Date: Sun, 30 Jun 2002 19:00:01 -0700
From: Michael Han <mikehan+^$#&*@mikehan.com>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID: <20020630190001.L31022@giles.mikehan.com>
In-Reply-To: <4.3.2.7.2.20020629180311.02b5b2d0@localhost>; from brett@lariat.org on Sat, Jun 29, 2002 at 06:06:58PM -0600
References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> <3D1E2D22.EBCE8199@FreeBSD.org> <4.3.2.7.2.20020629180311.02b5b2d0@localhost>
On Sat, Jun 29, 2002 at 06:06:58PM -0600, Brett Glass wrote:
> At 03:56 PM 6/29/2002, Doug Barton wrote:
>
> >You quoted the second page. The URL I left in the quotation above is the
> >announcement for 8.2.6, which says:
> >
> >Highlights vs. 8.2.5
> >    Security Fix libbind. All applications linked against libbind
> >    need to be relinked.
>
> So? That's not the version of libbind that's in 9.2.1. The version
> in 9.2.1 is vulnerable; I've checked the source.

Brett, your postings suggest that you don't understand the nature of the bug and libbind.

libbind is an optional component which the vast majority of FreeBSD users would not have installed on their systems. Bind itself does not link to it in the default installation, and under no circumstances is the Bind named server a vector for risk. Only by installing the vulnerable libbind and linking software against it (this would not be the default behavior of any normally ported/portable software) can an installation of Bind introduce risk.

libbind is a *replacement* library (or it's possible that it could serve as the only implementation on a truly ancient and backwards system) providing name service resolution to applications that need that. Normally these services are gotten from the native C library, libc.

It takes some serious doing to cause any software on your system to be at risk because of a Bind installation, hence several rather patient people trying to explain that you're greatly exaggerating the risk and causing needless confusion.

-- 
mikehan+^$#&*@mikehan.com
http://www.mikehan.com/
coffee achiever
San Francisco, California
"Notice how I blame my own mistakes on the lack of rules?" - Dan Espen
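The message turns on a verifiable fact: a libbind vulnerability only matters on a host where something is actually dynamically linked against libbind rather than libc's own resolver. The script below is an added example, not code from this thread or from the BIND or FreeBSD projects, showing how an administrator can settle that question with ldd(1). The `ldd_mentions_libbind` helper classifies ldd output; `scan_for_libbind` runs it over every executable or shared object under the directories you name. The directory list and the two sample ldd outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host for binaries or shared objects that are
# dynamically linked against libbind (the optional BIND resolver library
# discussed in the thread). Anything listed is what would need relinking
# or removal if the installed libbind were vulnerable; a libc-only host
# has nothing to relink. The paths and sample ldd output are constructed.

# ldd_mentions_libbind: read ldd(1)-style output on stdin and exit 0 if
# any dependency line names a libbind shared object, 1 otherwise.
ldd_mentions_libbind() {
    grep -q 'libbind\.so'
}

# scan_for_libbind DIR...: print each regular file under the given
# directories that is executable or looks like a shared object and whose
# dynamic dependencies (per ldd) include libbind. Static binaries and
# non-ELF files make ldd fail; their output is discarded, so they never match.
scan_for_libbind() {
    find "$@" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        if ldd "$f" 2>/dev/null | ldd_mentions_libbind; then
            printf '%s\n' "$f"
        fi
    done
}

# count_libbind_users DIR...: number of matches, for a one-line verdict.
count_libbind_users() {
    scan_for_libbind "$@" | wc -l | tr -d ' '
}

# Constructed samples of ldd output: a program linked against libbind
# (the case the thread worries about) and an ordinary libc-only program.
SAMPLE_LINKED_LIBBIND='    libbind.so.2 => /usr/local/lib/libbind.so.2 (0x2807e000)
    libc.so.4 => /usr/lib/libc.so.4 (0x280c3000)'
SAMPLE_LIBC_ONLY='    libc.so.4 => /usr/lib/libc.so.4 (0x280c3000)'

# Stand-alone run: classify the two samples, then scan the usual places a
# ports-installed libbind client would live (directory list is an assumption).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LINKED_LIBBIND" | ldd_mentions_libbind && echo "sample 1: links libbind"
    printf '%s\n' "$SAMPLE_LIBC_ONLY" | ldd_mentions_libbind || echo "sample 2: libc only"
    echo "libbind users under /usr/local: $(count_libbind_users /usr/local/bin /usr/local/sbin /usr/local/lib)"
fi
```

Run it as `sh audit_libbind.sh --demo`. An empty list from `scan_for_libbind` is the concrete evidence behind the message's point: with nothing linked against libbind, a libbind flaw is not reachable on that host, whatever version the BIND tarball shipped.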
