From owner-freebsd-security  Wed Jun 26 16:50:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2])
	by hub.freebsd.org (Postfix) with ESMTP id 346CC37BB2F
	for <freebsd-security@freebsd.org>; Wed, 26 Jun 2002 16:10:22 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id OAA15049;
	Wed, 26 Jun 2002 14:37:46 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020626143023.022716c0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 26 Jun 2002 14:37:27 -0600
To: "H. Wade Minter" <minter@lunenburg.org>,
	freebsd-security@freebsd.org
From: Brett Glass <brett@lariat.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
In-Reply-To: <20020626152504.Q45972-100000@bunning.skiltech.com>
References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 01:26 PM 6/26/2002, H. Wade Minter wrote:

>So am I correct in assuming that this fix requires a complete system
>rebuild (make buildworld) as opposed to just rebuilding a particular
>module?

Worse than that. Every package or port must be reinstalled
or rebuilt too. Ditto everything you've built from source.
Basically, the entire system must be ripped up by the roots. 

This is scary. 

There may be one mitigating factor, though. Suppose you 
block direct DNS to and from the outside world, allowing
your systems to resolve names only through a DNS server 
on your own network that you know is safely patched.
Will this hold off the hordes at the gates? Or is there
a way for a malicious response to sneak through anyway
(as with DNS cache poisoning)?

Also, is the DNS cache in Squid vulnerable?

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message