From: Xin LI
To: Matthew Seaman
Cc: freebsd-security@freebsd.org
Date: Fri, 18 Nov 2011 01:13:03 -0800
Subject: Re: Latest bind advisory

On Thu, Nov 17, 2011 at 11:40 PM, Matthew Seaman wrote:
> On 18/11/2011 04:22, sys Admin wrote:
>> On Thursday, November 17, 2011, Mike Tancsa wrote:
>>> On 11/17/2011 9:29 PM, sys Admin wrote:
>>>> Hi
>>>> Any plans to apply these patches to the bind version shipped with
>>>> FreeBSD ?
>>>>
>>>> http://www.isc.org/software/bind/advisories/cve-2011-tbd
>>>
>>> Hi,
>>>        They were committed already to RELENG_7,8 and 9
>>>
>>> eg
>>> http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315.html
>>>
>>>        ---Mike
>>>
>>
>> Not sure how I missed but thanks !
>
> Actually, it was patched in stable/7, stable/8, HEAD and ports --
> stable/9 is notably missing from that list.  Presumably stable/9 will be
> patched eventually, but as it's in the process of forking of the
> release/9.0 branch right now, the bind patches will have to wait.

stable/{7,8} and HEAD have the "best known fix" but we are still waiting for a final one (or decide if the existing solution had solved the problem completely, ISC is still working on investigation).

We (secteam@) will issue a security advisory once we are sure that the fix is finalized and yes, all supported branches would be patched at that time and update would be made available through freebsd-update, etc.

At this time it's advisable that users use the BIND version from ports, or use an alternative (e.g. dns/unbound), if resolving DNS server functionality is desired; it seems that authoritative-only DNS servers are NOT affected by the problem as far as we know.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die