Re: Waiting for BIND security announcement
Just bumping this question of mine. I tried a "freebsd-update fetch" just now, but I still have no updates! And my system is still on 6.2-RELEASE-p4. Is that normal or should I be concerned? $ freebsd-update fetch Looking up update.FreeBSD.org mirrors... 1 mirrors found. Fetching metadata signature from update1.FreeBSD.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 6.2-RELEASE-p7. $ uname -a FreeBSD obelix.home.rakhesh.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386 Rakhesh Sasidharan wrote: On Wed, 1 Aug 2007, Josh Carroll wrote: You need wait no longer...the security advisory just went out with a patch: http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc I'm on FreeBSD 6.2-RELEASE-p4. If I do a freebsd-update shouldn't I get this? Or will there be a delay coz binary patches have to be prepared for freebsd-update? # freebsd-update fetch Looking up update.FreeBSD.org mirrors... 1 mirrors found. Fetching metadata signature from update1.FreeBSD.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 6.2-RELEASE-p7. Regards, Rakhesh ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote: But since I'm masochistic, I figure that I should inflict problems on myself like remembering to update the serial numbers myself. (Big shouting reminder comments at both ends of the zone files seem to do the trick) emacs zone-mode will do it automatically for you. Still helps to have the reminders for the times you don't use emacs :-) --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
On Wed, 1 Aug 2007, Josh Carroll wrote: You need wait no longer...the security advisory just went out with a patch: http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc I'm on FreeBSD 6.2-RELEASE-p4. If I do a freebsd-update shouldn't I get this? Or will there be a delay coz binary patches have to be prepared for freebsd-update? # freebsd-update fetch Looking up update.FreeBSD.org mirrors... 1 mirrors found. Fetching metadata signature from update1.FreeBSD.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 6.2-RELEASE-p7. Regards, Rakhesh ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
This has probably been asked before, Heh, no, never. :) That's a relief. :) but if BIND is available in ports then why is it also available in contrib? Couple of reasons, of relatively equal importance depending on who you speak to. BSD systems have "always" (I haven't verified this, but people who should know have told me) shipped with dns stuff on board, so there is resistance to the idea of stripping it out for that reason. The other thing that is a concern to a lot of people is that BIND is more than just named. Take a look at the WITHOUT_BIND* knobs in src.conf(1) in 7-current or make.conf(1) in 6-stable to get an idea of how things break down. I have a standing offer to either remove BIND from the base, or flip the defaults for some of those knobs to "NO" if the community wants it that way. Makes sense. So to summarize the answer to my question: * BIND is there in contrib coz lot of stuff depends on it and so its best left there. * BIND is also there in ports coz the one there offers you a lot more build time options, is newer, gets updates faster, and is also easier to get up and running with out of the box (in some situations atleast). Neat! :) Are there any benefits in choosing the one in contrib over the one in ports? Advantage to the one in contrib is that it's right there, and the new default named.conf (and associated files) makes it possible to start up a local resolver "out of the box." If you want a greater degree of freedom in build-time configuration, or you want a version other than what is in your base (for example, you want to use 9.4.x but you're on a 6-stable machine), then you can use the ports. The ports also have an option to overwrite the files in the base if that makes things easier in your environment. hth, Thanks! Rakhesh Doug -- This .signature sanitized for your protection ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Rakhesh Sasidharan wrote: > This has probably been asked before, Heh, no, never. :) > but if BIND is available in ports then why is it also available in > contrib? Couple of reasons, of relatively equal importance depending on who you speak to. BSD systems have "always" (I haven't verified this, but people who should know have told me) shipped with dns stuff on board, so there is resistance to the idea of stripping it out for that reason. The other thing that is a concern to a lot of people is that BIND is more than just named. Take a look at the WITHOUT_BIND* knobs in src.conf(1) in 7-current or make.conf(1) in 6-stable to get an idea of how things break down. I have a standing offer to either remove BIND from the base, or flip the defaults for some of those knobs to "NO" if the community wants it that way. > Are there any benefits in choosing the one in contrib over the one > in ports? Advantage to the one in contrib is that it's right there, and the new default named.conf (and associated files) makes it possible to start up a local resolver "out of the box." If you want a greater degree of freedom in build-time configuration, or you want a version other than what is in