Date: Wed, 16 Feb 2011 12:57:57 -0800
From: Doug Barton <dougb@dougbarton.us>
To: freebsd-security@freebsd.org
Cc: Eric_vanGyzen@McAfee.com
Subject: Re: BIND 9.7.3 -- TCP DoS in SO_ACCEPTFILTER
Message-ID: <4D5C3A55.9030702@dougbarton.us>
In-Reply-To: <35F3A97D5BAF454C84582219ABFAE3EC010AD9A7FB59@AMERDALEXMB1.corp.nai.org>
References: <35F3A97D5BAF454C84582219ABFAE3EC010AD9A7FB59@AMERDALEXMB1.corp.nai.org>

On 02/16/2011 06:07, Eric_vanGyzen@McAfee.com wrote:
| The release notes for BIND 9.7.3 contain this:
|
| * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
|   allows for a TCP DoS attack. Until there is a kernel fix, ISC is
|   disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
|
| The CHANGES file also says:
|
| 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
|       [RT #22589]
|
| Can anyone tell me more? What releases are affected? Is a kernel patch in the works?

The SO_ACCEPTFILTER feature is off by default for DNS in FreeBSD, so if
you have not enabled it specifically, you're all set. :) If you have it
enabled, my suggestion is that you disable it.

That said, the details of the issue are in the capable hands of the
security officer team, so I will defer to them for further comment at
the appropriate time. Meanwhile, you can safely deduce from the fact
that we have not been blaring the trumpets from the rooftops about this
issue that it is a fairly minor one.

hope this helps,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much.
    -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/