Date: Mon, 01 Jul 2002 12:08:43 +1000
From: Mark.Andrews@isc.org
To: Brett Glass <brett@lariat.org>
Cc: Pete Ehlke <pde@rfc822.net>, security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID: <200207010208.g6128hm0066820@drugs.dv.isc.org>
In-Reply-To: Your message of "Sat, 29 Jun 2002 22:10:05 CST." <4.3.2.7.2.20020629220046.02bed9a0@localhost>
> At 07:18 PM 6/29/2002, Pete Ehlke wrote:
>
> >You are aware, Brett, that you are lecturing one of the BIND authors on
> >the subtleties of the BIND source?
> >
> >Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There
> >is even a fixed v4.
>
> In short, you've gone back and created fixed versions of these
> "ancient" bloodlines?
>
> If so, that's good, but it doesn't help the majority of us.

You have been told how to fix the problem.

Install libbind from BIND 8 (that implies the include files).

BIND9: don't call configure with --enable-libbind (this is the default)
BIND8: remove "bin" from "SUBDIRS= include port lib bin" in the
       top level Makefile

Install both BIND 8 and BIND 9.

"--enable-libbind" effectively does just that.

Mark

> In particular, it doesn't help people who install FreeBSD now,
> or who maintain it and need to make sure that everything's fixed.
> We need BIND 9 (required to shield other systems, including Solaris
> and Windows boxes, which are likely vulnerable) and a fixed
> libbind. Oh, and a fixed Sendmail, which right now can only
> be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1,
> for some reason, does not have it.) And you can't install
> binary packages if they contain statically linked binaries.
>
> In short, right now, it's damnably difficult to secure existing
> FreeBSD systems or to create new ones (for which I have clients
> waiting). So, pardon me if I seem frustrated. I'm responsible
> for plugging all the holes in the dikes and for building several
> systems that I cannot, right now, build with confidence.
>
> --Brett

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org