Date: Sun, 30 Jun 2002 13:47:51 -0700
From: Doug Barton <DougB@FreeBSD.org>
To: John Long <fbsd1@sstec.com>
Cc: security@FreeBSD.ORG
Subject: Re: named 8.3.2-T1B vulnerable?
Message-ID: <3D1F6E77.2C842E5B@FreeBSD.org>
References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> <5.1.0.14.2.20020629173206.021c88e0@mail.sstec.com>

John Long wrote:

> Hello Doug, thanks for the very quick response,

Glad to help.

> Yes I run 2 primary dns servers
> I would rather overwrite the base however is there any downside to this,
> now or in the future with the next build world... ?

Downside to it? I hope not, I've done it at Yahoo! for almost a year now. :) You should also put 'NO_BIND= true' in your /etc/make.conf to avoid spamming bind on your next buildworld. I left that part out of my previous message, sorry.

> With 8.3.2-T1B being so icky, should this subject not be mentioned on the
> stable list and is it not a security problem/potential root hole ( I am sure
> black hats are very busy right now) therefore should it not go into
> RELENG_4_6 as a -p2?

Well, let's be clear. The exploitable parts of the problem are in libc (fixed already) and in libbind from the BIND sources. The latter is seldom, if ever, used. I'll leave it up to the SO team to decide, I have no objection to doing the import.

However, the main ickiness of that code is performance-wise. In fixing some old bugs in 8.3.1, they introduced a few "quirks" that were subsequently fixed before 8.3.2-release. I had some servers testing 8.3.2-prior-to-release code, and they all fell over in various interesting ways. The bugs were fixed before I got around to reporting them though.

My personal belief is that people who are actually running name servers should be keeping up with such things, and therefore my saying, "Hey, the code in the base isn't the latest, and isn't recommended, so you should use the port to upgrade" really SHOULD be redundant.... but in the real world, you're probably right.

> Finally thanks to all the people/coders involved with open source and
> FreeBSD :-)

You're welcome. :) Thanks for the kind words... it's actually quite nice to hear once in a while.

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message