From owner-freebsd-security Sat Jun 29 18:42:14 2002
Message-Id: <5.1.0.14.2.20020629173206.021c88e0@mail.sstec.com>
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 29 Jun 2002 17:42:08 -0700
To: Doug Barton, John Long
From: John Long
Subject: Re: named 8.3.2-T1B vulnerable?
Cc: security@FreeBSD.ORG
In-Reply-To: <20020629170827.K5428-100000@master.gorean.org>
References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 05:15 PM 6/29/2002, Doug Barton wrote:
>On Sat, 29 Jun 2002, John Long wrote:
>
>> Running tag=RELENG_4_6
>> FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002
>> 4 boxes, 8 rebuilds, libc now this libbind thing.
>>
>> My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable.
>
>Note, there are three separate problems here. First, there is a libc
>resolver vulnerability. This is fixed in the base by the security team
>already. If your machines have a fixed libc, or if they are behind a BIND
>9.2.1 resolver, they are safe; as long as they don't make any resolver
>calls that don't go through the actual 9.2.1 resolver.
>
>Next, libbind has the same resolver bug as our libc did. BUT, if you don't
>link against libbind (and you'd know if you did) then you don't need to
>worry about it.
>

Hello Doug, thanks for the very quick response.

Yes, I run 2 primary DNS servers that second for each other and about 600
domains. I do not trust the safety of the domains to anyone else. I would
rather overwrite the base; however, is there any downside to this, now or in
the future with the next build world... ?

>Finally, if you are actually running named on any of these machines, you
>should be using 8.3.3 if you're using BIND 8. You can build the bind8 port
>with:
>
>make clean ; make -DPORT_REPLACES_BASE_BIND8 install
>
>and it will update the version of BIND on your system. You could also
>leave off the flag if you'd rather have the new bind in /usr/local, but
>8.3.2-T1B had some icky bugs so I recommend just writing over it to be
>safe.
>
>> Any ideas on when/if the new bind will be getting to 4_6 ?
>
>I will be importing it into -current this weekend, if -current isn't too
>terribly broken. I'll give that a week or so to shake out before importing
>to RELENG_4. I doubt that the security officer team will want to import
>BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same
>work now, and will require less finagling.
>
>Hope this helps,
>
>Doug
>

With 8.3.2-T1B being so icky, should this subject not be mentioned on the
stable list? Is it not a security problem / potential root hole (I am sure
black hats are very busy right now), and therefore should it not go into
RELENG_4_6 as a -p2?

And thank you very much for bringing this up, Brett. I was fully under the
impression that the sup and build for RELENG_4_6-p1 fixed all possibilities
of this libc thing. Now I wonder just what else is there that has not been
disclosed or thought of thus far?

Finally, thanks to all the people/coders involved with open source and
FreeBSD :-)

John R. Long
Star Systems
818-344-9330
http://SSTec.com

Be sure to check out Aesop's Fables, over 660 of them.
http://AesopFables.com
Yahoo, Yahooligans and many others "Site of the week"
Over 35 million page views in 4.5 years.
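The thread's advice is that a BIND 8 older than 8.3.3 (such as the 8.3.2-T1B John reports) should be replaced via the bind8 port. The following POSIX sh helper is an added example, not part of the thread: it parses a `named -v` banner of the constructed form "named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002" and reports whether that build predates 8.3.3. The banner layout and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify a BIND 8 "named -v" banner against the 8.3.3
# threshold recommended in the thread. Banner format is an assumption
# based on the version string John quoted ("named 8.3.2-T1B ...").

# Extract "major.minor.patch" from a banner; the "-T1B" style suffix is
# dropped because a pre-release of 8.3.2 still sorts below 8.3.3.
bind8_version() {
    printf '%s\n' "$1" |
        sed -n 's/^named \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (0) when dotted version $1 is strictly older than $2.
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Exit status: 0 = BIND 8 older than 8.3.3 (rebuild from the bind8 port),
#              1 = 8.3.3 or newer,
#              2 = banner not a BIND 8 "named x.y.z" line (e.g. BIND 9).
bind8_needs_update() {
    v=$(bind8_version "$1")
    [ -z "$v" ] && return 2
    if version_lt "$v" 8.3.3; then return 0; else return 1; fi
}

# Stand-alone use: feed the live banner, e.g.
#   bind8_needs_update "$(named -v 2>&1)"; echo "status $?"
```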