Message-Id: <200207010208.g6128hm0066820@drugs.dv.isc.org>
To: Brett Glass
Cc: Pete Ehlke, security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
In-reply-to: Your message of "Sat, 29 Jun 2002 22:10:05 CST." <4.3.2.7.2.20020629220046.02bed9a0@localhost>
Date: Mon, 01 Jul 2002 12:08:43 +1000

> At 07:18 PM 6/29/2002, Pete Ehlke wrote:
>
> >You are aware, Brett, that you are lecturing one of the BIND authors on
> >the subtleties of the BIND source?
> >
> >Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There
> >is even a fixed v4.
>
> In short, you've gone back and created fixed versions of these
> "ancient" bloodlines?
>
> If so, that's good, but it doesn't help the majority of us.

You have been told how to fix the problem. Install libbind
from BIND 8 (that implies the include files).

BIND9: don't call configure with --enable-libbind (this is
       the default)
BIND8: remove "bin" from "SUBDIRS= include port lib bin" in
       the top level Makefile

Install both BIND 8 and BIND 9. "--enable-libbind" effectively
does just that.

Mark

> In particular, it doesn't help people who install FreeBSD now,
> or who maintain it and need to make sure that everything's fixed.
> We need BIND 9 (required to shield other systems, including Solaris
> and Windows boxes, which are likely vulnerable) and a fixed
> libbind. Oh, and a fixed Sendmail, which right now can only
> be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1,
> for some reason, does not have it.) And you can't install
> binary packages if they contain statically linked binaries.
>
> In short, right now, it's damnably difficult to secure existing
> FreeBSD systems or to create new ones (for which I have clients
> waiting). So, pardon me if I seem frustrated. I'm responsible
> for plugging all the holes in the dikes and for building several
> systems that I cannot, right now, build with confidence.
>
> --Brett

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org