From: Doug Barton <DougB@FreeBSD.org>
Organization: Triborough Bridge & Tunnel Authority
Date: Sun, 30 Jun 2002 13:37:03 -0700
To: Alessandro de Manzano
Cc: John Long, security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?
Message-ID: <3D1F6BEF.582E44D9@FreeBSD.org>
References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> <20020629170827.K5428-100000@master.gorean.org> <20020630192440.A18140@libero.sunshine.ale>
List: freebsd-security

Alessandro de Manzano wrote:

> I've a question about replacing with PORT_REPLACES_BASE_BIND8.
>
> If today I install BIND 8.3.3 from the port with that option it will
> overwrite the system one but next time I'll do a buildworld /
> installworld I'll get again 8.3.2-T1B or whatever RELENG_4(_6) will
> have that time.. right ?

Correct. There is currently a make.conf option for NO_BIND.
In addition, some of us are working on a more thorough solution which will
add some magic to the bsd.*.mk files so that you can put
PORT_REPLACES_BASE_FOO in your /etc/make.conf, and it will automatically
imply NO_FOO as well. Currently I'm testing a final buildworld for the bind
8.3.3 import on -current. Once that's done, I'll be sending some patches
and more info on this topic to the freebsd-arch mailing list.

> More, I'll get an entry in the installed packages database for BIND
> 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lose
> the real/overwritten BIND...

Yep. One of the things I'm adding to my little patch is to change the name
of the port from foo-version to foo-system-version when installing, to give
you a clue as to what's about to happen. BUT, you are absolutely right in
saying that this option is dangerous. However, there are lots of ways to
shoot yourself in the foot here... it's up to you to find a better target. :)

Also, the system will still run without BIND, unless of course you're using
that particular system as a name server. I have been using the "port
overwrites base" stuff at Yahoo! for almost a year, and we haven't had any
catastrophes yet.

Hope this helps,

Doug
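An added example, not code from Doug's message or from the FreeBSD build system: a small POSIX sh check for the exact mismatch the thread describes, a make.conf that sets PORT_REPLACES_BASE_BIND8 but not NO_BIND, so the port's named is installed now and the next installworld silently puts the base named back. It assumes the knob names exactly as written in the message, takes the make.conf path as an argument rather than reading /etc/make.conf, and the three sample files it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD build system): flag a
# make.conf in which PORT_REPLACES_BASE_BIND8 is defined but NO_BIND is not,
# the combination Alessandro asks about. Assumptions: the knob names are
# exactly those used in the message, and the file to check is passed in so
# constructed samples can be tested offline.

# var_is_defined FILE VAR
# Succeeds if VAR has an assignment (=, ?=, +=, :=) on a non-comment line.
var_is_defined() {
    sed -e 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*$2[[:space:]]*[?+:]?="
}

# check_make_conf FILE
# Returns 0 when the two knobs are consistent, 1 when a port-installed BIND
# would be overwritten by the next installworld.
check_make_conf() {
    conf=$1
    if ! var_is_defined "$conf" PORT_REPLACES_BASE_BIND8; then
        echo "$conf: base BIND in use; nothing to do"
        return 0
    fi
    if var_is_defined "$conf" NO_BIND; then
        echo "$conf: port replaces base BIND and NO_BIND is set; installworld leaves it alone"
        return 0
    fi
    echo "$conf: PORT_REPLACES_BASE_BIND8 set without NO_BIND; next installworld reinstalls base named"
    return 1
}

# write_samples DIR
# Constructed sample make.conf files (not from any real system).
write_samples() {
    dir=$1
    printf '# port replaces base, NO_BIND forgotten\nPORT_REPLACES_BASE_BIND8=yes\n' \
        > "$dir/make.conf.bad"
    printf 'PORT_REPLACES_BASE_BIND8=yes\nNO_BIND=  true\n' \
        > "$dir/make.conf.good"
    printf '# knob commented out, so base BIND stays\n# PORT_REPLACES_BASE_BIND8=yes\n' \
        > "$dir/make.conf.none"
}

# Run the check over the three samples and report each verdict.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in bad good none; do
        check_make_conf "$d/make.conf.$f" || :
    done
    rm -rf "$d"
}

demo
```

The check only looks at make.conf; it does not consult the package database, so a port installed with the knob set on the command line rather than in make.conf is still missed. Run it as `sh check_bind_knobs.sh` (a name chosen here) before a buildworld on a box that serves DNS from the ports BIND.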