Date: Sun, 30 Jun 2002 19:00:01 -0700
From: Michael Han
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID: <20020630190001.L31022@giles.mikehan.com>
In-Reply-To: <4.3.2.7.2.20020629180311.02b5b2d0@localhost>

On Sat, Jun 29, 2002 at 06:06:58PM -0600, Brett Glass wrote:
> At 03:56 PM 6/29/2002, Doug Barton wrote:
>
> >You quoted the second page. The URL I left in the quotation above is the
> >announcement for 8.2.6, which says:
> >
> >Highlights vs. 8.2.5
> >
> > Security Fix libbind. All applications linked against libbind
> > need to relinked.
>
> So? That's not the version of libbind that's in 9.2.1. The version
> in 9.2.1 is vulnerable; I've checked the source.

Brett, your postings suggest that you don't understand the nature of the bug and libbind. libbind is an optional component which the vast majority of FreeBSD users would not have installed on their systems. Bind itself does not link to it in the default installation, and under no circumstances is the Bind named server a vector for risk. Only by installing the vulnerable libbind and linking software against it (this would not be the default behavior of any normally ported/portable software) can an installation of Bind introduce risk.

libbind is a *replacement* library (or it's possible that it could serve as the only implementation on a truly ancient and backwards system) providing name service resolution to applications that need that. Normally these services are gotten from the native C library, libc.

It takes some serious doing to cause any software on your system to be at risk because of a Bind installation, hence several rather patient people trying to explain that you're greatly exaggerating the risk and causing needless confusion.

-- 
mikehan+^$#&*@mikehan.com http://www.mikehan.com/
coffee achiever San Francisco, California
"Notice how I blame my own mistakes on the lack of rules?" - Dan Espen
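A check a reader of this thread might want, added here and not part of the original message or of BIND: a small sh script that classifies an executable's ldd(1) output by whether its resolver comes from libbind or from the base libc, and audits a list of binaries for libbind linkage. The library names, version numbers and /usr/local/lib path in the constructed sample are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example: find dynamically linked executables that pull in libbind
# (the optional BIND resolver library) instead of the base libc resolver.
# Library names and paths below are assumptions, not taken from the thread.

# Classify one executable's ldd(1) output, read from stdin.
# Prints "libbind" if libbind.so appears, "libc" if only the C library's
# resolver is in use, and "unknown" for static or non-executable files.
classify_resolver() {
    out=$(cat)
    case "$out" in
        *libbind.so*) echo libbind ;;
        *libc.so*)    echo libc ;;
        *)            echo unknown ;;
    esac
}

# Run ldd over each path given and report the ones linked against libbind.
# Returns 1 if any such executable was found, 0 otherwise.
audit_libbind() {
    found=0
    for f in "$@"; do
        [ -x "$f" ] || continue
        kind=$(ldd "$f" 2>/dev/null | classify_resolver)
        if [ "$kind" = libbind ]; then
            echo "$f: linked against libbind (relink after updating libbind)"
            found=1
        fi
    done
    return $found
}

# Demonstration on constructed ldd output (not captured from a real system).
SAMPLE_LIBBIND='libbind.so.3 => /usr/local/lib/libbind.so.3 (0x28070000)
libc.so.4 => /usr/lib/libc.so.4 (0x28100000)'
SAMPLE_LIBC='libc.so.4 => /usr/lib/libc.so.4 (0x28100000)'

printf '%s\n' "$SAMPLE_LIBBIND" | classify_resolver   # prints: libbind
printf '%s\n' "$SAMPLE_LIBC" | classify_resolver      # prints: libc
```

On a real host, run `audit_libbind /usr/local/bin/*` (or whichever directories hold locally built software) to list binaries that need relinking after a libbind update.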