Date: Fri, 18 Nov 2011 01:13:03 -0800
From: Xin LI <delphij@gmail.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: Latest bind advisory
Message-ID: <CAGMYy3uj4KZbwv%2BfuktRp0oJ7emLdOZXWm0uV=EDtsY7iwLzjA@mail.gmail.com>
In-Reply-To: <4EC60C00.30001@infracaninophile.co.uk>
References: <CABR9mUCSrLq2kPP_j81WCGtfp%2BFPy3xBGq5U18a6VVVb9uTGZQ@mail.gmail.com> <4EC5CB06.4090302@sentex.net> <CABR9mUDthv7tbhZs%2B%2BxKNuEZQ2BCWUUJbTV_sTvDub1U4ie_8w@mail.gmail.com> <4EC60C00.30001@infracaninophile.co.uk>

On Thu, Nov 17, 2011 at 11:40 PM, Matthew Seaman
<m.seaman@infracaninophile.co.uk> wrote:
> On 18/11/2011 04:22, sys Admin wrote:
>> On Thursday, November 17, 2011, Mike Tancsa <mike@sentex.net> wrote:
>>> On 11/17/2011 9:29 PM, sys Admin wrote:
>>>> Hi
>>>> Any plans to apply these patches to the bind version shipped with
>>>> FreeBSD ?
>>>>
>>>> http://www.isc.org/software/bind/advisories/cve-2011-tbd
>>>
>>> Hi,
>>>        They were committed already to RELENG_7,8 and 9
>>>
>>> eg
>>> http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315.html
>>>
>>>        ---Mike
>>>
>>
>> Not sure how I missed but thanks !
>
> Actually, it was patched in stable/7, stable/8, HEAD and ports --
> stable/9 is notably missing from that list.  Presumably stable/9 will be
> patched eventually, but as it's in the process of forking off the
> release/9.0 branch right now, the bind patches will have to wait.

stable/{7,8} and HEAD have the "best known fix" but we are still
waiting for a final one (or decide if the existing solution had solved
the problem completely, ISC is still working on investigation).

We (secteam@) will issue a security advisory once we are sure that the
fix is finalized and yes, all supported branches would be patched at
that time and update would be made available through freebsd-update,
etc.

At this time it's advisable that users use the BIND version from
ports, or use an alternative (e.g. dns/unbound), if resolving DNS
server functionality is desired; it seems that authoritative-only DNS
servers are NOT affected by the problem as far as we know.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die