From owner-freebsd-security@FreeBSD.ORG Mon Jan 29 08:18:16 2007
Message-ID: <8e96a0b90701282353h769f2d8cjef1964e0cc30884a@mail.gmail.com>
Date: Mon, 29 Jan 2007 07:53:39 +0000
From: "mal content"
To: freebsd-security@freebsd.org
Subject: FreeBSD update MAC support?
X-BeenThere: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

Hi.

Any chance of getting a binary distribution compiled with "options MAC"?

I seem to remember some talk of enabling MAC by default in late 2005 but
I'm not sure it went anywhere.

cheers,
MC

From owner-freebsd-security@FreeBSD.ORG Mon Jan 29 14:02:40 2007
Message-ID: <8e96a0b90701290602w32c18025s1b8a9abf3501e0ce@mail.gmail.com>
Date: Mon, 29 Jan 2007 14:02:39 +0000
From: "mal content"
To: freebsd-security@freebsd.org
In-Reply-To: <8e96a0b90701282353h769f2d8cjef1964e0cc30884a@mail.gmail.com>
Subject: Re: FreeBSD update MAC support?

On 29/01/07, mal content wrote:
> Hi.
>
> Any chance of getting a binary distribution compiled with "options MAC"?
>
> I seem to remember some talk of enabling MAC by default in late 2005
> but I'm not sure it went anywhere.
>
> cheers,
> MC
>

Actually, just a binary distribution to be used with freebsd-update would
be sufficient. A system could be installed from a release CD and quickly
updated to the MAC distribution.

MC

From owner-freebsd-security@FreeBSD.ORG Tue Jan 30 05:04:53 2007
Message-ID: <001601c74428$ff9d54b0$ab76ed54@odipw>
Date: Tue, 30 Jan 2007 10:42:07 +0600
From: "Dmitry A Grigorovich"
To: freebsd-security@freebsd.org
Subject: What about BIND 9.3.4 in FreeBSD in base system ?

http://www.isc.org/sw/bind/view/?release=9.3.4

SECURITY ADVISORIES

  * CVE-2006-4095
    CERT Vulnerability Note VU#915404
    NISCC 172003
  * CVE-2006-4096
    CERT Vulnerability Note VU#697164
    NISCC 172003
  * CAN-2005-0034
    NISCC-UNIRAS 20050125-00059
    CERT Vulnerability Note VU#938617

[ODiP]
==
Dmitry Grigorovich

From owner-freebsd-security@FreeBSD.ORG Tue Jan 30 06:42:09 2007
Message-ID: <45BEE27D.1050804@FreeBSD.org>
Date: Mon, 29 Jan 2007 22:15:25 -0800
From: Doug Barton
To: Dmitry A Grigorovich
Cc: freebsd-security@freebsd.org
In-Reply-To: <001601c74428$ff9d54b0$ab76ed54@odipw>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?

The bind9 port was updated the same day that the code and security
advisory were released, so users who are actually vulnerable to these
issues can update immediately.

I imported 9.3.4 into HEAD today, and plan to MFC it after 4 or 5 days.
I am actually considering only MFC'ing it to RELENG_6 to help provide
some incentive for those on 5.x to upgrade.

Of the 3 advisories, 2 are only problems for those that run with DNSSEC
validation. The other is only a problem for those that allow untrusted
users access to named configured as a recursive resolver, and is a DoS
vulnerability, not a remote exploit.

As always, if secteam@ asks me to accelerate the MFC schedule I will,
but they haven't said anything to me yet.

hth,

Doug

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Tue Jan 30 20:18:13 2007
Message-ID: <45BFA1B3.9040000@rxsec.com>
Date: Tue, 30 Jan 2007 14:51:15 -0500
From: Chris Marlatt
To: Doug Barton
Cc: freebsd-security@freebsd.org
In-Reply-To: <45BEE27D.1050804@FreeBSD.org>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?

Doug Barton wrote:
>
> plan to MFC it after 4 or 5 days. I am actually considering only
> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
> to upgrade.
>

One would assume that the release would be supported up until the EOL
provided on freebsd.org of May 31, 2008.

From owner-freebsd-security@FreeBSD.ORG Tue Jan 30 22:30:29 2007
Message-ID: <45BFC6F3.2060907@rxsec.com>
Date: Tue, 30 Jan 2007 17:30:11 -0500
From: Chris Marlatt
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
In-Reply-To: <20070130221333.GP892@turion.vk2pj.dyndns.org>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?

