On Wed, Jul 30, 2008 at 2:43 PM, skogzort <[EMAIL PROTECTED]> wrote:
> Hello,
> I'm trying to protect our DNS server from the vulnerability referred to in:
> CVE-2008-1447 and US-CERT Vulnerability Note VU#800113. I see that there is a
> patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not for
> 3.8.
> I have inherited an OpenBSD DNS server that provides external DNS for our web
> server and serves NTP for our infrastructure. I don't know UNIX or OpenBSD.
> I'm reading through the OpenBSD website and asking questions on the mailing
> lists to try and get an overview of what I need to do to upgrade/update/patch
> this server.
> It was suggested to me that I may have to "manually merge the patch", but
> I can't find any instructions for that. I know that if I could upgrade our
> release to 4.2 or 4.3 then I could follow the instructions in the patch
> itself, but I wonder if that would be more work and potential for mistakes
> than necessary.
No, do it that way. Upgrade your system cleanly. As a bonus, any other bugs/security holes that got fixed along the way will also be fixed for you. Since your system is so old, the best route for you is to just do a fresh install and then paste in the NTP and DNS config files (and turn named and ntpd back on in /etc/rc.conf).

> I was also told to use "ports", but I read that using
> ports was only for people who have experience with OpenBSD and beginners were
> not allowed to ask questions in mailing lists about using ports.
> What do you think: manually merge the patch, upgrade to 4.2 or 4.3 and apply,
> or use "ports"?

named is a part of the base system, so it is not in ports. ports are all the other programs you can install on the system.

> My inexperience is a factor, I am looking for the shortest steps (so there
> will be less chance for error) that will still allow for a quick revert,
> should the "fix" fail.

BACKUP, do you has it? Why don't you create the system in a virtual machine first and test it there? Once it's working, copy it out to a fresh disk, replace the disk in the box with that disk, make it work there, and -only then- do you wipe the old server disk and put it back on your extras rack. That's way safer than trying to do this to your live system.

Good luck, I know that the initial learning curve is very steep, and doing this on a deadline must be a lot of stress.

-Nick
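An added check that is not part of this thread: the CVE-2008-1447 fix in the newer BIND randomizes the UDP source port of outgoing queries, and that only helps if the pasted-in named.conf does not pin the query port. This shell function flags such a setting; the two configs and their paths are constructed samples, not files from the poster's server.

```shell
#!/bin/sh
# Added example, not code from this thread. The CVE-2008-1447 fix randomizes
# the UDP source port of outgoing queries; a fixed "query-source ... port N"
# in named.conf overrides that and leaves the server as exposed as before.
# Sample configs below are constructed; real paths are assumptions.

# Usage: check_query_source /path/to/named.conf
# Returns 0 if no fixed query port is set, 1 if one is found.
check_query_source() {
    # Drop // and # comments first so commented-out lines do not trigger
    # (multi-line /* */ comments are not handled; the check stays simple).
    if sed -e 's|//.*||' -e 's|#.*||' "$1" \
        | grep -E 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+' >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample: pins the outgoing port, defeating randomization.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;    // fixed port: randomization off
};
EOF

# Constructed sample: port left to the resolver; the commented line must not match.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
options {
    directory "/var/named";
    query-source address * port *;
    # query-source address * port 53;
};
EOF

for conf in "$WEAK_CONF" "$FIXED_CONF"; do
    if check_query_source "$conf"; then
        echo "$conf: no fixed query port, randomization stays in effect"
    else
        echo "$conf: fixed query-source port found, remove it before relying on the patch"
    fi
done
```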