your base (for example, you want to use 9.4.x but you're on a 6-stable machine), then you can use the ports. The ports also have an option to overwrite the files in the base if that makes things easier in your environment. hth, Doug -- This .signature sanitized for your protection ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Hi! Was going through this slightly old thread and wanted to clear somethings up for myself. If you want to stay as close as possible to 6.2-RELEASE but also include the fixes that the security officer deems important enough to release widely, use the tag RELENG_6_2 (usually in your supfile for cvsup or csup). If you want the latest code for 6-stable, which will eventually become 6.3-RELEASE, use just RELENG_6. I use 'freebsd-update' to keep my 6.2 installation up-to-date. So that means I would be following the RELENG_6_2 tag, right? In addition to security issues, the ports give you a greater degree of flexibility in how BIND is configured. If you're going to be offering a public name server (and by that I hope you mean authoritative, not recursive) on 6-stable you're probably better off using 9.4.x anyway, with the threading option disabled. Are there other things in /usr/src/contrib that follow this pattern? Sure, lots. Too many for me to list without having to think hard about it and potentially leave something out. This has probably been asked before, but if BIND is available in ports then why is it also available in contrib? Are there any benefits in choosing the one in contrib over the one in ports? Regards, Rakhesh ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote: > Yes, I do mean a (low volume) authoritative name server for a small > handful of low traffic vanity domains. My intention is to set it up as > a master which will transfer zone information to a professional DNS > hosting service (dnspark.net whom I'm very happy with). That's a great way to learn more about how DNS works, good luck! Doug -- This .signature sanitized for your protection ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
On Aug 1, 2007, at 3:47 PM, Doug Barton wrote:
I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.
As someone has already noted in this thread, the wait is over.
When it comes to BIND stuff in particular, I always update the ports
first, so anyone with a mission critical DNS operation can get fixes
ASAP. There is even an option in the port to overwrite the base BIND
if you so desire.
Ah-ha. That makes a big difference. OK. If I'm going to expose my
name server to the big bad world while tracking RELENG_N_M ("release
with patches") I'll use bind from ports.
In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.
Yes, I do mean a (low volume) authoritative name server for a small
handful of low traffic vanity domains. My intention is to set it up
as a master which will transfer zone information to a professional
DNS hosting service (dnspark.net whom I'm very happy with).
Currently I have to modify my zone information through DNSPark's web
interface (which is very good and seems to allow everything except
"generate" rules). But since I'm masochistic, I figure that I should
inflict problems on myself like remembering to update the serial
numbers myself. (Big shouting reminder comments at both ends of the
zone files seem to do the trick)
Also, while I'm extremely happy with dnspark.net, having one instance
of the authoritative zone data fully under my control makes me feel
better.
-j
--
Jeffrey Goldberghttp://www.goldmark.org/jeff/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
You need wait no longer...the security advisory just went out with a patch: http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc Josh ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote:
> On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
>
>> If you want to stay as close as possible to 6.2-RELEASE but also
>> include the fixes that the security officer deems important enough to
>> release widely, use the tag RELENG_6_2 (usually in your supfile for
>> cvsup or csup). If you want the latest code for 6-stable, which will
>> eventually become 6.3-RELEASE, use just RELENG_6.
>
> Thank you. I wasn't clear in my original message. I meant to talk
> about RELENG_6_2 which is what I meant when I said "6.2 Release with
> patches". But I fully acknowledge that while I've used RCS for ages, I
> still don't fully grok branches and trunks (or HEADs in CVS), so I do
> state things badly and can always use the reminder of how things work.
I had a feeling that was what you meant, but I wanted to be sure it
was clear for other readers, and for the archives.
> Anyway, I was disappointed that the BIND fix didn't make it into
> RELENG_6_2.
I can't speak for the security team, but I'm pretty sure that this
change is forthcoming.
>> When it comes to BIND stuff in particular, I always update the ports
>> first, so anyone with a mission critical DNS operation can get fixes
>> ASAP. There is even an option in the port to overwrite the base BIND
>> if you so desire.
>
> Ah-ha. That makes a big difference. OK. If I'm going to expose my
> name server to the big bad world while tracking RELENG_N_M ("release
> with patches") I'll use bind from ports.