Peter Jeremy wrote:
> On Tue, 2007-Jan-30 14:51:15 -0500, Chris Marlatt wrote:
>> Doug Barton wrote:
>>> plan to MFC it after 4 or 5 days. I am actually considering only
>>> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
>>> to upgrade.
>> One would assume that the release would be supported up until the EOL
>> provided on freebsd.org of May 31, 2008.
>
> "Support" does not mean that new features and upgrades are automatically
> back-ported. Security fixes and some bug-fixes will be provided. If you
> want new features, you may need to upgrade (hence Doug's suggestion that
> not MFCing bind 9.3.4 to RELENG_5 is an incentive to upgrade to 6.x).
>

Quite true, but as recent as the release of 5.5 (as well as all past 5
series releases) BIND was updated.

http://www.freebsd.org/releases/5.5R/relnotes-i386.html#CONTRIB

Is it unfair to assume this would continue to happen, if at the very
least to RELENG_5?

From owner-freebsd-security@FreeBSD.ORG Tue Jan 30 22:47:00 2007
Message-ID: <20070130221333.GP892@turion.vk2pj.dyndns.org>
Date: Wed, 31 Jan 2007 09:13:33 +1100
From: Peter Jeremy
To: Chris Marlatt
Cc: freebsd-security@freebsd.org
In-Reply-To: <45BFA1B3.9040000@rxsec.com>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?

On Tue, 2007-Jan-30 14:51:15 -0500, Chris Marlatt wrote:
>Doug Barton wrote:
>>plan to MFC it after 4 or 5 days. I am actually considering only
>>MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
>>to upgrade.
>
>One would assume that the release would be supported up until the EOL
>provided on freebsd.org of May 31, 2008.

"Support" does not mean that new features and upgrades are automatically
back-ported. Security fixes and some bug-fixes will be provided. If you
want new features, you may need to upgrade (hence Doug's suggestion that
not MFCing bind 9.3.4 to RELENG_5 is an incentive to upgrade to 6.x).

