doug Barton wrote:
>
> >You quoted the second page. The URL I left in the quotation above is the
> >announcement for 8.2.6, which says:
> >
> >Highlights vs. 8.2.5
> >    Security Fix libbind. All applications linked against libbind
> >    need to be relinked.
>
> So? That's not the version of libbind that's in 9.2.1. The version
> in 9.2.1 is vulnerable; I've checked the source.

No one is denying that the version in 9.2.1 is vulnerable.
You stated that 8.2.6 was vulnerable when it is not. Stop
complaining when people correct your mis-statement.

The "fix" for 9.2.1 is to use libbind from 8.2.6 or 8.3.3 until
we (ISC) make a new bind release (9.2.2/9.3.0/snapshot).

You can also just take the diff and patch the copy in 9.2.0/9.2.1.
It should work though I haven't tested it.

Mark

> --Brett
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: Mark.Andrews@isc.org