From: Stefano Riva
To: Mark.Andrews@isc.org, Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 27 Jun 2002 11:20:59 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
In-Reply-To: <200206270118.g5R1Iom0030235@drugs.dv.isc.org>

At 11.18 27/06/02 +1000, Mark.Andrews@isc.org wrote:

>> > Provided you are behind a nameserver you trust that reconstructs
>> > the answer you should be fine.
>> > BIND 9 reconstructs all answers (excluding forwarded UPDATES).
>> > BIND 8 forwards some and reconstructs others.
>> Could an exploit be set up as a forwarded UPDATE?
> No.
>> (Forgive me if
>> this is a naive question; I know that I need to become more familiar
>> with DDNS.) If not, then installing BIND 9 and/or forcing clients
>> to consult a BIND 9 server may be an acceptable workaround.

OK, the Right Thing (TM) is to update the world + any extra binary statically linked with libc which uses the resolver... but I for one manage about 30 FreeBSD servers with lots of potentially "vulnerable" applications, and reading that such a simple workaround exists is... oxygen for my lungs!
So many firewalled networks have at least one caching DNS already used by all clients. This workaround had not been mentioned by the announcement; maybe an updated security advisory should be released. Just my opinion, of course.

I'll do the Right Thing ASAP; meanwhile thanks for the info, guys.

---
Stefano Riva sriva@gufi.org
Gruppo Utenti FreeBSD Italia http://www.gufi.org/
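An added check for the workaround discussed in this thread (example code, not from the thread, FreeBSD or ISC): given a host's resolv.conf, report any nameserver the libc resolver would query directly instead of a trusted BIND 9 cache. The trusted addresses and sample files are constructed; MAXNS mirrors the BSD resolver's limit of three nameserver lines.

```python
import ipaddress

# The BSD libc resolver consults at most MAXNS nameserver lines (3 in res_init);
# anything after that is silently ignored, so the audit looks only at those.
MAXNS = 3

# Constructed set of the trusted internal BIND 9 caching resolvers (assumption).
TRUSTED_CACHES = {"10.0.0.53", "10.0.1.53"}


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses the resolver will actually use, in order."""
    servers = []
    for raw in resolv_conf.splitlines():
        # resolv.conf comments start with '#' or ';'; strip them before tokenising
        for marker in ("#", ";"):
            raw = raw.split(marker, 1)[0]
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            servers.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:
            continue  # unparsable address: the resolver skips such a line too
    if not servers:
        # resolv.conf(5): with no nameserver entries the local host is queried
        servers = ["127.0.0.1"]
    return servers[:MAXNS]


def untrusted_nameservers(resolv_conf: str, trusted=TRUSTED_CACHES) -> list:
    """Addresses the host would query directly instead of a trusted cache."""
    trusted_norm = {str(ipaddress.ip_address(t)) for t in trusted}
    return [s for s in parse_nameservers(resolv_conf) if s not in trusted_norm]


# Constructed sample files: one host is fine, the other bypasses the cache.
SAMPLE_OK = "domain example.test\nnameserver 10.0.0.53\nnameserver 10.0.1.53\n"
SAMPLE_BAD = (
    "domain example.test\n"
    "nameserver 10.0.0.53\n"
    "nameserver 192.0.2.1      ; outside resolver: its answers reach libc unchecked\n"
    "nameserver 10.0.1.53\n"
    "nameserver 198.51.100.1   # 4th entry, beyond MAXNS, never consulted\n"
)

if __name__ == "__main__":
    for name, conf in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, untrusted_nameservers(conf) or "all nameservers trusted")
```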