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 19:21:16 2007
Message-ID: <45C23DAA.9040108@FreeBSD.org>
Date: Thu, 01 Feb 2007 11:21:14 -0800
From: Doug Barton
To: Chris Marlatt
Cc: freebsd-security@freebsd.org
In-Reply-To: <45BFA1B3.9040000@rxsec.com>
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Feb 2007 19:21:16 -0000 Chris Marlatt wrote: > Doug Barton wrote: >> >> plan to MFC it after 4 or 5 days. I am actually considering only >> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x >> to upgrade. >> > > One would assume that the release would be supported up until the EOL > provided on freebsd.org of May 31, 2008. Yes, but whether a full upgrade is needed for "support" or not depends on your definition. Given that FreeBSD is not vulnerable to these issues in its default configuration, one could easily argue that an upgrade for RELENG_5 isn't necessary. Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 20:58:55 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3E33016A400 for ; Thu, 1 Feb 2007 20:58:55 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.freebsd.org (Postfix) with ESMTP id 1182513C4AA for ; Thu, 1 Feb 2007 20:58:54 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id B547360CB; Thu, 1 Feb 2007 15:28:11 -0500 (EST) X-Virus-Scanned: amavisd-new at codefab.com Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uW4Y4MkOsVPG; Thu, 1 Feb 2007 15:28:09 -0500 (EST) Received: from [192.168.1.251] (pool-68-161-114-230.ny325.east.verizon.net [68.161.114.230]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pi.codefab.com 
(Postfix) with ESMTP id E437A5DBD; Thu, 1 Feb 2007 15:28:08 -0500 (EST) Message-ID: <45C24D57.3000704@mac.com> Date: Thu, 01 Feb 2007 15:28:07 -0500 From: Chuck Swiger User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Doug Barton References: <001601c74428$ff9d54b0$ab76ed54@odipw> <45BEE27D.1050804@FreeBSD.org> <45BFA1B3.9040000@rxsec.com> <45C23DAA.9040108@FreeBSD.org> In-Reply-To: <45C23DAA.9040108@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Chris Marlatt Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Feb 2007 20:58:55 -0000 Doug Barton wrote: > Chris Marlatt wrote: [ ... ] > Yes, but whether a full upgrade is needed for "support" or not depends > on your definition. Given that FreeBSD is not vulnerable to these issues > in its default configuration, one could easily argue that an upgrade for > RELENG_5 isn't necessary. I've been bitten by CVE-2006-4096, and have applied the workaround to limit the # of outstanding queries. I've got two nameservers tracking 5-STABLE which were vulnerable to CVE-2006-4095, and I have no doubt that there are other people besides me who will be affected by CVE-2007-0493. I'm starting to feel thankful that my important domains include off-site secondaries which are running djbdns. Does the FreeBSD security team have a position with regard to whether the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch? 
-- -Chuck From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 21:07:42 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7951016A400 for ; Thu, 1 Feb 2007 21:07:42 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx21.fluidhosting.com [204.14.89.4]) by mx1.freebsd.org (Postfix) with SMTP id DDDED13C481 for ; Thu, 1 Feb 2007 21:07:41 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: (qmail 24575 invoked by uid 399); 1 Feb 2007 21:07:35 -0000 Received: from pool-71-160-74-191.lsanca.dsl-w.verizon.net (HELO lap.dougb.net) (dougb@dougbarton.us@71.160.74.191) by mail2.fluidhosting.com with SMTP; 1 Feb 2007 21:07:35 -0000 X-Originating-IP: 71.160.74.191 Message-ID: <45C25696.10806@FreeBSD.org> Date: Thu, 01 Feb 2007 13:07:34 -0800 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 2.0b2 (X11/20070116) MIME-Version: 1.0 To: Chuck Swiger References: <001601c74428$ff9d54b0$ab76ed54@odipw> <45BEE27D.1050804@FreeBSD.org> <45BFA1B3.9040000@rxsec.com> <45C23DAA.9040108@FreeBSD.org> <45C24D57.3000704@mac.com> In-Reply-To: <45C24D57.3000704@mac.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Chris Marlatt Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Feb 2007 21:07:42 -0000 Chuck Swiger wrote: > Doug Barton wrote: >> Chris Marlatt wrote: > [ ... ] >> Yes, but whether a full upgrade is needed for "support" or not depends >> on your definition. 
Given that FreeBSD is not vulnerable to these >> issues in its default configuration, one could easily argue that an >> upgrade for RELENG_5 isn't necessary. > > I've been bitten by CVE-2006-4096, and have applied the workaround to > limit the # of outstanding queries. I have no doubt that users who have active name servers in a production environment _will_ need to update their name servers to the latest and greatest versions. The ports exist in part to facilitate using the latest BIND on older versions of FreeBSD that will not be updated. You can even use the option to have the ports overwrite what is in your base system if that is important to you. (I developed that capability precisely because at the time I was using the ports to upgrade BIND on older systems.) > I've got two nameservers tracking 5-STABLE I am not sure how to respond to that. Many people much more knowledgeable than I have said that production services should be migrated to RELENG_6. I personally don't have any RELENG_5 systems anymore, and don't plan to get any, which means that the build will be untested on those platforms. It's unlikely that there will be any problems, but not impossible. That said, let me reiterate the point above. The ports exist for users who need to run specific versions of BIND on older FreeBSD systems. The way named is installed and configured _by default_ on FreeBSD, it is not vulnerable to any of these issues unless you allow untrusted users to access the local machine. > I'm starting to feel thankful that my important domains include off-site > secondaries which are running djbdns. EGRATUITOUSBINDBASHING > Does the FreeBSD security team have a position with regard to whether > the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch? They are actually reviewing the issue as we speak. As I've said, I'll abide by the secteam's request either way, I am simply stating a preference. 
Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Thu Feb 1 21:20:55 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1158A16A400 for ; Thu, 1 Feb 2007 21:20:55 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd4mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.freebsd.org (Postfix) with ESMTP id DF57313C441 for ; Thu, 1 Feb 2007 21:20:54 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd5mr3so.prod.shaw.ca (pd5mr3so-qfe3.prod.shaw.ca [10.0.141.144]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0JCS00J2BZAVU2G0@l-daemon> for freebsd-security@freebsd.org; Thu, 01 Feb 2007 14:20:55 -0700 (MST) Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148]) by pd5mr3so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006)) with ESMTP id <0JCS008TBZ4KT4D0@pd5mr3so.prod.shaw.ca> for freebsd-security@freebsd.org; Thu, 01 Feb 2007 14:17:09 -0700 (MST) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0JCS004PLYXNW911@l-daemon> for freebsd-security@freebsd.org; Thu, 01 Feb 2007 14:13:00 -0700 (MST) Received: (qmail 63375 invoked from network); Thu, 01 Feb 2007 21:12:58 +0000 Received: from unknown (HELO ?127.0.0.1?) 
(127.0.0.1) by localhost with SMTP; Thu, 01 Feb 2007 21:12:58 +0000 Date: Thu, 01 Feb 2007 13:12:58 -0800 From: Colin Percival In-reply-to: <45C24D57.3000704@mac.com> To: Chuck Swiger Message-id: <45C257DA.7010205@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <001601c74428$ff9d54b0$ab76ed54@odipw> <45BEE27D.1050804@FreeBSD.org> <45BFA1B3.9040000@rxsec.com> <45C23DAA.9040108@FreeBSD.org> <45C24D57.3000704@mac.com> User-Agent: Thunderbird 1.5.0.9 (X11/20061227) Cc: freebsd-security@freebsd.org, Chris Marlatt Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Feb 2007 21:20:55 -0000 Chuck Swiger wrote: > I've been bitten by CVE-2006-4096, and have applied the workaround to > limit the # of outstanding queries. I've got two nameservers tracking > 5-STABLE which were vulnerable to CVE-2006-4095 You realize that these two issues were addressed in FreeBSD-SA-06:20.bind on September 6th, right? 
Colin Percival

From: Chuck Swiger
Date: Thu, 01 Feb 2007 16:55:33 -0500
To: Colin Percival, freebsd-security@freebsd.org
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C261D5.60201@mac.com>
In-Reply-To: <45C257DA.7010205@freebsd.org>

Colin Percival wrote:
> Chuck Swiger wrote:
>> I've been bitten by CVE-2006-4096, and have applied the workaround to
>> limit the # of outstanding queries. I've got two nameservers tracking
>> 5-STABLE which were vulnerable to CVE-2006-4095
>
> You realize that these two issues were addressed in FreeBSD-SA-06:20.bind
> on September 6th, right?