In addition to security issues, the ports give you a greater degree of
flexibility in how BIND is configured. If you're going to be offering
a public name server (and by that I hope you mean authoritative, not
recursive) on 6-stable you're probably better off using 9.4.x anyway,
with the threading option disabled.
If you're going to be doing a high-capacity authoritative server (or a
high load resolver for an internal network) your BEST bet is to
evaluate FreeBSD 7 (soon to be release) and BIND 9.4.x with threading
_enabled_. You'll get better performance by far in a high load situation.
> Are there other things in /usr/src/contrib that follow this pattern?
Sure, lots. Too many for me to list without having to think hard about
it and potentially leave something out.
>> hth,
>
> Yes, it helps a great deal. Thank you very much for your work on this
> and your patience with me.
My pleasure. :)
Doug
--
This .signature sanitized for your protection
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote: > Are there other things in /usr/src/contrib that follow this pattern? /usr/ports/mail/sendmail /usr/src/usr.sbin/sendmail Its very common to install /usr/ports/security/cyrus-sasl2-saslauthd add # SASL (cyrus-sasl v2) sendmail build flags... SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2 SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl2 ## Adding to enable alternate port (smtps) for sendmail... SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL to /etc/make.conf and recompile /usr/src/usr.sbin/sendmail -- Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708 Senior System Admin - Riderway, Inc. http://riderway.com 1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB B89E 1324 9B4F EC88 A0BF Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote: > Anyway, I was disappointed that the BIND fix didn't make it into > RELENG_6_2. Give us a little time. Unless an issue is exceptionally urgent, it usually takes us about a week to confirm that we're affected, to get a patch from upstream or create our own, to make sure the patch fixes the issue and doesn't create any new problems (there have been several issues lately where the upstream patches were broken), to confirm that the patch applies cleanly to all of our supported branches, and to write our advisory. Usually the FreeBSD Security Team hears about issues in major "contrib" code (e.g., sendmail, bind, openssl, openssh) ahead of time and is able to prepare before the issues become public, but this time we didn't get any advance warning. Colin Percival ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
On Aug 1, 2007, at 2:13 PM, Doug Barton wrote:
If you want to stay as close as possible to 6.2-RELEASE but also
include the fixes that the security officer deems important enough to
release widely, use the tag RELENG_6_2 (usually in your supfile for
cvsup or csup). If you want the latest code for 6-stable, which will
eventually become 6.3-RELEASE, use just RELENG_6.
Thank you. I wasn't clear in my original message. I meant to talk
about RELENG_6_2 which is what I meant when I said "6.2 Release with
patches". But I fully acknowledge that while I've used RCS for ages,
I still don't fully grok branches and trunks (or HEADs in CVS), so I
do state things badly and can always use the reminder of how things
work.
Anyway, I was disappointed that the BIND fix didn't make it into
RELENG_6_2.
But ...
When it comes to BIND stuff in particular, I always update the ports
first, so anyone with a mission critical DNS operation can get fixes
ASAP. There is even an option in the port to overwrite the base BIND
if you so desire.
Ah-ha. That makes a big difference. OK. If I'm going to expose my
name server to the big bad world while tracking RELENG_N_M ("release
with patches") I'll use bind from ports.
Are there other things in /usr/src/contrib that follow this pattern?
hth,
Yes, it helps a great deal. Thank you very much for your work on
this and your patience with me.
