Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
STeve Andre' said:

> You know what I expect? I expect the OpenBSD response will be excellent, and out on its own timeframe. Rushing a fix into place can be worse than not doing anything at all. I have no idea what they're doing, have no idea with whom they may be talking. But I know that it is being worked on, and will be a reasoned response to the problem. More than expect, I trust OpenBSD.

My thoughts exactly.

Steve
--
fivetrees ltd - for the complete music service
www: http://www.fivetrees.com
--
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8

As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD.

/Pete

On 9 Jul 2008, at 16:45, Zamri Besar wrote:

> Good morning,
>
> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
> http://www.kb.cert.org/vuls/id/800113
>
> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS? I don't know whether the above bug is related to this thread or not.
> http://marc.info/?l=openbsd-misc&m=118539211412877&w=2
>
> --
> Thank you.
> Yours truly,
> Zamri Besar
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Pete Vickers [EMAIL PROTECTED] writes:

> looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example:

Reading tea leaves^H^H^H^H^H^H^H^H^H^Hsource-changes has me thinking the BIND bug has spurred some activity in other parts of the tree, too (as in, bugs are never unique; in OpenBSD we look for patterns or whole classes of bugs and fix them).

> As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD.

AOL!

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Good morning,

Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
http://www.kb.cert.org/vuls/id/800113

I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS? I don't know whether the above bug is related to this thread or not.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

--
Thank you.
Yours truly,
Zamri Besar
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
You recently told me:

> Good morning,
>
> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
> http://www.kb.cert.org/vuls/id/800113
>
> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS?

OpenBSD's named is affected. It is a flaw in the DNS protocol, which means potentially *all* implementations are affected...

--
Mathieu
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Wed, Jul 09, 2008 at 10:45:09PM +0800, Zamri Besar wrote:

> Good morning,
>
> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
> http://www.kb.cert.org/vuls/id/800113
>
> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS? I don't know whether the above bug is related to this thread or not.
> http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

I think named on OpenBSD 4.3 is affected too. See
http://www.nabble.com/Actual-BIND-error---Patching-OpenBSD-4.3-named---td18357465.html

So long,

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Wed, Jul 09, 2008 at 04:52:39PM +0200, Mathieu SEGAUD wrote:

> You recently told me:
>
>> Good morning,
>>
>> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
>> http://www.kb.cert.org/vuls/id/800113
>>
>> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS?
>
> OpenBSD's named is affected. It is a flaw in the DNS protocol, which means potentially *all* implementations are affected...

Credit where credit is due: djbdns isn't.

Without specifics on the issue, I can't tell if OpenBSD's bind is truly vulnerable, but it certainly does use a fixed source port.

--
David Terrell [EMAIL PROTECTED] ((meatspace)) http://meat.net/
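The fixed-source-port point made above is the crux of this class of bug, so here is a toy model of it, added as an illustration for this thread; it is not code from OpenBSD, from ISC BIND or from any poster. The resolver in the model remembers the (transaction ID, UDP source port) pair of the query in flight and caches the first reply that matches it; an off-path attacker who cannot see the query floods forged replies and has to guess those values. Assumptions, chosen for the example only: the fixed-port resolver always queries from port 53, a randomizing resolver draws its port uniformly from 1024-65535, the attacker guesses uniformly with replacement, and the race ends when the real reply lands. The trick of forcing the victim to issue many fresh lookups so the attacker gets unlimited retries without waiting for a TTL to expire is not modelled; the model only shows how much entropy each design puts in the attacker's way per race.

```python
"""Toy model of DNS reply spoofing against a caching resolver, written as an
added example for this thread (not code from OpenBSD, ISC BIND or the posters).

A resolver sends a query and remembers the (transaction ID, UDP source port)
pair it used; it accepts the first reply whose (ID, destination port) matches.
An off-path attacker cannot see the query, so every forged reply is a guess.
With a fixed source port only the 16-bit ID is unknown; with a randomized
port the attacker has to guess both.  No packets are sent; everything below is
simulated with constructed values.
"""
import random

TXID_SPACE = 1 << 16                  # DNS transaction ID is 16 bits
PORT_LOW, PORT_HIGH = 1024, 65535     # assumed ephemeral range for randomized ports
FIXED_PORT = 53                       # assumed fixed query source port (an assumption for the model)


class ToyResolver:
    """Caching resolver that matches replies on (txid, port) only."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = None       # (txid, port) of the query in flight

    def send_query(self):
        txid = self.rng.randrange(TXID_SPACE)
        if self.randomize_port:
            port = self.rng.randint(PORT_LOW, PORT_HIGH)
        else:
            port = FIXED_PORT
        self.outstanding = (txid, port)
        return self.outstanding

    def accept_reply(self, txid, dst_port):
        """True if the reply is cached, i.e. it matched the in-flight query."""
        if self.outstanding is not None and (txid, dst_port) == self.outstanding:
            self.outstanding = None
            return True
        return False


def spoof_race(resolver, attacker_rng, n_forged):
    """One race: the attacker fires n_forged guessed replies before the real one."""
    resolver.send_query()
    for _ in range(n_forged):
        guess_txid = attacker_rng.randrange(TXID_SPACE)
        # the attacker knows whether the target randomizes, but not the value it chose
        if resolver.randomize_port:
            guess_port = attacker_rng.randint(PORT_LOW, PORT_HIGH)
        else:
            guess_port = FIXED_PORT
        if resolver.accept_reply(guess_txid, guess_port):
            return True
    resolver.outstanding = None       # the real reply arrives; the window closes
    return False


def poison_rate(randomize_port, n_forged, trials, seed=1):
    """Fraction of races the attacker wins (Monte Carlo, deterministic seed)."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_port, rng)
    wins = sum(spoof_race(resolver, rng, n_forged) for _ in range(trials))
    return wins / trials


def analytic_rate(randomize_port, n_forged):
    """P(at least one of n independent uniform guesses hits the right pair)."""
    space = TXID_SPACE * ((PORT_HIGH - PORT_LOW + 1) if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** n_forged


if __name__ == "__main__":
    n = 500
    for randomize in (False, True):
        label = "random port" if randomize else "fixed port "
        print(f"{label}: analytic {analytic_rate(randomize, n):.2e}, "
              f"simulated {poison_rate(randomize, n, 4000):.2e} "
              f"per race of {n} forged replies")
```

With 500 forged replies per race the fixed-port resolver loses roughly one race in 130, while the port-randomizing one loses roughly one in 8 million; both designs still accept a reply on nothing more than an ID and port match, which is why randomization raises the cost of the attack rather than removing it.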
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Why haven't the developers posted a formal announcement clarifying whether the distributed BIND is vulnerable? If so, where the hell is the patch?

-Nix Fan.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
> Why haven't the developers posted a formal announcement clarifying whether the distributed BIND is vulnerable? If so, where the hell is the patch?

You really should adjust your extremely pathetic attitude.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
You recently told me:

> On Wed, Jul 09, 2008 at 04:52:39PM +0200, Mathieu SEGAUD wrote:
>
>> You recently told me:
>>
>>> Good morning,
>>>
>>> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
>>> http://www.kb.cert.org/vuls/id/800113
>>>
>>> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS?
>>
>> OpenBSD's named is affected. It is a flaw in the DNS protocol, which means potentially *all* implementations are affected...
>
> Credit where credit is due: djbdns isn't.

Good to know. Thanks. Thus, potentially.

> Without specifics on the issue, I can't tell if OpenBSD's bind is truly vulnerable, but it certainly does use a fixed source port.

Stuart Henderson already answered this question on misc@ (12:10 UTC, today). Named is vulnerable. The resolver is not :)

--
Mathieu
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Love your gimme gimme attitude. If you spent half a second thinking about this:

1) They didn't contact OpenBSD about this.
2) It took them months to put the fix in.
3) It takes time to figure out what the issue is, figure out how to fix it, test, and deploy.
4) Time that is not spent responding to gimme idiots, that is.
5) Are you even running a caching server?

On 9 Jul 2008 08:48:24 -0700, Unix Fan [EMAIL PROTECTED] wrote:

> Why haven't the developers posted a formal announcement clarifying whether the distributed BIND is vulnerable? If so, where the hell is the patch?
>
> -Nix Fan.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Wednesday July 9 2008 10:48, you wrote:

> Why haven't the developers posted a formal announcement clarifying whether the distributed BIND is vulnerable? If so, where the hell is the patch?

Just curious, how much did you pay for your support contract? Clearly, if you feel you are so entitled to a quick patch, you must have paid a substantial sum in order to be so upset. Though I've given a few meager donations to OpenBSD, I have not paid for a support contract of any sort. Thus I am not entitled to any level of service and will have to wait patiently and without complaint just like everyone else.

Dan Ramaley                   Dial Center 118, Drake University
Network Programmer/Analyst    2407 Carpenter Ave
+1 515 271-4540               Des Moines IA 50311 USA
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Unix Fan wrote:

> Why haven't the developers posted a formal announcement clarifying whether the distributed BIND is vulnerable? If so, where the hell is the patch?
>
> -Nix Fan.

Pal, I believe you won't even BE affected by this issue. If so, it will take time. Time enough for the developers to correct it. There's been all this fuss in the security community about this today. I didn't see anyone saying they were affected. So why don't you cool down and let the devs do what they LIKE to do; they aren't paid for it, and most of the people who use OpenBSD don't even thank them, not to mention support them in any way. So take it easy, and watch very carefully what you write on this mailing list, because people won't be very happy with messages like this.

My 2 cents,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Thu, Jul 10, 2008 at 12:14 AM, Mathieu SEGAUD [EMAIL PROTECTED] wrote:

> You recently told me:
>
>> On Wed, Jul 09, 2008 at 04:52:39PM +0200, Mathieu SEGAUD wrote:
>>
>>> You recently told me:
>>>
>>>> Good morning,
>>>>
>>>> Today I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning.
>>>> http://www.kb.cert.org/vuls/id/800113
>>>>
>>>> I checked the above site and found that the status of most of the *BSDs is unknown. Does this bug affect OpenBSD's default BIND DNS?
>>>
>>> OpenBSD's named is affected. It is a flaw in the DNS protocol, which means potentially *all* implementations are affected...
>>
>> Credit where credit is due: djbdns isn't.
>
> Good to know. Thanks. Thus, potentially.
>
>> Without specifics on the issue, I can't tell if OpenBSD's bind is truly vulnerable, but it certainly does use a fixed source port.
>
> Stuart Henderson already answered this question on misc@ (12:10 UTC, today). Named is vulnerable. The resolver is not :)
>
> --
> Mathieu

I've just finished re-reading it right now. Thank you for the input, and I agree that at this moment we will wait for the latest official update from the OpenBSD developers.

And probably a minor update for those who are deploying it over Debian. Looks like it is time to patch it.
http://www.debian.org/security/2008/dsa-1603

Have a nice day!

-zamri-
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Wed, Jul 09, 2008 at 12:22:17PM -0400, bofh wrote:

> Love your gimme gimme attitude. If you spent half a second thinking about this:

Hehehe ;)

Furthermore, you can see in the US-CERT note that this VULN was:

Date First Published 07/08/2008 02:46:15 PM

As you know, some developers may live outside .us in a different timezone (and developers in .us/.ca have to work at this time). So in e.g. Europe this was yesterday evening.

You can accelerate proceedings by a) donating to OpenBSD and b) - if you need this patch REALLY FAST - hiring a paid consultant to develop the patch and send it to the list.

And OpenBSD doesn't have an SLA ...

So long,

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
bofh wrote:

> 1) They didn't contact OpenBSD about this.

The CERT Advisory document (the MS Word doc file) claims that OpenBSD was notified on 2008-5-5 11:24:02. Obviously I have no idea if this is true. Since it seems almost everyone was caught without a patch on disclosure day, the notification list seems suspect.

The notification timeline in the document is somewhat interesting. Microsoft was notified first (okay, I understand the guy works there). A bunch of large corporations were notified on April 21, then ISC was notified on April 29. On May 5, it looks like they finally decided to notify everyone else.

I'm guessing they don't like Nixu, NetApp and Dragonfly, since they were notified on Thursday, July 3 (the day before a long weekend in the US), with public release on Tuesday July 8.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
I'm not one to condone shitty attitudes. However, I think in this case it's unfair to claim that one can have no expectations of OpenBSD with regards to security patches. If I could have no such expectations, I would not use OpenBSD in the first place. I have these expectations based on a very impressive security history for which the OpenBSD developers deserve much in the way of praise.

Additionally, loyal OpenBSD users may be interested in the details of the vulnerability disclosure. There very well may be loyal OpenBSD users who wish to very politely inform ISC that there are large numbers of BIND users who would appreciate the same level of cooperation between ISC and OpenBSD as ISC affords others.

On Wed, Jul 9, 2008 at 11:17 AM, Andreas Maus [EMAIL PROTECTED] wrote:

> On Wed, Jul 09, 2008 at 12:22:17PM -0400, bofh wrote:
>
>> Love your gimme gimme attitude. If you spent half a second thinking about this:
>
> Hehehe ;)
>
> Furthermore, you can see in the US-CERT note that this VULN was:
>
> Date First Published 07/08/2008 02:46:15 PM
>
> As you know, some developers may live outside .us in a different timezone (and developers in .us/.ca have to work at this time). So in e.g. Europe this was yesterday evening.
>
> You can accelerate proceedings by a) donating to OpenBSD and b) - if you need this patch REALLY FAST - hiring a paid consultant to develop the patch and send it to the list.
>
> And OpenBSD doesn't have an SLA ...
>
> So long,
>
> Andreas.
>
> --
> Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
> I'm not one to condone shitty attitudes. However, I think in this case it's unfair to claim that one can have no expectations of OpenBSD with regards to security patches. If I could have no such expectations, I would not use OpenBSD in the first place.

Then don't.

> I have these expectations based on a very impressive security history for which the OpenBSD developers deserve much in the way of praise.

And we will continue to try to stay ahead of the curve.

But please, bear with me, because I see you want to talk about expectations. Sure, let's talk about them.

First off, in this case just like in some other cases, you can _expect_ to wait for a proper OpenBSD patch, since we are not solving this by using the ISC solution. There are reasons, and they are our private reasons.

Meanwhile, I _expect_ that our developers will do a proper job, on their own time schedule. I also _expect_ that it will be the best solution to the problem.

I don't _expect_ that any pressure from our users will change their process at all.

I don't _expect_ that any of this will change any of the attitudes of people out there who are natural assholes, through and through, living lives of vocal _expectation_ without anything else to back them up. I don't _expect_ that any of them will go run some other operating system, either. I don't _expect_ that I would care if they did. I _expect_ they will remain assholes tomorrow, and next week, and next year too.

I don't _expect_ that any of those whiners have the skills to simply go and get the stock bind from ISC themselves, install it on their openbsd systems, and undo all the other hard work we've done in this area. I _expect_ that these people have difficulty running make.

I _expect_ that our developers will do the best job. And I don't _expect_ all of the people on our mailing lists to understand that.

> Additionally, loyal OpenBSD users may be interested in the details of the vulnerability disclosure. There very well may be loyal OpenBSD users who wish to very politely inform ISC that there are large numbers of BIND users who would appreciate the same level of cooperation between ISC and OpenBSD as ISC affords others.

Again, I don't see how you can _expect_ the developers to care anything about this thing which you _expect_. If we have private discussions with ISC, then those are our private discussions. If you have reservations about some communications not being public or such, then I can see that you _expect_ way too much.

Watch out -- having _expectations_ can lead to developing a shitty attitude really quickly. When you get to that point, you can _expect_ us to not give a shit.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Wednesday 09 July 2008 13:58:33 David Wilk wrote:

> I'm not one to condone shitty attitudes. However, I think in this case it's unfair to claim that one can have no expectations of OpenBSD with regards to security patches. If I could have no such expectations, I would not use OpenBSD in the first place. I have these expectations based on a very impressive security history for which the OpenBSD developers deserve much in the way of praise.
>
> Additionally, loyal OpenBSD users may be interested in the details of the vulnerability disclosure. There very well may be loyal OpenBSD users who wish to very politely inform ISC that there are large numbers of BIND users who would appreciate the same level of cooperation between ISC and OpenBSD as ISC affords others.

You know what I expect? I expect the OpenBSD response will be excellent, and out on its own timeframe. Rushing a fix into place can be worse than not doing anything at all. I have no idea what they're doing, have no idea with whom they may be talking. But I know that it is being worked on, and will be a reasoned response to the problem. More than expect, I trust OpenBSD.

--STeve Andre'
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Easy, Theo. I actually very much agree with you, and had not intended to stir anything up here. If users wish to get involved in an attempt (regardless of how hopeless) to encourage third parties to cooperate with OpenBSD developers, then you can certainly abstain from enabling that kind of help if you so choose. However, I wouldn't assign any malice to those seeking information that might enable them to do so.

I think perhaps you have an inflated impression of my expectations of OpenBSD and its dev team. So far, *my* expectations have always been met, and even if they were not, I wouldn't hold it against you or your team anyway. I understand the design philosophy behind "we make it for ourselves, and if you find it useful, go ahead and use it." However, if the users who buy the hardware pressure the hardware manufacturers to cooperate with OpenBSD devs, they can be quite helpful to the process.

On Wed, Jul 9, 2008 at 12:19 PM, Theo de Raadt [EMAIL PROTECTED] wrote:

>> I'm not one to condone shitty attitudes. However, I think in this case it's unfair to claim that one can have no expectations of OpenBSD with regards to security patches. If I could have no such expectations, I would not use OpenBSD in the first place.
>
> Then don't.
>
>> I have these expectations based on a very impressive security history for which the OpenBSD developers deserve much in the way of praise.
>
> And we will continue to try to stay ahead of the curve.
>
> But please, bear with me, because I see you want to talk about expectations. Sure, let's talk about them.
>
> First off, in this case just like in some other cases, you can _expect_ to wait for a proper OpenBSD patch, since we are not solving this by using the ISC solution. There are reasons, and they are our private reasons.
>
> Meanwhile, I _expect_ that our developers will do a proper job, on their own time schedule. I also _expect_ that it will be the best solution to the problem.
>
> I don't _expect_ that any pressure from our users will change their process at all.
>
> I don't _expect_ that any of this will change any of the attitudes of people out there who are natural assholes, through and through, living lives of vocal _expectation_ without anything else to back them up. I don't _expect_ that any of them will go run some other operating system, either. I don't _expect_ that I would care if they did. I _expect_ they will remain assholes tomorrow, and next week, and next year too.
>
> I don't _expect_ that any of those whiners have the skills to simply go and get the stock bind from ISC themselves, install it on their openbsd systems, and undo all the other hard work we've done in this area. I _expect_ that these people have difficulty running make.
>
> I _expect_ that our developers will do the best job. And I don't _expect_ all of the people on our mailing lists to understand that.
>
>> Additionally, loyal OpenBSD users may be interested in the details of the vulnerability disclosure. There very well may be loyal OpenBSD users who wish to very politely inform ISC that there are large numbers of BIND users who would appreciate the same level of cooperation between ISC and OpenBSD as ISC affords others.
>
> Again, I don't see how you can _expect_ the developers to care anything about this thing which you _expect_. If we have private discussions with ISC, then those are our private discussions. If you have reservations about some communications not being public or such, then I can see that you _expect_ way too much.
>
> Watch out -- having _expectations_ can lead to developing a shitty attitude really quickly. When you get to that point, you can _expect_ us to not give a shit.
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
--- On Wed, 7/9/08, STeve Andre' [EMAIL PROTECTED] wrote:

> I expect the OpenBSD response will be excellent, and out on its own timeframe.

I have to agree with this guy. The OpenBSD team always goes above and beyond what we see other vendors do. The solutions have lasting value, rather than quick fixes that break a year later. Anybody else remember the nvidia closed driver issue that Theo had foreseen years before it happened?

Trust these guys. They will deliver.

Brian