Yes-- although it's not entirely clear that the problem of named terminating when exposed to high query rates has been entirely fixed, which is why I mentioned the additional 2007 CVE and am using "adnslogres -c 50" rather than 200 or 1000.

% grep Id /usr/src/contrib/bind9/bin/named/query.c
/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */
% named -v
BIND 9.3.2
% head /etc/stable-supfile
*default host=cvsup9.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5
*default delete use-rel-suffix

--
-Chuck

From: FreeBSD Security Officer
Date: Thu, 01 Feb 2007 14:16:51 -0800
To: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org
Subject: Security Officer-supported branches update
Message-ID: <45C266D3.5080000@freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated to reflect recent EoL (end-of-life) events. The new list is below and at .

FreeBSD 4.11 and FreeBSD 6.0 have `expired' and are no longer supported effective February 1, 2007. Discussions concerning FreeBSD releases which are no longer supported should take place on the freebsd-eol@freebsd.org mailing list.
This marks the end of support by the FreeBSD Security Team for the FreeBSD 4-STABLE branch, two years after FreeBSD 4.11-RELEASE and almost seven years after FreeBSD 4.0-RELEASE. For an explanation of the rationale behind the EoL of FreeBSD 4.11 (and the 4-STABLE branch), please see my earlier mailing list post on this subject:
http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004111.html

At this point, support for running software from the ports tree on FreeBSD 4.x is ceasing: Packages for binary installations will no longer be built for FreeBSD 4.11, building ports from source on FreeBSD 4.x will no longer be supported, and the ports INDEX will no longer be built and made available via portsnap or the 'make fetchindex' target. Patches for individual ports specific for their functioning on FreeBSD 4.11 may still be accepted at the discretion of the port maintainer.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several branches of FreeBSD development. These are the -STABLE Branches and the Security Branches. (Advisories are not issued for the -CURRENT Branch.)

* There is usually only a single -STABLE branch, although during the transition from one major development line to another (such as from FreeBSD 5.x to 6.x), there is a time span in which there are two -STABLE branches. The -STABLE branch tags have names like RELENG_6. The corresponding builds have names like FreeBSD 6.1-STABLE.

* Each FreeBSD Release has an associated Security Branch. The Security Branch tags have names like RELENG_6_1. The corresponding builds have names like FreeBSD 6.1-RELEASE-p1.

Issues affecting the FreeBSD Ports Collection are covered in the FreeBSD VuXML document.

Each branch is supported by the Security Officer for a limited time only, and is designated as one of `Early adopter', `Normal', or `Extended'.
The designation is used as a guideline for determining the lifetime of the branch as follows.

Early adopter
    Releases which are published from the -CURRENT branch will be supported by the Security Officer for a minimum of 6 months after the release.

Normal
    Releases which are published from a -STABLE branch will be supported by the Security Officer for a minimum of 12 months after the release.

Extended
    Selected releases will be supported by the Security Officer for a minimum of 24 months after the release.

The current designation and estimated lifetimes of the currently supported branches are given below. The Estimated EoL (end-of-life) column gives the earliest date on which that branch is likely to be dropped. Please note that these dates may be extended into the future, but only extenuating circumstances would lead to a branch's support being dropped earlier than the date listed.

+--------------------------------------------------------------------+
| Branch    | Release    | Type   | Release date   | Estimated EoL   |
|-----------+------------+--------+----------------+-----------------|
|RELENG_5   |n/a         |n/a     |n/a             |May 31, 2008     |
|-----------+------------+--------+----------------+-----------------|
|RELENG_5_5 |5.5-RELEASE |Extended|May 25, 2006    |May 31, 2008     |
|-----------+------------+--------+----------------+-----------------|
|RELENG_6   |n/a         |n/a     |n/a             |last release + 2y|
|-----------+------------+--------+----------------+-----------------|
|RELENG_6_1 |6.1-RELEASE |Extended|May 9, 2006     |May 31, 2008     |
|-----------+------------+--------+----------------+-----------------|
|RELENG_6_2 |6.2-RELEASE |Normal  |January 15, 2007|January 31, 2008 |
+--------------------------------------------------------------------+

[End excerpt]

