On 2008-07-30, Jason Crawford <[EMAIL PROTECTED]> wrote:
>> I'm trying to protect our DNS server from the vulnerability referred to in:
>> CVE-2008-1447 and US-Cert Vulnerability Note VU#800113. I see that there is
>> a patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not
>> for 3.8.

Take a look through these:

http://openbsd.org/errata38.html
http://openbsd.org/errata39.html
http://openbsd.org/errata40.html
http://openbsd.org/errata41.html
http://openbsd.org/errata42.html
http://openbsd.org/errata43.html

You should make a clean installation of 4.3 or a -current snapshot and
reconfigure (named.root moved so don't just copy the old config from
/var/named/etc/named.conf, you need to merge the relevant sections).

> It might be possible to backport the
> patches, but that is not something for the inexperienced/lighthearted.

It's not something for anyone, the experienced won't be patching BIND
on a 3.8 system either, they'd take the ~30 minutes to build a new
system. For someone who knows other unix-like OS but not OpenBSD, maybe
that's an hour or a bit more. For someone who doesn't know any unix-like
OS it's going to take longer, but this sort of task is something people
should be able to do for any OS they're using on a name server.