Date: Sun, 30 Jun 2002 20:37:52 -0600
From: Brett Glass <brett@lariat.org>
To: Michael Han <mikehan+^$#&*@mikehan.com>
Cc: security@FreeBSD.ORG
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
Message-ID: <4.3.2.7.2.20020630203234.00c65d60@localhost>
In-Reply-To: <20020630190001.L31022@giles.mikehan.com>
References: <4.3.2.7.2.20020629180311.02b5b2d0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> <3D1E2D22.EBCE8199@FreeBSD.org> <4.3.2.7.2.20020629180311.02b5b2d0@localhost>
At 08:00 PM 6/30/2002, Michael Han wrote:

>Brett, your postings suggest that you don't understand the nature of
>the bug and libbind. libbind is an optional component which the vast
>majority of FreeBSD users would not have installed on their systems.

This is good.

>Bind itself does not link to it in the default installation, and under
>no circumstances is the Bind named server a vector for risk.

Yes, that's what the CERT advisory said.

>Only by installing the vulnerable libbind and linking software against it
>(this would not be the default behavior of any normally
>ported/portable software) can an installation of Bind introduce risk.

That's what I'm concerned about. I want to make sure that I install a version that's not vulnerable, in case I do bring in something that links to it. ISC's description of the library suggests that it's useful and that apps do link to it.

>libbind is a *replacement* library (or it's possible that it could
>serve as the only implementation on a truly ancient and backwards
>system) providing name service resolution to applications that need
>that. Normally these services are gotten from the native C library,
>libc.

Which is another problem. I've got some machines dating back to FreeBSD 2.2.7 and 2.2.8 here, some of which I cannot just upgrade because they're running embedded systems or custom code. I've got to find a way to patch them. Hence the concern.

The latest gaggle of bugs is so pervasive that it's difficult to create new machines in which one can be confident, much less patch the older ones. I really hope that there will be a 4.6.1.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
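The thread's point is that only software linked against the optional libbind (not named, not the default libc resolver) is exposed by the libbind copy of the bug. The check an administrator would want is an inventory of which executables on a host actually pull in libbind. The script below is an added example, not from the thread or from FreeBSD or ISC; it assumes the library's file name contains "libbind" (as in libbind.so.N) and that ldd is available for resolving dependencies. The two sample ldd outputs are constructed so the script runs stand-alone even on a host without libbind installed.

```shell
#!/bin/sh
# Added example (not from the thread): find executables whose dynamic
# dependencies include libbind. The "libbind" name pattern is an assumption
# about how the library is installed; adjust it if your port names it differently.

# links_libbind: read ldd-style output on stdin; succeed (exit 0) when a
# libbind shared object appears among the resolved dependencies.
links_libbind() {
    grep -q 'libbind[^ ]*\.so'
}

# ldd_deps: print ldd output for one file. Non-dynamic files make ldd
# complain on stderr, which is dropped so they are simply skipped.
ldd_deps() {
    ldd "$1" 2>/dev/null
}

# scan_dir: print the path of every executable under $1 that links libbind.
scan_dir() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        if ldd_deps "$f" | links_libbind; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample ldd output: a binary that was linked against libbind.
sample_with_libbind() {
    cat <<'EOF'
	libbind.so.3 => /usr/local/lib/libbind.so.3 (0x28070000)
	libc.so.4 => /usr/lib/libc.so.4 (0x28090000)
EOF
}

# Constructed sample ldd output: a binary using only the native libc resolver.
sample_libc_only() {
    cat <<'EOF'
	libc.so.4 => /usr/lib/libc.so.4 (0x28070000)
EOF
}

# With a directory argument, scan it; otherwise demonstrate on the samples.
if [ -n "${1:-}" ]; then
    scan_dir "$1"
else
    sample_with_libbind | links_libbind && echo "sample 1: links libbind (affected)"
    sample_libc_only | links_libbind || echo "sample 2: libc only (not affected via libbind)"
fi
```

Run it as `sh scan.sh /usr/local/bin` (or over /usr/local/lib to catch shared objects that themselves depend on libbind); every path it prints needs to be rebuilt against a fixed libbind, while binaries that list only libc are covered by the libc fix instead.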