Colin Percival
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFwmbSFdaIBMps37IRAgR4AJ9zXOq0HWZoi4s0WnLTmNid6E0PQwCfSrdZ
YjuUnWhcU6W2NzW5jpFzWBQ=
=YQgc
-----END PGP SIGNATURE-----

From: Chuck Swiger
Date: Thu, 01 Feb 2007 17:33:48 -0500
To: Doug Barton
Cc: freebsd-security@freebsd.org
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C26ACC.9020702@mac.com>
In-Reply-To: <45C25696.10806@FreeBSD.org>

Doug Barton wrote:
> Chuck Swiger wrote:
>> Doug Barton wrote:
>> [ ... ]
>> I've been bitten by CVE-2006-4096, and have applied the workaround to
>> limit the # of outstanding queries.
>
> I have no doubt that users who have active name servers in a production
> environment _will_ need to update their name servers to the latest and
> greatest versions. The ports exist in part to facilitate using the
> latest BIND on older versions of FreeBSD that will not be updated.

I see. Well, thanks for the information.

>> I've got two nameservers tracking 5-STABLE
>
> I am not sure how to respond to that.
[ ...comments about moving to 6 snipped for brevity... ]

That's OK, I wasn't soliciting advice on which platform or OS version a given set of machines ought to run. When the number of machines one deals with in a given environment changes from single-digit, to dozens, to hundreds, to tens of thousands, keeping machines updated to a bug-free, stable environment is more important than chasing features off the latest branch. As always, your mileage may vary.

>> I'm starting to feel thankful that my important domains include
>> off-site secondaries which are running djbdns.
>
> EGRATUITOUSBINDBASHING

You seem to be disposed to believe it so, but regardless of opinions, I've had named crash under moderate loads and it concerns me enough to evaluate switching to a heterogeneous nameserver environment to gain more stability from a critical service.
If I wanted to indulge in gratuitous bashing of BIND, I wouldn't do so on a FreeBSD mailing list, nor would I make an effort to be tactful even when it seems that a bug report or any criticism (direct or implied) would be misinterpreted as "gratuitous bashing" regardless of whether it concerns a legitimate problem.

>> Does the FreeBSD security team have a position with regard to whether
>> the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch?
>
> They are actually reviewing the issue as we speak. As I've said, I'll
> abide by the secteam's request either way, I am simply stating a
> preference.

Very good.

--
-Chuck

From: Mark Andrews
Date: Fri, 02 Feb 2007 10:19:19 +1100
To: Doug Barton
Cc: freebsd-security@freebsd.org, Chris Marlatt
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <200702012319.l11NJJ7r065204@drugs.dv.isc.org>
In-Reply-To: <45C23DAA.9040108@FreeBSD.org>

> Chris Marlatt wrote:
> > Doug Barton wrote:
> >>
> >> plan to MFC it after 4 or 5 days. I am actually considering only
> >> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
> >> to upgrade.
> >>
> >
> > One would assume that the release would be supported up until the EOL
> > provided on freebsd.org of May 31, 2008.
>
> Yes, but whether a full upgrade is needed for "support" or not depends
> on your definition. Given that FreeBSD is not vulnerable to these
> issues in its default configuration, one could easily argue that an
> upgrade for RELENG_5 isn't necessary.
>
> Doug

The subject here is 9.3.4. All the issues raised in this thread so far were addressed as of 9.3.2-P2 / 9.3.3. To the best of my knowledge these have already been addressed.

There are two new issues for 9.3.4.

CVE-2007-0494, which is only a problem if you are doing DNSSEC validation.

CVE-2007-0493, to which any recursive 9.3.x (x<4) named is vulnerable.
Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From: Doug Barton
Date: Thu, 01 Feb 2007 23:19:46 -0800
To: Mark Andrews
Cc: freebsd-security@freebsd.org, Chris Marlatt
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C2E612.5080002@FreeBSD.org>
In-Reply-To: <200702012319.l11NJJ7r065204@drugs.dv.isc.org>
Mark Andrews wrote:
>> Chris Marlatt wrote:
>>> Doug Barton wrote:
>>>> plan to MFC it after 4 or 5 days. I am actually considering only
>>>> MFC'ing it to RELENG_6 to help provide some incentive for those on 5.x
>>>> to upgrade.
>>>>
>>> One would assume that the release would be supported up until the EOL
>>> provided on freebsd.org of May 31, 2008.
>> Yes, but whether a full upgrade is needed for "support" or not depends
>> on your definition. Given that FreeBSD is not vulnerable to these
>> issues in its default configuration, one could easily argue that an
>> upgrade for RELENG_5 isn't necessary.
>>
>> Doug
>
> The subject here is 9.3.4. All the issues raised
> in this thread so far were addressed as of 9.3.2-P2
> / 9.3.3. To the best of my knowledge these have
> already been addressed.
>
> There are two new issues for 9.3.4.
>
> CVE-2007-0494 which is only a problem if you are
> doing DNSSEC validation.
>
> CVE-2007-0493 which any recursive 9.3.x (x<4) named
> is vulnerable.

