From: Doug Barton
Date: Mon, 21 Jul 2008 12:14:22 -0700
To: Brett Glass
Cc: stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <4884E00E.1090009@FreeBSD.org>
In-Reply-To: <200807200230.UAA17164@lariat.net>

Brett Glass wrote:
| Everyone:
|
| Will FreeBSD 7.1 be released in time to use it as an upgrade to
| close the BIND cache poisoning hole?

Brett, et al,

I'll make this simple for you. If you have a server that is running BIND, update BIND now. If you need to use the ports, that's fine, just do it now. Make sure that you are not specifying a port via any query-source* options in named.conf, and that any firewall between your named process and the outside world does keep-state on outgoing UDP packets.

If you have a system with BIND installed (as it is by default) but you are NOT running named, you don't need to worry about updating now, but you should do it "soonish" just in case someone gets a wild hair and starts up named on that box.

As for the meta-question, FreeBSD is currently operating on a time-based release schedule, not a feature-based one. And to your actual question, the answer is no.

hope this helps,

Doug

--
This .signature sanitized for your protection
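A check for the named.conf advice in the message above, as an added example that is not part of the original message or of BIND: it flags every query-source or query-source-v6 statement that sets a numeric port. The sample configuration is constructed, the function names are hypothetical, and `include` files are not followed.

```python
import re
import sys

# Constructed sample named.conf for illustration; not from the original message.
SAMPLE_CONF = """\
options {
    directory "/etc/namedb";
    // query-source address * port 53;   (commented out: ignored)
    query-source address 192.0.2.53 port 53;
    query-source-v6 address * port *;
    /* query-source port 5353; */
    # query-source-v6 port 53;
    transfer-source * port 53;
};
view "internal" {
    query-source
        port 1053;
};
"""

# Quoted strings are matched first so comment markers inside them are left alone.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_QUERY_SOURCE = re.compile(r'(?<![\w-])(query-source(?:-v6)?)(?![\w-])([^;{}]*);')
_PORT = re.compile(r'(?<![\w-])port\s+(\*|\d+)')


def strip_comments(text):
    """Blank out named.conf comments (/* */, //, #), keeping newlines so line numbers hold."""
    def blank(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return _STRING_OR_COMMENT.sub(blank, text)


def fixed_port_findings(conf_text):
    """Return (line, option, port) for each query-source* statement that pins a port."""
    text = strip_comments(conf_text)
    findings = []
    for m in _QUERY_SOURCE.finditer(text):
        port = _PORT.search(m.group(2))
        if port and port.group(1) != '*':
            line = text.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1), port.group(1)))
    return findings


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line, option, port in fixed_port_findings(conf):
        print(f"line {line}: {option} pins outgoing queries to port {port}")
```

An empty result only covers the named.conf half of the advice; the firewall's keep-state handling of outgoing UDP still has to be checked separately.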