Date: Wed, 9 Jul 2008 12:26:29 -0400
From: "Josh Mason"
To: "Peter Thoenen"
Cc: freebsd-security@freebsd.org, remko@elvandar.org, astorms@ncircle.com
Subject: Re: BIND update?
Message-ID: <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
In-Reply-To: <4874DD4B.5020608@yahoo.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com>

On 7/9/08, Peter Thoenen wrote:
>
> >
> > > Right, let's not act swiftly. That would be too much to ask. Is there any
> > > reason why FreeBSD is one of the last vendors to release patches for the
> > > vulnerability?
> >
>
> Actually IIRC all the press releases from the *alliance* stated 30 days, and as this is a fundamental flaw that has been known for the past 6 months and doesn't provide any sort of elevated privileges (or affect those smart enough to run DNSSEC like you should be, IIRC), it's really not a CRITICAL patch. It's more of a "when you get around to it", seriously. Let the Security Team do their job and quit pestering them on your "now now now, next day patch" wants for a trivial issue.
>

Somehow this totally unimportant vulnerability caught the attention of all major vendors to issue a synchronized release of the fix. Yet it's not worth our time to implement expeditiously...? Sure.

I agree, I should definitely enable DNSSEC. If for nothing other than the fact that it was vulnerable ~6 months ago, let me give myself yet another thing to wait for a fix on. Hurm... turn off DNSSEC while you wait for a patch... turn on DNSSEC while you wait for a patch.

And lastly, you're absolutely correct. My servers won't be compromised directly by this bug, so I shouldn't care when I implement the fix.

Thanks for your input.

Josh

P.S. It almost seemed as though you were saying that because something has been known for months but the fix was just released, there's little importance in implementing it swiftly. I like your logic. Or did I misunderstand you somehow?