Both of these are problems if you allow untrusted users access to the name server (likely if you're in a production environment). The way FreeBSD ships, named is off, and the example configuration files are set up to create a recursive resolver that only listens on 127.0.0.1. I would expect users who rely on BIND in a production setting to either have upgraded to FreeBSD 6-stable, be using the port or some other custom configuration, or both.
Doug

--
This .signature sanitized for your protection

From: Doug Barton
Date: Thu, 01 Feb 2007 23:29:52 -0800
To: Chuck Swiger
Cc: freebsd-security@freebsd.org
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C2E870.5000000@FreeBSD.org>
In-Reply-To: <45C26ACC.9020702@mac.com>
Chuck Swiger wrote:
> Doug Barton wrote:
>> Chuck Swiger wrote:
>>> Doug Barton wrote:
>>> I've got two nameservers tracking 5-STABLE
>>
>> I am not sure how to respond to that.
> [ ...comments about moving to 6 snipped for brevity... ]
>
> That's OK, I wasn't soliciting advice on which platform or OS version a
> given set of machines ought to run.

Right. As I understood it, you were arguing in favor of MFC'ing a fix to RELENG_5 because you have machines from that branch in a production setting. If I misunderstood your point, I apologize.

> When the number of machines one
> deals with in a given environment changes from single-digit, to dozens,
> to hundreds, to tens of thousands, keeping machines updated to a
> bug-free, stable environment is more important than chasing features off
> the latest branch.

Yes, I understand those issues quite well. I used to manage hundreds of name servers for a company that had many 10s of thousands of machines. And I think that you are basically making my point, which is that users in a serious production environment are probably not using the BIND that comes with FreeBSD in an off the shelf configuration.

>>> I'm starting to feel thankful that my important domains include
>>> off-site secondaries which are running djbdns.
>>
>> EGRATUITOUSBINDBASHING
>
> You seem to be disposed to believe it so, but regardless of opinions,
> I've had named crash under moderate loads ...

This thread isn't about what's the best brand of name server to use, it's about whether to MFC an update.
Doug

--
This .signature sanitized for your protection

From: Peter Jeremy
Date: Fri, 2 Feb 2007 19:17:56 +1100
To: Chuck Swiger
Cc: freebsd-security@freebsd.org
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <20070202081756.GE909@turion.vk2pj.dyndns.org>
In-Reply-To: <45C26ACC.9020702@mac.com>
On Thu, 2007-Feb-01 17:33:48 -0500, Chuck Swiger wrote:
> That's OK, I wasn't soliciting advice on which platform or OS version a
> given set of machines ought to run. When the number of machines one deals
> with in a given environment changes from single-digit, to dozens, to
> hundreds, to tens of thousands, keeping machines updated to a bug-free,
> stable environment is more important than chasing features off the latest
> branch.

This is a perfectly valid decision. At work, I have systems running software (not FreeBSD) that is getting close to 10 years old for similar reasons.

In general, support of your systems will comprise some combination of in-house support, vendor (e.g. FreeBSD Project) support and 3rd-party (e.g. consultant) support. Over time, this mix will change as the vendor reduces the level of support they provide for a given software version. You need to take this into account when making a decision to stay at some version X: as vendor support is reduced, your in-house and 3rd-party support effort will increase. At some point, the cost/effort involved in staying at version X outweighs the cost of migrating to a newer "supported" version of the software.

The FreeBSD SO has advised that 5.x will receive security updates until 31 May 2008. This gives you 15 months to either migrate to 6.x (or 7.x) or arrange alternative security support.
--
Peter Jeremy

From: Chuck Swiger
Date: Fri, 02 Feb 2007 13:27:25 -0500
To: Doug Barton
Cc: freebsd-security@freebsd.org
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C3828D.8010900@mac.com>
In-Reply-To: <45C2E870.5000000@FreeBSD.org>

Doug Barton wrote:
> Chuck Swiger wrote:
>> Doug Barton wrote:
[ ... ]
> Right. As I understood it, you were arguing in favor of MFC'ing a fix to
> RELENG_5 because you have machines from that branch in a production
> setting. If I misunderstood your point, I apologize.

I would like CVE-2007-0493 fixed in RELENG_5 and RELENG_5_5, specifically, yes please. More generally, I would like BIND to deal with hundreds (or-- preferably but not required-- thousands) of outstanding recursive queries without dumping core or becoming non-responsive. Have you attempted to reproduce the issue via the adns port or anything else which generates lots of queries?

