Date: Sat, 29 Jun 2002 17:42:08 -0700 From: John Long <fbsd1@sstec.com> To: Doug Barton <DougB@FreeBSD.ORG>, John Long <fbsd1@sstec.com> Cc: security@FreeBSD.ORG Subject: Re: named 8.3.2-T1B vulnerable? Message-ID: <5.1.0.14.2.20020629173206.021c88e0@mail.sstec.com> In-Reply-To: <20020629170827.K5428-100000@master.gorean.org> References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 05:15 PM 6/29/2002, Doug Barton wrote: >On Sat, 29 Jun 2002, John Long wrote: > >> Running tag=RELENG_4_6 >> FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002 >> 4 boxes, 8 rebuilds, libc now this libbind thing. >> >> My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable. > >Note, there are three seperate problems here. First, there is a libc >resolver vulnerability. This is fixed in the base by the security team >already. If your machines have a fixed libc, or if they are behind a BIND >9.2.1 resolver, they are safe; as long as they don't make any resolver >calls that don't go through the actual 9.2.1 resolver. > >Next, libbind has the same resolver bug as our libc did. BUT, if you don't >link against libbind (and you'd know if you did) then you don't need to >worry about it. > Hello Doug, thanks for the very quick response, Yes I run 2 primary dns servers that second for each other and about 600 domains. I do not trust the safety of the domains to anyone else. I would rather overwrite the base however is there any downside to this, now or in the future with the next build world... ? >Finally, if you are actually running named on any of these machines, you >should be using 8.3.3 if you're using BIND 8. You can build the bind8 port >with: > >make clean ; make -DPORT_REPLACES_BASE_BIND8 install > >and it will update the version of BIND on your system. You could also >leave off the flag if you'd rather have the new bind in /usr/local, but >8.3.2-T1B had some icky bugs so I recommend just writing over it to be >safe. > >> Any ideas on when/if the new bind will be getting to 4_6 ? > >I will be importing it into -current this weekend, if -current isn't too >terribly broken. I'll give that a week or so to shake out before importing >to RELENG_4. I doubt that the security officer team will want to import >BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same >work now, and will require less finagling. > >Hope this helps, > >Doug > With 8.3.2-T1B being so icky, should this subject not be mentioned on the stable list and is it not a security problem/potential root hole ( I am sure black hats are very busy right now) therefore should it not go into RELENG_4_6 as a -p2? And thank you very much for bringing this up Brett. I was fully under the impression that the sup and build for RELENG_4_6-p1 fixed all possibilities of this libc thing. Now I wonder just what else is there that has not been disclosed or thought of thus far? Finally thanks to all the people/coders involved with open source and FreeBSD :-) John R. Long Star Systems 818-344-9330 http://SSTec.com Be sure to check out Aesop's Fables, over 660 of them. http://AesopFables.com Yahoo, Yahooligans and many others "Site of the week" Over 35 million page views in 4.5years. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.2.20020629173206.021c88e0>