Message-ID: <45BEE27D.1050804@FreeBSD.org>
Date: Mon, 29 Jan 2007 22:15:25 -0800
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: Dmitry A Grigorovich
Cc: freebsd-security@freebsd.org
In-Reply-To: <001601c74428$ff9d54b0$ab76ed54@odipw>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?

The bind9 port was updated the same day that the code and security advisory were released, so users who are actually vulnerable to these issues can update immediately.

I imported 9.3.4 into HEAD today, and plan to MFC it after 4 or 5 days. I am actually considering only MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x to upgrade.

Of the 3 advisories, 2 are only problems for those that run with DNSSEC validation. The other is only a problem for those that allow untrusted users access to named configured as a recursive resolver, and is a DoS vulnerability, not a remote exploit.

As always, if secteam@ asks me to accelerate the MFC schedule I will, but they haven't said anything to me yet.

hth,

Doug

-- 
This .signature sanitized for your protection