-j
--
Jeffrey Goldberghttp://www.goldmark.org/jeff/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Jeffrey Goldberg wrote: > It appears that BIND has only been fixed in -STABLE and -CURRENT, but > not in -RELEASE. Does anyone know if there are plans to get this > patched in 6.2? > > For me it makes little difference since I am not (yet) running named in > a publicly accessible way. But my medium term plans for my DNS do > involve me running a public nameserver on the latest RELEASE with all > patches. > > It does worry me if this kind of thing doesn't get patched in the latest > RELEASE. Um, it doesn't work that way. "6.2-RELEASE" is just a symbolic name that is related to the files that have the RELENG_6_2_0_RELEASE flag. If you want to stay as close as possible to 6.2-RELEASE but also include the fixes that the security officer deems important enough to release widely, use the tag RELENG_6_2 (usually in your supfile for cvsup or csup). If you want the latest code for 6-stable, which will eventually become 6.3-RELEASE, use just RELENG_6. When it comes to BIND stuff in particular, I always update the ports first, so anyone with a mission critical DNS operation can get fixes ASAP. There is even an option in the port to overwrite the base BIND if you so desire. hth, Doug -- This .signature sanitized for your protection ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
On Jul 31, 2007, at 10:05 PM, A.G. Russell IV wrote: On Thu, Jul 26, 2007 at 10:48:10AM +0200, Zbigniew Szalbot wrote: On 7/25/07, Doug Barton <[EMAIL PROTECTED]> wrote: RELENG_6 was updated shortly after the release of 9.3.4. I'll be updating RELENG_[56] with the new 9.3.4-P1 version after I'm done regression testing it, which should be some time tonight. Same for updating HEAD with 9.4.1-P1. I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but installed with the system. At least when I do pgk_info -Ix bind I am told there is no such package installed). Where can I find information on BIND upgrade? I tried freebsd-update but it did not think I needed any updates :) mine, which was updated a few minutes ago, is still at bind 9.3.3 It appears that BIND has only been fixed in -STABLE and -CURRENT, but not in -RELEASE. Does anyone know if there are plans to get this patched in 6.2? For me it makes little difference since I am not (yet) running named in a publicly accessible way. But my medium term plans for my DNS do involve me running a public nameserver on the latest RELEASE with all patches. It does worry me if this kind of thing doesn't get patched in the latest RELEASE. -j -- Jeffrey Goldberghttp://www.goldmark.org/jeff/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
if you will look at /usr/src/contrib/bind9/version your contents will look something like this: # This file must follow /bin/sh rules. It is imported directly via # configure. # MAJORVER=9 MINORVER=3 PATCHVER=3 RELEASETYPE= RELEASEVER= Meaning mine, which was updated a few minutes ago, is still at bind 9.3.3 A.G. On Thu, Jul 26, 2007 at 10:48:10AM +0200, Zbigniew Szalbot wrote: > > Hello, > > On Thu, 26 Jul 2007 11:36:27 +0300, "Abdullah Ibn Hamad Al-Marri" > <[EMAIL PROTECTED]> wrote: > > On 7/25/07, Doug Barton <[EMAIL PROTECTED]> wrote: > > > >> RELENG_6 was updated shortly after the release of 9.3.4. I'll be > >> updating RELENG_[56] with the new 9.3.4-P1 version after I'm done > >> regression testing it, which should be some time tonight. Same for > >> updating HEAD with 9.4.1-P1. > >> > >> The ports for bind9 and bind94 are already updated, so those with > >> urgent needs can use that route to upgrade immediately. > >> > >> > >> hope this helps, > >> > >> Doug > >> > >> -- > >> > >> This .signature sanitized for your protection > >> > > > > Thank you Doug for the hard work, I have updated my 3 boxes which runs > > BIND 9 }:) > > I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but > installed with the system. At least when I do pgk_info -Ix bind I am told > there is no such package installed). Where can I find information on BIND > upgrade? I tried freebsd-update but it did not think I needed any updates > :) > > Thank you in advance! > > -- > Zbigniew Szalbot > > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[EMAIL PROTECTED]" -- ___ A.G. Russell IV KC5KFDThe Knife Company e-mail: [EMAIL PROTECTED] Phone 479-631-0055 FAX 479-631-8734 Old Klingon Saying -- 'oH majQa' yIn je bang, Qo' bang --- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Hello, On Thu, 26 Jul 2007 11:36:27 +0300, "Abdullah Ibn Hamad Al-Marri" <[EMAIL PROTECTED]> wrote: > On 7/25/07, Doug Barton <[EMAIL PROTECTED]> wrote: > >> RELENG_6 was updated shortly after the release of 9.3.4. I'll be >> updating RELENG_[56] with the new 9.3.4-P1 version after I'm done >> regression testing it, which should be some time tonight. Same for >> updating HEAD with 9.4.1-P1. >> >> The ports for bind9 and bind94 are already updated, so those with >> urgent needs can use that route to upgrade immediately. >> >> >> hope this helps, >> >> Doug >> >> -- >> >> This .signature sanitized for your protection >> > > Thank you Doug for the hard work, I have updated my 3 boxes which runs > BIND 9 }:) I am running FreeBSD 6.2-RELEASE-p6 and BIND 9.3.3 (not from ports but installed with the system. At least when I do pgk_info -Ix bind I am told there is no such package installed). Where can I find information on BIND upgrade? I tried freebsd-update but it did not think I needed any updates :) Thank you in advance! -- Zbigniew Szalbot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
