Re: Waiting for BIND security announcement

2007-08-07 Thread Alex Zbyslaw

Jeffrey Goldberg wrote:

  But since I'm masochistic, I figure that I should inflict problems 
on myself like remembering to update the serial numbers myself.  (Big 
shouting reminder comments at both ends of the zone files seem to do 
the trick)


emacs zone-mode will do it automatically for you.  Still helps to have 
the reminders for the times you don't use emacs :-)


--Alex

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Waiting for BIND security announcement

2007-08-07 Thread Rakhesh Sasidharan


Just bumping this question of mine. I tried a freebsd-update fetch just 
now, but I still have no updates! And my system is still on 
6.2-RELEASE-p4. Is that normal or should I be concerned?


$ freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 6.2-RELEASE-p7.

$ uname -a
FreeBSD obelix.home.rakhesh.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: 
Thu Apr 26 17:40:53 UTC 2007 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386



Rakhesh Sasidharan wrote:



On Wed, 1 Aug 2007, Josh Carroll wrote:


You need wait no longer...the security advisory just went out with a patch:

http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc


I'm on FreeBSD 6.2-RELEASE-p4. If I do a freebsd-update shouldn't I get this? 
Or will there be a delay because binary patches have to be prepared for 
freebsd-update?


# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 6.2-RELEASE-p7.

Regards,
Rakhesh



Re: Waiting for BIND security announcement

2007-08-06 Thread Rakhesh Sasidharan


On Wed, 1 Aug 2007, Josh Carroll wrote:


You need wait no longer...the security advisory just went out with a patch:

http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc


I'm on FreeBSD 6.2-RELEASE-p4. If I do a freebsd-update shouldn't I get 
this? Or will there be a delay because binary patches have to be prepared for 
freebsd-update?


# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 6.2-RELEASE-p7.

Regards,
Rakhesh


Re: Waiting for BIND security announcement

2007-08-05 Thread Doug Barton
Rakhesh Sasidharan wrote:

 This has probably been asked before,

Heh, no, never. :)

 but if BIND is available in ports then why is it also available in
 contrib?

Couple of reasons, of relatively equal importance depending on who you
speak to. BSD systems have always (I haven't verified this, but
people who should know have told me) shipped with dns stuff on board,
so there is resistance to the idea of stripping it out for that
reason. The other thing that is a concern to a lot of people is that
BIND is more than just named. Take a look at the WITHOUT_BIND* knobs
in src.conf(1) in 7-current or make.conf(1) in 6-stable to get an idea
of how things break down. I have a standing offer to either remove
BIND from the base, or flip the defaults for some of those knobs to
NO if the community wants it that way.

 Are there any benefits in choosing the one in contrib over the one 
 in ports?

Advantage to the one in contrib is that it's right there, and the new
default named.conf (and associated files) makes it possible to start
up a local resolver out of the box.

If you want a greater degree of freedom in build-time configuration,
or you want a version other than what is in your base (for example,
you want to use 9.4.x but you're on a 6-stable machine), then you can
use the ports. The ports also have an option to overwrite the files in
the base if that makes things easier in your environment.

hth,

Doug

-- 

This .signature sanitized for your protection



Re: Waiting for BIND security announcement

2007-08-05 Thread Rakhesh Sasidharan



This has probably been asked before,


Heh, no, never. :)


That's a relief. :)


but if BIND is available in ports then why is it also available in
contrib?


Couple of reasons, of relatively equal importance depending on who you
speak to. BSD systems have always (I haven't verified this, but
people who should know have told me) shipped with dns stuff on board,
so there is resistance to the idea of stripping it out for that
reason. The other thing that is a concern to a lot of people is that
BIND is more than just named. Take a look at the WITHOUT_BIND* knobs
in src.conf(1) in 7-current or make.conf(1) in 6-stable to get an idea
of how things break down. I have a standing offer to either remove
BIND from the base, or flip the defaults for some of those knobs to
NO if the community wants it that way.


Makes sense. So to summarize the answer to my question:

* BIND is there in contrib because a lot of stuff depends on it and so it's 
best left there.


* BIND is also there in ports because the one there offers you a lot more 
build time options, is newer, gets updates faster, and is also easier to 
get up and running with out of the box (in some situations at least).


Neat! :)


Are there any benefits in choosing the one in contrib over the one
in ports?


Advantage to the one in contrib is that it's right there, and the new
default named.conf (and associated files) makes it possible to start
up a local resolver out of the box.

If you want a greater degree of freedom in build-time configuration,
or you want a version other than what is in your base (for example,
you want to use 9.4.x but you're on a 6-stable machine), then you can
use the ports. The ports also have an option to overwrite the files in
the base if that makes things easier in your environment.

hth,


Thanks!

Rakhesh



Doug

--

   This .signature sanitized for your protection





Re: Waiting for BIND security announcement

2007-08-04 Thread Rakhesh Sasidharan


Hi!

Was going through this slightly old thread and wanted to clear some things 
up for myself.





If you want to stay as close as possible to 6.2-RELEASE but also
include the fixes that the security officer deems important enough to
release widely, use the tag RELENG_6_2 (usually in your supfile for
cvsup or csup). If you want the latest code for 6-stable, which will
eventually become 6.3-RELEASE, use just RELENG_6.


I use 'freebsd-update' to keep my 6.2 installation up-to-date. So that 
means I would be following the RELENG_6_2 tag, right?



In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.


Are there other things in /usr/src/contrib that follow this pattern?


Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.


This has probably been asked before, but if BIND is available in ports 
then why is it also available in contrib? Are there any benefits in 
choosing the one in contrib over the one in ports?


Regards,
Rakhesh


Re: Waiting for BIND security announcement

2007-08-02 Thread Jeffrey Goldberg

On Aug 1, 2007, at 3:47 PM, Doug Barton wrote:


I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.


As someone has already noted in this thread, the wait is over.


When it comes to BIND stuff in particular, I always update the ports
first, so anyone with a mission critical DNS operation can get fixes
ASAP. There is even an option in the port to overwrite the base BIND
if you so desire.


Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my
name server to the big bad world while tracking RELENG_N_M (release
with patches) I'll use bind from ports.


In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.


Yes, I do mean a (low volume) authoritative name server for a small  
handful of low traffic vanity domains.  My intention is to set it up  
as a master which will transfer zone information to a professional  
DNS hosting service (dnspark.net whom I'm very happy with).


Currently I have to modify my zone information through DNSPark's web  
interface (which is very good and seems to allow everything except  
generate rules).  But since I'm masochistic, I figure that I should  
inflict problems on myself like remembering to update the serial  
numbers myself.  (Big shouting reminder comments at both ends of the  
zone files seem to do the trick)


Also, while I'm extremely happy with dnspark.net, having one instance  
of the authoritative zone data fully under my control makes me feel  
better.


-j


--
Jeffrey Goldberg    http://www.goldmark.org/jeff/

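Added example, not code from the thread: a small Python script that does the serial bump Jeffrey and Alex are talking about. It uses the YYYYMMDDnn convention and checks the result with the serial arithmetic of RFC 1982, which is the comparison a secondary (such as the hosting service Jeffrey transfers to) applies before it will pull the new zone. The zone text is constructed sample data and example.test is not a real domain; the SOA layout the regex expects (two names, an optional opening parenthesis, then the serial as the next number) is the common one and is an assumption of this example.

```python
#!/usr/bin/env python3
"""Bump the SOA serial of a BIND zone file.

Added example, not code from the thread. Uses the YYYYMMDDnn convention and
RFC 1982 serial arithmetic (the comparison a secondary applies) so that the
new serial is always seen as newer than the old one.
"""
import datetime
import re
import sys

SERIAL_BITS = 32
HALF = 2 ** (SERIAL_BITS - 1)
MODULUS = 2 ** SERIAL_BITS

# SOA RDATA is: MNAME RNAME ( SERIAL REFRESH RETRY EXPIRE MINIMUM ).
# Assumed layout: two names, an optional "(", optional comment lines, then
# the serial. Group 2 is the serial.
SOA_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)")

# Constructed sample zone; example.test is not a real domain.
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.test. hostmaster.example.test. (
        2007080701  ; Serial  <-- BUMP ME WHEN EDITING
        3600        ; Refresh
        900         ; Retry
        604800      ; Expire
        3600 )      ; Minimum
    IN  NS  ns1.example.test.
ns1 IN  A   192.0.2.53
"""


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is newer than b iff (a - b) mod 2^32 lies in (0, 2^31).
    A difference of exactly 2^31 is undefined and treated as 'not newer'."""
    d = (a - b) % MODULUS
    return 0 < d < HALF


def next_serial(old: int, today: datetime.date) -> int:
    """YYYYMMDD01 on the first edit of a day, otherwise old + 1.

    old + 1 also covers a zone that has had 99 edits today, or whose serial
    is already ahead of today's date: incrementing keeps it monotonic
    instead of jumping backwards, which a secondary would ignore."""
    base = int(today.strftime("%Y%m%d")) * 100
    new = base + 1 if old < base else (old + 1) % MODULUS
    if not serial_gt(new, old):  # defensive: never hand out an "older" serial
        new = (old + 1) % MODULUS
    return new


def bump_zone(text: str, today: datetime.date):
    """Return (new_text, old_serial, new_serial) for one zone file."""
    m = SOA_RE.search(text)
    if m is None:
        raise ValueError("no SOA record found")
    old = int(m.group(2))
    new = next_serial(old, today)
    start, end = m.span(2)
    return text[:start] + str(new) + text[end:], old, new


if __name__ == "__main__":
    # Usage: bump_serial.py /etc/namedb/master/example.test.db
    path = sys.argv[1]
    with open(path) as f:
        text, old, new = bump_zone(f.read(), datetime.date.today())
    with open(path, "w") as f:
        f.write(text)
    print(f"{path}: serial {old} -> {new}")
```

Run it on the master file before `rndc reload`; the check in serial_gt is the same one the secondary makes, so if the script refuses to go backwards the secondary would have refused the transfer too.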


Re: Waiting for BIND security announcement

2007-08-02 Thread Doug Barton
Jeffrey Goldberg wrote:

 Yes, I do mean a (low volume) authoritative name server for a small
 handful of low traffic vanity domains.  My intention is to set it up as
 a master which will transfer zone information to a professional DNS
 hosting service (dnspark.net whom I'm very happy with).

That's a great way to learn more about how DNS works, good luck!

Doug

-- 

This .signature sanitized for your protection


Re: Waiting for BIND security announcement

2007-08-01 Thread Jeffrey Goldberg

On Jul 31, 2007, at 10:05 PM, A.G. Russell IV wrote:


On Thu, Jul 26, 2007 at 10:48:10AM +0200, Zbigniew Szalbot wrote:

On 7/25/07, Doug Barton [EMAIL PROTECTED] wrote:


RELENG_6 was updated shortly after the release of 9.3.4. I'll be
updating RELENG_[56] with the new 9.3.4-P1 version after I'm done
regression testing it, which should be some time tonight. Same for
updating HEAD with 9.4.1-P1.


I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but
installed with the system. At least when I do pkg_info -Ix bind I am told
there is no such package installed). Where can I find information on BIND
upgrade? I tried freebsd-update but it did not think I needed any updates
:)




 mine, which was updated a few minutes ago, is still at bind 9.3.3


It appears that BIND has only been fixed in -STABLE and -CURRENT, but  
not in -RELEASE.  Does anyone know if there are plans to get this  
patched in 6.2?


For me it makes little difference since I am not (yet) running named  
in a publicly accessible way.  But my medium term plans for my DNS do  
involve me running a public nameserver on the latest RELEASE with all  
patches.


It does worry me if this kind of thing doesn't get patched in the  
latest RELEASE.


-j



--
Jeffrey Goldberg    http://www.goldmark.org/jeff/



Re: Waiting for BIND security announcement

2007-08-01 Thread Doug Barton
Jeffrey Goldberg wrote:

 It appears that BIND has only been fixed in -STABLE and -CURRENT, but
 not in -RELEASE.  Does anyone know if there are plans to get this
 patched in 6.2?
 
 For me it makes little difference since I am not (yet) running named in
 a publicly accessible way.  But my medium term plans for my DNS do
 involve me running a public nameserver on the latest RELEASE with all
 patches.
 
 It does worry me if this kind of thing doesn't get patched in the latest
 RELEASE.

Um, it doesn't work that way. 6.2-RELEASE is just a symbolic name
that is related to the files that have the RELENG_6_2_0_RELEASE flag.

If you want to stay as close as possible to 6.2-RELEASE but also
include the fixes that the security officer deems important enough to
release widely, use the tag RELENG_6_2 (usually in your supfile for
cvsup or csup). If you want the latest code for 6-stable, which will
eventually become 6.3-RELEASE, use just RELENG_6.

When it comes to BIND stuff in particular, I always update the ports
first, so anyone with a mission critical DNS operation can get fixes
ASAP. There is even an option in the port to overwrite the base BIND
if you so desire.

hth,

Doug

-- 

This .signature sanitized for your protection

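Added example of the supfile Doug refers to (not from the thread): the `release=cvs tag=` line is the only one that selects the branch, so RELENG_6_2 here gives the security-branch tree and RELENG_6 would give 6-stable. The host and the base/prefix paths follow the standard-supfile layout and are assumptions to adjust for your mirror and your tree.

```text
# csup(1) supfile for tracking the 6.2 security branch (added example)
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_6_2
*default delete use-rel-suffix
*default compress
src-all
```

Point csup(1) at the file (`csup /path/to/supfile`) and rebuild from /usr/src afterwards; `delete` matters, because without it files removed on the branch stay in your tree.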


Re: Waiting for BIND security announcement

2007-08-01 Thread Jeffrey Goldberg

On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:


If you want to stay as close as possible to 6.2-RELEASE but also
include the fixes that the security officer deems important enough to
release widely, use the tag RELENG_6_2 (usually in your supfile for
cvsup or csup). If you want the latest code for 6-stable, which will
eventually become 6.3-RELEASE, use just RELENG_6.


Thank you.  I wasn't clear in my original message.  I meant to talk  
about RELENG_6_2 which is what I meant when I said 6.2 Release with  
patches.  But I fully acknowledge that while I've used RCS for ages,  
I still don't fully grok branches and trunks (or HEADs in CVS), so I  
do state things badly and can always use the reminder of how things  
work.


Anyway, I was disappointed that the BIND fix didn't make it into  
RELENG_6_2.

But ...


When it comes to BIND stuff in particular, I always update the ports
first, so anyone with a mission critical DNS operation can get fixes
ASAP. There is even an option in the port to overwrite the base BIND
if you so desire.


Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my  
name server to the big bad world while tracking RELENG_N_M (release  
with patches) I'll use bind from ports.


Are there other things in /usr/src/contrib that follow this pattern?


hth,


Yes, it helps a great deal.  Thank you very much for your work on  
this and your patience with me.


-j


--
Jeffrey Goldberg    http://www.goldmark.org/jeff/



Re: Waiting for BIND security announcement

2007-08-01 Thread Philip M. Gollucci
Jeffrey Goldberg wrote:
 Are there other things in /usr/src/contrib that follow this pattern?
/usr/ports/mail/sendmail
/usr/src/usr.sbin/sendmail

It's very common to install
/usr/ports/security/cyrus-sasl2-saslauthd
add
# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
## Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

to /etc/make.conf and recompile
/usr/src/usr.sbin/sendmail



-- 

Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Senior System Admin - Riderway, Inc. http://riderway.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.



Re: Waiting for BIND security announcement

2007-08-01 Thread Colin Percival
Jeffrey Goldberg wrote:
 Anyway, I was disappointed that the BIND fix didn't make it into
 RELENG_6_2.

Give us a little time.  Unless an issue is exceptionally urgent, it
usually takes us about a week to confirm that we're affected, to get
a patch from upstream or create our own, to make sure the patch fixes
the issue and doesn't create any new problems (there have been several
issues lately where the upstream patches were broken), to confirm that
the patch applies cleanly to all of our supported branches, and to
write our advisory.

Usually the FreeBSD Security Team hears about issues in major contrib
code (e.g., sendmail, bind, openssl, openssh) ahead of time and is able
to prepare before the issues become public, but this time we didn't get
any advance warning.

Colin Percival


Re: Waiting for BIND security announcement

2007-08-01 Thread Doug Barton
Jeffrey Goldberg wrote:
 On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
 
 If you want to stay as close as possible to 6.2-RELEASE but also
 include the fixes that the security officer deems important enough to
 release widely, use the tag RELENG_6_2 (usually in your supfile for
 cvsup or csup). If you want the latest code for 6-stable, which will
 eventually become 6.3-RELEASE, use just RELENG_6.
 
 Thank you.  I wasn't clear in my original message.  I meant to talk
 about RELENG_6_2 which is what I meant when I said 6.2 Release with
 patches.  But I fully acknowledge that while I've used RCS for ages, I
 still don't fully grok branches and trunks (or HEADs in CVS), so I do
 state things badly and can always use the reminder of how things work.

I had a feeling that was what you meant, but I wanted to be sure it
was clear for other readers, and for the archives.

 Anyway, I was disappointed that the BIND fix didn't make it into
 RELENG_6_2.

I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.

 When it comes to BIND stuff in particular, I always update the ports
 first, so anyone with a mission critical DNS operation can get fixes
 ASAP. There is even an option in the port to overwrite the base BIND
 if you so desire.
 
 Ah-ha.  That makes a big difference.  OK.  If I'm going to expose my
 name server to the big bad world while tracking RELENG_N_M (release
 with patches) I'll use bind from ports.

In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.

If you're going to be doing a high-capacity authoritative server (or a
high load resolver for an internal network) your BEST bet is to
evaluate FreeBSD 7 (soon to be released) and BIND 9.4.x with threading
_enabled_. You'll get better performance by far in a high load situation.

 Are there other things in /usr/src/contrib that follow this pattern?

Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.

 hth,
 
 Yes, it helps a great deal.  Thank you very much for your work on this
 and your patience with me.

My pleasure. :)

Doug

-- 

This .signature sanitized for your protection



Re: Waiting for BIND security announcement

2007-08-01 Thread Josh Carroll
You need wait no longer...the security advisory just went out with a patch:

http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc

Josh


Re: Waiting for BIND security announcement

2007-07-31 Thread A.G. Russell IV
if you will look at /usr/src/contrib/bind9/version

your contents will look something like this:

# This file must follow /bin/sh rules.  It is imported directly via
# configure.
#
MAJORVER=9
MINORVER=3
PATCHVER=3
RELEASETYPE=
RELEASEVER=

Meaning mine, which was updated a few minutes ago, is still at bind 9.3.3 

A.G.

On Thu, Jul 26, 2007 at 10:48:10AM +0200, Zbigniew Szalbot wrote:
 
 Hello,
 
 On Thu, 26 Jul 2007 11:36:27 +0300, Abdullah Ibn Hamad Al-Marri
 [EMAIL PROTECTED] wrote:
  On 7/25/07, Doug Barton [EMAIL PROTECTED] wrote:
  
  RELENG_6 was updated shortly after the release of 9.3.4. I'll be
  updating RELENG_[56] with the new 9.3.4-P1 version after I'm done
  regression testing it, which should be some time tonight. Same for
  updating HEAD with 9.4.1-P1.
 
  The ports for bind9 and bind94 are already updated, so those with
  urgent needs can use that route to upgrade immediately.
 
 
  hope this helps,
 
  Doug
 
  --
 
  This .signature sanitized for your protection
 
  
  Thank you Doug for the hard work, I have updated my 3 boxes which run
  BIND 9 }:)
 
 I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but
 installed with the system. At least when I do pkg_info -Ix bind I am told
 there is no such package installed). Where can I find information on BIND
 upgrade? I tried freebsd-update but it did not think I needed any updates
 :)
 
 Thank you in advance!
 
 -- 
 Zbigniew Szalbot
 

-- 
___
A.G. Russell IV  KC5KFDThe Knife Company   e-mail:  [EMAIL PROTECTED]
Phone 479-631-0055 FAX 479-631-8734
Old Klingon Saying --  'oH  majQa' yIn je bang, Qo' bang
---
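Added example, not code from the thread or from FreeBSD: a Python check that reads the version file A.G. quotes and says whether the BIND in the tree is at or past the fixed release. The file follows /bin/sh rules (KEY=VALUE, `#` comments), so it is parsed as flat assignments. The fixed versions are the ones Doug names in the thread, 9.3.4-P1 for the 9.3 line and 9.4.1-P1 for the 9.4 line; the assumption that ISC records a patch release as `RELEASETYPE=-P` and `RELEASEVER=1` is the example's, as is the ordering alpha < beta < rc < final < patch release. The sample file contents are constructed to match what A.G. posted.

```python
#!/usr/bin/env python3
"""Check the BIND version recorded in /usr/src/contrib/bind9/version.

Added example, not code from the thread or from FreeBSD. The version file
follows /bin/sh rules (KEY=VALUE, '#' comments) and is parsed here as a flat
set of assignments. Fixed versions are those named in the thread.
"""
import re
import sys

# Constructed copy of the file as quoted in the thread (BIND 9.3.3, no suffix).
SAMPLE_VERSION_FILE = """\
# This file must follow /bin/sh rules.  It is imported directly via
# configure.
#
MAJORVER=9
MINORVER=3
PATCHVER=3
RELEASETYPE=
RELEASEVER=
"""

# First fixed release per major.minor line, as stated in the thread.
FIXED = {(9, 3): "9.3.4-P1", (9, 4): "9.4.1-P1"}

# Ordering of release types: alpha < beta < rc < final < patch release.
# Assumption: ISC writes a patch release as RELEASETYPE=-P RELEASEVER=1.
TYPE_RANK = {"a": 0, "b": 1, "rc": 2, "": 3, "-P": 4}
RANK_TYPE = {rank: name for name, rank in TYPE_RANK.items()}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(a|b|rc|-P)?(\d+)?$")


def parse_version_file(text):
    """Return the KEY=VALUE assignments as a dict; comments and blanks skipped."""
    assignments = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            assignments[key.strip()] = value.strip().strip("\"'")
    return assignments


def version_key(major, minor, patch, reltype="", relver=""):
    """Comparable tuple: (major, minor, patch, type rank, release number)."""
    if reltype not in TYPE_RANK:
        raise ValueError(f"unknown RELEASETYPE {reltype!r}")
    return (int(major), int(minor), int(patch), TYPE_RANK[reltype], int(relver or 0))


def key_from_file(text):
    v = parse_version_file(text)
    return version_key(v["MAJORVER"], v["MINORVER"], v["PATCHVER"],
                       v.get("RELEASETYPE", ""), v.get("RELEASEVER", ""))


def key_from_string(s):
    m = VERSION_RE.match(s)
    if m is None:
        raise ValueError(f"cannot parse version {s!r}")
    major, minor, patch, reltype, relver = m.groups()
    return version_key(major, minor, patch, reltype or "", relver or "")


def format_key(key):
    major, minor, patch, rank, relver = key
    suffix = "" if RANK_TYPE[rank] == "" else f"{RANK_TYPE[rank]}{relver}"
    return f"{major}.{minor}.{patch}{suffix}"


def check(text):
    """Return (version string, verdict): True when the tree is at or past the
    fixed release for its line, False when older, None when the line is not
    one the thread gives a fixed version for."""
    key = key_from_file(text)
    required = FIXED.get(key[:2])
    if required is None:
        return format_key(key), None
    return format_key(key), key >= key_from_string(required)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/src/contrib/bind9/version"
    with open(path) as f:
        version, ok = check(f.read())
    verdict = {True: "at or past the fixed release",
               False: "OLDER than the fixed release",
               None: "no fixed version known for this line, check the advisory"}[ok]
    print(f"{path}: BIND {version}: {verdict}")
```

This tells you what the source tree holds, which is what matters if you build from source; a box updated with freebsd-update has no /usr/src changes to inspect and you would check the installed binary with `named -v` instead.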


Re: Waiting for BIND security announcement

2007-07-26 Thread Zbigniew Szalbot

Hello,

On Thu, 26 Jul 2007 11:36:27 +0300, Abdullah Ibn Hamad Al-Marri
[EMAIL PROTECTED] wrote:
 On 7/25/07, Doug Barton [EMAIL PROTECTED] wrote:
 
 RELENG_6 was updated shortly after the release of 9.3.4. I'll be
 updating RELENG_[56] with the new 9.3.4-P1 version after I'm done
 regression testing it, which should be some time tonight. Same for
 updating HEAD with 9.4.1-P1.

 The ports for bind9 and bind94 are already updated, so those with
 urgent needs can use that route to upgrade immediately.


 hope this helps,

 Doug

 --

 This .signature sanitized for your protection

 
 Thank you Doug for the hard work, I have updated my 3 boxes which run
 BIND 9 }:)

I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but
installed with the system. At least when I do pkg_info -Ix bind I am told
there is no such package installed). Where can I find information on BIND
upgrade? I tried freebsd-update but it did not think I needed any updates
:)

Thank you in advance!

-- 
Zbigniew Szalbot



Re: Waiting for BIND security announcement

2007-07-26 Thread Abdullah Ibn Hamad Al-Marri

On 7/25/07, Doug Barton [EMAIL PROTECTED] wrote:


RELENG_6 was updated shortly after the release of 9.3.4. I'll be
updating RELENG_[56] with the new 9.3.4-P1 version after I'm done
regression testing it, which should be some time tonight. Same for
updating HEAD with 9.4.1-P1.

The ports for bind9 and bind94 are already updated, so those with
urgent needs can use that route to upgrade immediately.


hope this helps,

Doug

--

This .signature sanitized for your protection



Thank you Doug for the hard work, I have updated my 3 boxes which run
BIND 9 }:)
--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/


Re: Waiting for BIND security announcement

2007-07-24 Thread Simon L. Nielsen
[freebsd-security@ CC'ed to avoid answering the same there again
shortly :) - if following up, please drop either freebsd-questions or
freebsd-security to avoid spamming both lists]

On 2007.07.24 18:15:43 -0500, Jeffrey Goldberg wrote:

 As I'm sure many people know there is a newly discovered BIND vulnerability 
 allowing cache injection (pharming).  See
 
   http://www.isc.org/index.pl?/sw/bind/bind-security.php
 
 for details.
 
 The version of bind on 6.2, 9.3.3, looks like it is vulnerable (along with 
 many other versions).  It's not particularly an issue for me since my name 
 servers aren't publicly queryable, but I am curious about how things like 
 security problems in src/contrib get handled in FreeBSD.

Yes, the FreeBSD Security Team and the FreeBSD BIND maintainer are
aware of the issue and are working on fixing it in FreeBSD as soon as
possible.

More details about the issue can be found at:
http://www.isc.org/sw/bind/bind-security.php .

Our general security handling policies can be found at:
http://security.FreeBSD.org/ .

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer




Re: Waiting for BIND security announcement

2007-07-24 Thread Doug Barton
Simon L. Nielsen wrote:
 [freebsd-security@ CC'ed to avoid answering the same there again
 shortly :) - if following up, please drop either freebsd-questions or
 freebsd-security to avoid spamming both lists]
 
 On 2007.07.24 18:15:43 -0500, Jeffrey Goldberg wrote:
 
 As I'm sure many people know there is a newly discovered BIND vulnerability 
 allowing cache injection (pharming).  See

I think it's worth pointing out that cache injection and pharming are
not the same thing, although cache injection can be used as part of a
pharming attack.

I also think it's worth noting that this isn't an "all your queries
are belong to us" type of attack. The attack involves _predicting_
query id numbers which at _best_ will be successful only once in 16
tries. Then you have to actually time it right so that you can use
your guess.

Still, it is worth upgrading to avoid this issue.

   http://www.isc.org/index.pl?/sw/bind/bind-security.php

 for details.

 The version of bind on 6.2, 9.3.3,

RELENG_6 was updated shortly after the release of 9.3.4. I'll be
updating RELENG_[56] with the new 9.3.4-P1 version after I'm done
regression testing it, which should be some time tonight. Same for
updating HEAD with 9.4.1-P1.

The ports for bind9 and bind94 are already updated, so those with
urgent needs can use that route to upgrade immediately.


hope this helps,

Doug

-- 

This .signature sanitized for your protection
