From owner-freebsd-security@FreeBSD.ORG Fri Feb 2 07:19:49 2007
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 728A216A403 for ; Fri, 2 Feb 2007 07:19:49 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with SMTP id 1F35B13C48E for ; Fri, 2 Feb 2007 07:19:48 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 28230 invoked by uid 399); 2 Feb 2007 07:19:48 -0000
Received: from pool-71-107-56-242.lsanca.dsl-w.verizon.net (HELO lap.dougb.net) (dougb@dougbarton.us@71.107.56.242) by mail2.fluidhosting.com with SMTP; 2 Feb 2007 07:19:48 -0000
X-Originating-IP: 71.107.56.242
Message-ID: <45C2E612.5080002@FreeBSD.org>
Date: Thu, 01 Feb 2007 23:19:46 -0800
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (X11/20070116)
MIME-Version: 1.0
To: Mark Andrews
References: <200702012319.l11NJJ7r065204@drugs.dv.isc.org>
In-Reply-To: <200702012319.l11NJJ7r065204@drugs.dv.isc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org, Chris Marlatt
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Fri, 02 Feb 2007 07:19:49 -0000

Mark Andrews wrote:
>> Chris Marlatt wrote:
>>> Doug Barton wrote:
>>>> plan to MFC it after 4 or 5 days. I am actually considering only
>>>> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
>>>> to upgrade.
>>>>
>>> One would assume that the release would be supported up until the EOL
>>> provided on freebsd.org of May 31, 2008.
>> Yes, but whether a full upgrade is needed for "support" or not depends
>> on your definition. Given that FreeBSD is not vulnerable to these
>> issues in its default configuration, one could easily argue that an
>> upgrade for RELENG_5 isn't necessary.
>>
>> Doug
>
> The subject here is 9.3.4. All the issues raised
> in this thread so far were addressed as of 9.3.2-P2
> / 9.3.3. To the best of my knowledge these have
> already been addressed.
>
> There are two new issues for 9.3.4.
>
> CVE-2007-0494 which is only a problem if you are
> doing DNSSEC validation.
>
> CVE-2007-0493 to which any recursive 9.3.x (x<4) named
> is vulnerable.

Both of these are problems if you allow untrusted users access to the
name server (likely if you're in a production environment). The way
FreeBSD ships, named is off, and the example configuration files are set
up to create a recursive resolver that only listens on 127.0.0.1. I would
expect users who rely on BIND in a production setting to either have
upgraded to FreeBSD 6-stable, be using the port, or some other custom
configuration, or both.

Doug

--
This .signature sanitized for your protection
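The argument above turns on two settings: whether rc.conf turns named on at all, and whether named.conf keeps the resolver on 127.0.0.1 rather than reachable by other hosts. The script below is an added example, not code from this thread or from FreeBSD's own files: it audits rc.conf and named.conf text for exactly those properties, so an administrator can tell whether a given host is in the loopback-only shape Doug describes or in a production shape that would be exposed to a recursive-resolver bug such as CVE-2007-0493. The BIND option names (`listen-on`, `allow-recursion`, `recursion`) are real; the function names, the rc.conf and named.conf samples, and the simplification that each option clause sits on a single line are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): audit
# rc.conf and named.conf text for the two properties the discussion
# relies on. All sample configs are constructed; each named.conf clause
# is assumed to sit on one line.

# Print the items of "<option> { a; b; };" from the config on stdin, one
# per line, tolerating an optional "port N" between the option and "{".
clause_items() {
    sed -n "s/^[[:space:]]*$1\([[:space:]]*port[[:space:]]*[0-9][0-9]*\)\{0,1\}[[:space:]]*{\(.*\)};.*/\2/p" \
        | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# True (exit 0) if the config in $1 listens anywhere but loopback.
# No listen-on at all means every interface, which counts as exposed.
listens_beyond_loopback() {
    listen=$(printf '%s\n' "$1" | clause_items listen-on)
    [ -n "$listen" ] || return 0
    for addr in $listen; do
        case $addr in
            127.0.0.1|::1) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# True if the config in $1 will recurse for clients other than the local
# host: "recursion no;" disables recursion outright; otherwise BIND 9.3
# recurses for any client unless allow-recursion narrows the set.
recurses_for_remote() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*recursion[[:space:]]*no[[:space:]]*;' && return 1
    recurse=$(printf '%s\n' "$1" | clause_items allow-recursion)
    [ -n "$recurse" ] || return 0
    for who in $recurse; do
        case $who in
            localhost|127.0.0.1|::1) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# True only if rc.conf ($1) enables named AND named.conf ($2) both
# listens beyond loopback and recurses for remote clients.
named_at_risk() {
    printf '%s\n' "$1" | grep -q '^named_enable="\{0,1\}YES"\{0,1\}' || return 1
    listens_beyond_loopback "$2" || return 1
    recurses_for_remote "$2" || return 1
    return 0
}

# Constructed sample resembling the shipped shape: named off, loopback only.
RC_DEFAULT='named_enable="NO"'
CONF_LOOPBACK='options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
    allow-recursion { localhost; };
};'

# Constructed sample of a production-style resolver reachable by other hosts
# (192.0.2.53 is a documentation address, not a real server).
RC_PROD='named_enable="YES"'
CONF_OPEN='options {
    directory "/etc/namedb";
    listen-on port 53 { 192.0.2.53; 127.0.0.1; };
    allow-recursion { any; };
};'

# Stand-alone usage: report both constructed scenarios.
if named_at_risk "$RC_PROD" "$CONF_OPEN"; then
    echo "production sample: recursive named reachable beyond loopback"
fi
if named_at_risk "$RC_DEFAULT" "$CONF_LOOPBACK"; then
    echo "default sample: exposed"
else
    echo "default sample: named off or loopback-only, not exposed"
fi
```

Pointing the same functions at a real host's `/etc/rc.conf` and `/etc/namedb/named.conf` (read with `cat` into variables) gives the same yes/no answer; a config that uses multi-line clauses would need the single-line simplification in `clause_items` relaxed first.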