From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 21:07:42 2007
From: Doug Barton <dougb@FreeBSD.org>
Date: Thu, 01 Feb 2007 13:07:34 -0800
To: Chuck Swiger
Cc: freebsd-security@freebsd.org, Chris Marlatt
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C25696.10806@FreeBSD.org>
In-Reply-To: <45C24D57.3000704@mac.com>

Chuck Swiger wrote:
> Doug Barton wrote:
>> Chris Marlatt wrote:
> [ ... ]
>> Yes, but whether a full upgrade is needed for "support" or not depends
>> on your definition. Given that FreeBSD is not vulnerable to these
>> issues in its default configuration, one could easily argue that an
>> upgrade for RELENG_5 isn't necessary.
>
> I've been bitten by CVE-2006-4096, and have applied the workaround to
> limit the # of outstanding queries.

I have no doubt that users who have active name servers in a production
environment _will_ need to update their name servers to the latest and
greatest versions. The ports exist in part to facilitate using the
latest BIND on older versions of FreeBSD that will not be updated. You
can even use the option to have the ports overwrite what is in your base
system if that is important to you. (I developed that capability
precisely because at the time I was using the ports to upgrade BIND on
older systems.)

> I've got two nameservers tracking 5-STABLE

I am not sure how to respond to that. Many people much more
knowledgeable than I have said that production services should be
migrated to RELENG_6. I personally don't have any RELENG_5 systems
anymore, and don't plan to get any, which means that the build will be
untested on those platforms. It's unlikely that there will be any
problems, but not impossible.

That said, let me reiterate the point above. The ports exist for users
who need to run specific versions of BIND on older FreeBSD systems. The
way named is installed and configured _by default_ on FreeBSD, it is not
vulnerable to any of these issues unless you allow untrusted users to
access the local machine.

> I'm starting to feel thankful that my important domains include off-site
> secondaries which are running djbdns.

EGRATUITOUSBINDBASHING

> Does the FreeBSD security team have a position with regard to whether
> the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?

They are actually reviewing the issue as we speak. As I've said, I'll
abide by the secteam's request either way; I am simply stating a
preference.

Doug

-- 
This .signature sanitized for your protection
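As an added illustration of the two positions in the message above (this is not part of the original post, nor FreeBSD's own rc or named.conf files): a BIND 9 `options` block in the exposed shape that lets anyone who can reach the socket drive recursion, beside a restricted shape in the spirit of the loopback-only default Doug refers to. The option names are standard BIND 9 directives; that `recursive-clients` is the knob behind the "limit the # of outstanding queries" workaround is an assumption on my part, and the numeric values are illustrative.

```conf
// Added example, not from the original thread. Two named.conf "options"
// blocks for BIND 9; a real named.conf contains exactly one of them.

// (a) Exposed: recursion offered to every host that can reach the socket,
// so any remote client can drive the recursive-query code paths.
options {
    directory "/etc/namedb";
    listen-on { any; };
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { any; };
};

// (b) Restricted, resolver-only: bind to loopback so only local users can
// send queries at all, and cap outstanding recursive lookups so a single
// local user cannot exhaust the server. Treating recursive-clients as the
// "limit outstanding queries" workaround is an assumption; 1000 is the
// BIND 9.3 default, so 100 is a deliberate reduction for a small host.
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { 127.0.0.1; ::1; };
    allow-recursion { 127.0.0.1; ::1; };
    recursive-clients 100;
};
```

After reloading, `rndc status` reports the current and maximum recursive clients (`recursive clients: N/100` under shape (b)), and `sockstat -4l | grep named` should show named bound only to 127.0.0.1; if it shows `*:53`, the server is in shape (a) regardless of what the ACLs say, and the "untrusted local users" caveat in the message no longer bounds the exposure.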