Date:      Thu, 27 Jun 2002 11:20:59 +0200
From:      Stefano Riva <sriva@gufi.org>
To:        Mark.Andrews@isc.org, Brett Glass <brett@lariat.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv 
Message-ID:  <3.0.5.32.20020627112059.00a3f100@civetta.gufi.org>
In-Reply-To: <200206270118.g5R1Iom0030235@drugs.dv.isc.org>
References:  <Your message of "Wed, 26 Jun 2002 18:55:37 CST."             <4.3.2.7.2.20020626185228.00e8ad60@localhost>

At 11.18 27/06/02 +1000, Mark.Andrews@isc.org wrote:
>> >        Provided you are behind a nameserver you trust that reconstructs
>> >        the answer you should be fine.
>> >        BIND 9 reconstructs all answers (excluding forwarded UPDATES).
>> >        BIND 8 forwards some and reconstructs others.
>> Could an exploit be set up as a forwarded UPDATE?
>	No.
>> (Forgive me if
>> this is a naive question; I know that I need to become more familiar 
>> with DDNS.) If not, then installing BIND 9 and/or forcing clients 
>> to consult a BIND 9 server may be an acceptable workaround.

  OK, the Right Thing (TM) is to update the world + any extra binary
statically linked with libc which uses the resolver... but I for one manage
about 30 FreeBSD servers with lots of potentially "vulnerable" applications
and reading that such a simple workaround exists is... oxygen for my lungs!
So many firewalled networks have at least one caching DNS already used by
all clients. This workaround had not been mentioned by the announcement;
maybe an updated security advisory should be released. Just my opinion, of
course.

  I'll do the Right Thing ASAP; meanwhile thanks for the info, guys.

---

Stefano Riva
sriva@gufi.org
Gruppo Utenti FreeBSD Italia
http://www.gufi.org/

