Date:      Thu, 01 Feb 2007 16:55:33 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Colin Percival <cperciva@freebsd.org>,  freebsd-security@freebsd.org
Subject:   Re: What about BIND 9.3.4 in FreeBSD in base system ?
Message-ID:  <45C261D5.60201@mac.com>
In-Reply-To: <45C257DA.7010205@freebsd.org>
References:  <001601c74428$ff9d54b0$ab76ed54@odipw> <45BEE27D.1050804@FreeBSD.org> <45BFA1B3.9040000@rxsec.com> <45C23DAA.9040108@FreeBSD.org> <45C24D57.3000704@mac.com> <45C257DA.7010205@freebsd.org>

Colin Percival wrote:
> Chuck Swiger wrote:
>> I've been bitten by CVE-2006-4096, and have applied the workaround to
>> limit the # of outstanding queries.  I've got two nameservers tracking
>> 5-STABLE which were vulnerable to CVE-2006-4095
> 
> You realize that these two issues were addressed in FreeBSD-SA-06:20.bind
> on September 6th, right?

Yes-- although it's not entirely clear that the problem of named terminating 
when exposed to high query rates has been entirely fixed, which is why I 
mentioned the additional 2007 CVE and am using "adnslogres -c 50" rather than 
200 or 1000.

% grep Id /usr/src/contrib/bind9/bin/named/query.c
/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */
% named -v
BIND 9.3.2
% head /etc/stable-supfile
*default host=cvsup9.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5
*default delete use-rel-suffix

-- 
-Chuck