>> When the number of machines one deals with in a given environment
>> changes from single-digit, to dozens, to hundreds, to tens of
>> thousands, keeping machines updated to a bug-free, stable environment
>> is more important than chasing features off the latest branch.
>
> Yes, I understand those issues quite well. I used to manage hundreds of
> name servers for a company that had many 10s of thousands of machines.
> And I think that you are basically making my point, which is that users
> in a serious production environment are probably not using the BIND that
> comes with FreeBSD in an off the shelf configuration.

It would be safe to say that almost all people using BIND are not using a completely off-the-shelf configuration, unless you count the few only running as "caching-only".
--
-Chuck

From: Chris Marlatt
Date: Fri, 02 Feb 2007 17:04:30 -0500
To: Doug Barton
Cc: freebsd-security@freebsd.org, Mark Andrews
Subject: Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID: <45C3B56E.3060706@rxsec.com>
In-Reply-To: <45C2E612.5080002@FreeBSD.org>
Doug Barton wrote:
> up to create a recursive resolver that only listens on 127.0.0.1. I
> would expect that users who rely on BIND in a production setting to
> either have upgraded to FreeBSD 6-stable, be using the port, or some
> other custom configuration, or both.
>
> Doug
>

Again, why would you expect someone to have already upgraded when they have more than a year of advertised support left on a production release?

I personally have very few 5.x systems left, primarily because I've been trying to heed the warnings, but seeing how 5 series is being fast tracked into retirement makes me extremely suspicious of what is to happen to 6 series when 7 is released and considered production. I'm sure many other people wonder the same thing and look at the lengthy support for 4 series, which lasted 7,... 8 years, and have come to expect something similar for future releases. Whereas I'm certainly not going to say progress is evil, I will admit that the FreeBSD I see today is not the same one from yesteryear.

Now, I can clearly understand and appreciate the burden that, as of yesterday, 3 active versions can impose on the development team, but why pass part of that burden onto a user base that's done nothing but embraced the products produced by its efforts?
Chris

From: Doug Barton
Date: Fri, 02 Feb 2007 16:51:49 -0800
To: Chris Marlatt
Cc: freebsd-security@freebsd.org
Subject: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)
Message-ID: <45C3DCA5.3070908@FreeBSD.org>
In-Reply-To: <45C3B56E.3060706@rxsec.com>

Chris Marlatt wrote:
> Again, why would you expect someone to have already upgraded when they
> have more than a year of advertised support left on a production release?

I think that there is a misunderstanding here about what "support" means.
This discussion has been had in detail on several other lists of late, so let me give you the highlights. There are three main issues.

1. Support for security issues. The secteam has pledged to support the 5.5-RELEASE through 31 May 2008.

2. Ports. The ports team generally pledges to support a release as long as the security team does, but the idea of dropping support early for RELENG_5 has been discussed.

3. New development, performance, features, etc. It is a virtual certainty that none of this will happen in RELENG_5. It is certain (by definition) that no new features will be backported that require ABI breakage, which severely limits what can come back into this branch already.

> I personally have very few 5.x systems left, primarily because I've been
> trying to heed the warnings, but seeing how 5 series is being fast
> tracked into retirement makes me extremely suspicious of what is to
> happen to 6 series when 7 is released and considered production.

I can't make any ironclad assurances here, but I can say that this is unlikely to happen, because of why a lot of us want to drop support for 5.x. Namely, it has a lot of issues that cannot be fixed without breaking the ABI. In many key areas, 6.x is light years ahead, and is going to stay that way. There are some incremental improvements in 7-current right now that will make it attractive to some users, but if you're looking for something to install and keep supported for a longer time period, 6.x is going to be it.

> I'm
> sure many other people wonder the same thing and look at the lengthy
> support for 4 series which lasted 7,... 8 years and have come to expect
> something similar for future releases.

Which is why we're working so hard to disabuse people of that notion.

> Whereas I'm certainly not going
> to say progress is evil I will admit that the FreeBSD I see today is not
> the same one from yesteryear.

Nor will it be the same tomorrow. Such is life in a volunteer project.
> Now, I can clearly understand and appreciate the burden that, as of
> yesterday, 3 active versions

Actually it was 4 active versions, including 7-current.

> can impose on the development team but why
> pass part of that burden onto a user base that's done nothing but
> embraced the products produced by its efforts?