On 7/25/07, Doug Barton <[EMAIL PROTECTED]> wrote: RELENG_6 was updated shortly after the release of 9.3.4. I'll be updating RELENG_[56] with the new 9.3.4-P1 version after I'm done regression testing it, which should be some time tonight. Same for updating HEAD with 9.4.1-P1. The ports for bind9 and bind94 are already updated, so those with urgent needs can use that route to upgrade immediately. hope this helps, Doug -- This .signature sanitized for your protection Thank you Doug for the hard work, I have updated my 3 boxes which runs BIND 9 }:) -- Regards, -Abdullah Ibn Hamad Al-Marri Arab Portal http://www.WeArab.Net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
Simon L. Nielsen wrote: > [freebsd-security@ CC'ed to avoid answering the same there again > shorly :) - if following up, please drop either freebsd-questions or > freebsd-securiy to avoid "spamming" both lists] > > On 2007.07.24 18:15:43 -0500, Jeffrey Goldberg wrote: > >> As I'm sure many people know there is a newly discovered BIND vulnerability >> allowing cache injection (pharming). See I think it's worth pointing out that cache injection and pharming are not the same thing, although cache injection can be used as part of a pharming attack. I also think it's worth noting that this isn't an "all your queries are belong to us" type of attack. The attack involves _predicting_ query id numbers which at _best_ will be successful only once in 16 tries. Then you have to actually time it right so that you can use your guess. Still, it is worth upgrading to avoid this issue. >> http://www.isc.org/index.pl?/sw/bind/bind-security.php >> >> for details. >> >> The version of bind on 6.2, 9.3.3, RELENG_6 was updated shortly after the release of 9.3.4. I'll be updating RELENG_[56] with the new 9.3.4-P1 version after I'm done regression testing it, which should be some time tonight. Same for updating HEAD with 9.4.1-P1. The ports for bind9 and bind94 are already updated, so those with urgent needs can use that route to upgrade immediately. hope this helps, Doug -- This .signature sanitized for your protection ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Waiting for BIND security announcement
[freebsd-security@ CC'ed to avoid answering the same there again shorly :) - if following up, please drop either freebsd-questions or freebsd-securiy to avoid "spamming" both lists] On 2007.07.24 18:15:43 -0500, Jeffrey Goldberg wrote: > As I'm sure many people know there is a newly discovered BIND vulnerability > allowing cache injection (pharming). See > > http://www.isc.org/index.pl?/sw/bind/bind-security.php > > for details. > > The version of bind on 6.2, 9.3.3, looks like it is vulnerable (along with > many other versions). It's not particularly an issue for me since my name > servers aren't publicly queryable, but I am curios about how things like > security problems in > src/contrib get handled in FreeBSD. Yes, the FreeBSD Security Team and the FreeBSD BIND maintainer are aware of the issue and are working on fixing it in FreeBSD as soon as possible. More details about the issue can be found at: http://www.isc.org/sw/bind/bind-security.php . Our general security handling policies can be found at: http://security.FreeBSD.org/ . -- Simon L. Nielsen FreeBSD Deputy Security Officer pgpfLpC7zupwl.pgp Description: PGP signature
Waiting for BIND security announcement
[I'm cc'ing this to [EMAIL PROTECTED], but they are probably already aware of things. I don't require a response from them, but if they do, a posting to the questions are announcement lists would be great. I don't need a personal response.] As I'm sure many people know there is a newly discovered BIND vulnerability allowing cache injection (pharming). See http://www.isc.org/index.pl?/sw/bind/bind-security.php for details. The version of bind on 6.2, 9.3.3, looks like it is vulnerable (along with many other versions). It's not particularly an issue for me since my name servers aren't publicly queryable, but I am curios about how things like security problems in src/contrib get handled in FreeBSD. Cheers, -j -- Jeffrey Goldberghttp://www.goldmark.org/jeff/
