From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
Date: Wed, 16 Feb 2011 12:57:57 -0800
To: freebsd-security@freebsd.org
Cc: Eric_vanGyzen@McAfee.com
Subject: Re: BIND 9.7.3 -- TCP DoS in SO_ACCEPTFILTER
Message-ID: <4D5C3A55.9030702@dougbarton.us>
In-Reply-To: <35F3A97D5BAF454C84582219ABFAE3EC010AD9A7FB59@AMERDALEXMB1.corp.nai.org>
List-Id: "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/16/2011 06:07, Eric_vanGyzen@McAfee.com wrote:
| The release notes for BIND 9.7.3 contain this:
|
| * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
|   allows for a TCP DoS attack. Until there is a kernel fix, ISC is
|   disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
|
| The CHANGES file also says:
|
| 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
|       [RT #22589]
|
| Can anyone tell me more? What releases are affected? Is a kernel
| patch in the works?

The SO_ACCEPTFILTER feature is off by default for DNS in FreeBSD, so if
you have not enabled it specifically, you're all set. :) If you have it
enabled my suggestion is that you disable it.

That said, the details of the issue are in the capable hands of the
security officer team, so I will defer to them for further comment at
the appropriate time. Meanwhile, you can safely deduce from the fact
that we have not been blaring the trumpets from the rooftops about this
issue that it is a fairly minor one.

hope this helps,

Doug

- --

        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)

iQEcBAEBCAAGBQJNXDpVAAoJEFzGhvEaGryE8CYH/AyW1tJNhFNS3alUFGiux8u3
6jxX74qNzM5xcB1Z+0Nq9ydAXWBl36WJJRnQ+SunQSeD2dKPt79OmaHAf2oNC4P6
DaCE+dbJ7tTLH6XlGSEPawmcSY28uhKvbi39G9sz74GamZOxB2+GuUOlH4lXXF7x
EvNV/0KCCeZ2jCvquZEPFG7fDOYhjHtpAeGKSjYysxhsxSHCKoscklGRG9prGu3t
kF/aEGeGPTva5G/IlHZqppdSjeaRgMUIpfFgmOtUeBvkmn9wAF2BVKrc+d+pK31y
hPFBCWtHEJ4MMoAPyQezgCkliCUx7ufw+ns/TQANE9fRhrmh6OClQZW8NE8Zoew=
=IXOE
-----END PGP SIGNATURE-----
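Editor's note, added after the thread and not part of either post: Doug's advice is to check whether you enabled accept filters and, if so, turn them off. On FreeBSD an accept filter is only available to named once its kernel module (accf_data, accf_dns or accf_http) is loaded, so the practical check is the module list. The script below parses a constructed sample of `kldstat` output (not captured from any real host), lists any accf_* modules, and emits the `kldunload` commands and the `<module>_load="YES"` loader.conf lines an admin would review so the module does not come back at next boot. The function names and the sample are this note's own assumptions, not anything from BIND or the FreeBSD project.

```python
import re

# Constructed sample of `kldstat` output (not from a real system). The
# last whitespace-separated column is the module name, e.g. "accf_dns.ko".
SAMPLE_KLDSTAT = """\
Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1234abc  kernel
 2    1 0xffffffff81e00000 2000     accf_dns.ko
 3    1 0xffffffff81e02000 2300     accf_data.ko
 4    1 0xffffffff81e05000 abcd     if_tap.ko
"""

# Accept-filter kernel modules are all named accf_<something>.
ACCEPT_FILTER_MODULE = re.compile(r"^accf_\w+$")


def loaded_accept_filters(kldstat_output):
    """Return accept-filter module names (without .ko) found in kldstat output."""
    found = []
    for line in kldstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Id":  # blank line or column header
            continue
        name = fields[-1]
        if name.endswith(".ko"):
            name = name[:-3]
        if ACCEPT_FILTER_MODULE.match(name):
            found.append(name)
    return found


def remediation_commands(modules):
    """kldunload commands for each loaded accept-filter module.

    Note: a module refuses to unload while a listening socket still has the
    filter attached, so named has to be stopped or restarted without the
    filter first.
    """
    return [f"kldunload {m}" for m in modules]


def loader_conf_lines_to_check(modules):
    """loader.conf entries that would reload the module at boot (remove them)."""
    return [f'{m}_load="YES"' for m in modules]


if __name__ == "__main__":
    mods = loaded_accept_filters(SAMPLE_KLDSTAT)
    if not mods:
        print("no accept-filter modules loaded; nothing to do")
    else:
        print("loaded accept filters:", ", ".join(mods))
        print("unload with:", "; ".join(remediation_commands(mods)))
        print("check /boot/loader.conf for:", ", ".join(loader_conf_lines_to_check(mods)))
```

On a live host the same check is `kldstat | python3 this_script.py` with `SAMPLE_KLDSTAT` swapped for `sys.stdin.read()`; the sample is embedded only so the script runs offline.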