This is where that whole "volunteer project" thing comes in again. With a finite set of resources, we have to be realistic in terms of how thin we can spread them. Right now the rough order of priority is 6-stable, 7-current, 5-stable. It is of course up to you to decide how to manage your own resources, but please don't expect magical things to happen in 5-stable just because you'd like them to. :)

Doug

-- 
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Sat Feb 3 11:47:48 2007
From: Dan Lukes
Date: Sat, 03 Feb 2007 12:15:49 +0100
To: freebsd-security@freebsd.org
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)
Message-ID: <45C46EE5.4060404@obluda.cz>
In-Reply-To: <45C3DCA5.3070908@FreeBSD.org>
References: <200702012319.l11NJJ7r065204@drugs.dv.isc.org> <45C2E612.5080002@FreeBSD.org> <45C3B56E.3060706@rxsec.com> <45C3DCA5.3070908@FreeBSD.org>

Doug Barton wrote, On 02/03/07 01:51:
> This is where that whole "volunteer project" thing comes in again. With
> a finite set of resources,
    ^^^^^^^^^^^^^^^^^^^^^^^

True, but I'm not sure the resources need to be as limited as they are. As an active member of a national FreeBSD users' list, I have several times answered the question "{I found a non-critical bug} | {I developed an improvement}; should I send it?". The best answer I know is: "Yes, you can send a PR, but don't wait for a response. A response for non-critical bugs often takes several years, and improvements mostly remain unanswered forever. In fact, the probability that you will waste your time trying to help the project is high; it has no resources to process your help."

Note, I'm not speaking about critical bugs (the system doesn't boot on standard hardware, or "I can log in even though I forged the password", or so) nor about ports.

It seems to me the one reason for limited resources is that the project has no resources to accept resources. I can't tell why the project lacks volunteers processing community inputs. Maybe there are no such volunteers. Maybe this type of work is not considered important, so volunteers of that type are not accepted as part of the committers' team; of course, processing PRs is not "true programming".

Yes, I understand we need to maintain stability, we don't need to allow any dirty hack into the source base, and so on. But the tens of months required for processing help from someone (processing their PR) show there IS something wrong.
In fact, the project misses the resource of a large group of people trying to donate their time and experience to the project. At the same time, we are short on resources ...

As I don't know what's wrong nor how to correct it, this message is not a complaint in any way. It's just a note related to Doug's notice ...

Dan

-- 
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Sat Feb 3 18:20:53 2007
Message-Id: <200702031801.l13I1w2p096068@fire.jhs.private>
To: Dan Lukes
In-reply-to: <45C46EE5.4060404@obluda.cz>
References: <200702012319.l11NJJ7r065204@drugs.dv.isc.org> <45C2E612.5080002@FreeBSD.org> <45C3B56E.3060706@rxsec.com> <45C3DCA5.3070908@FreeBSD.org> <45C46EE5.4060404@obluda.cz>
Comments: In-reply-to Dan Lukes message dated "Sat, 03 Feb 2007 12:15:49 +0100."
Date: Sat, 03 Feb 2007 19:01:58 +0100
From: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org, Deb Goodkin
Subject: Re: Support for 5.x (Was: Re: What about BIND 9.3.4 in FreeBSD in base system ?)

> It seems to me, the one reason for limited resources is - project has
> no resources to accept resources. I can't tell why the project lack
> volunteers processing community inputs. May be, there are no such

> As I don't know what's wrong nor how to correct it, this message is not
> complaint in any way. It's just a note related to Doug's notice ...

[ I wonder if for the thread, per http://docs.freebsd.org/mail/archive/2007/ bugs@ or bugbusters@ might be better ? Not on those though .. ]

Nice definition: "No resources to accept resources" :-)

Handling other people's send-pr bug input would be boring compared with writing one's own code, or debugging. Hence unactioned send-prs. I've filed some send-pr diffs years back & not seen action; others have been actioned occasionally & I've been guilty of not responding in time (mea culpa; even one's own bug reports are boring, especially since once my auto diff applier works for me, there's less incentive to persuade the send-pr team to apply the diff). Probably a common phenomenon.

Dealing with boring bugs surely approaches paid work in needing motivation, so if the FreeBSD Foundation (a member cc'd) ever has spare money, it may be wise to have a few people paid something to action the oldest = most boring send-prs? Oldest often would mean "So boring no one has touched it (or so intractable/ insoluble/ major dev. effort required)".
If we used any other criterion than oldest first, it would need someone to spend time judging what should be paid as most boring & what not, & then we'd be in a recursive "Wouldn't that be a boring job too?", so who would do That? So oldest bug first, unless there is reason to skip, e.g. intractables.

If companies ever want to sponsor a little, we could suggest to companies: please sponsor one of your own staff members (or some freelance FreeBSD committer), perhaps e.g. one day a week, or just Friday afternoons, or whenever panic requirements are less likely, to work the oldest = most boring send-prs that have been _so_ boring for years no one has processed them.

The method of oldest = most boring first would not destroy the incentive of the code bug-a-thon people to periodically attack the parts of the send-pr backlog they consider newer & interesting enough to work on unpaid.

Disclaimer: Yes, I'm a freelancer. But no commit privs, so not eligible.

-- 
Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
Mail Ascii, not HTML. Your smoke = my allergic headache.
Vista of a Bill from Redmond ? http://berklix.com/free-talk-on-free-software/