Date: Thu, 27 Jun 2002 11:20:59 +0200
From: Stefano Riva <sriva@gufi.org>
To: Mark.Andrews@isc.org, Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Message-ID: <3.0.5.32.20020627112059.00a3f100@civetta.gufi.org>
In-Reply-To: <200206270118.g5R1Iom0030235@drugs.dv.isc.org>
References: <Your message of "Wed, 26 Jun 2002 18:55:37 CST." <4.3.2.7.2.20020626185228.00e8ad60@localhost>
At 11.18 27/06/02 +1000, Mark.Andrews@isc.org wrote:

>> > Provided you are behind a nameserver you trust that reconstructs
>> > the answer you should be fine.
>> > BIND 9 reconstructs all answers (excluding forwarded UPDATES).
>> > BIND 8 forwards some and reconstructs others.
>> Could an exploit be set up as a forwarded UPDATE?
> No.
>> (Forgive me if this is a naive question; I know that I need to become more familiar
>> with DDNS.) If not, then installing BIND 9 and/or forcing clients
>> to consult a BIND 9 server may be an acceptable workaround.

OK, the Right Thing (TM) is to update the world + any extra binary statically linked with libc which uses the resolver... but I for one manage about 30 FreeBSD servers with lots of potentially "vulnerable" applications, and reading that such a simple workaround exists is... oxygen for my lungs!

So many firewalled networks have at least one caching DNS already used by all clients. This workaround had not been mentioned by the announcement; maybe an updated security advisory should be released. Just my opinion, of course.

I'll do the Right Thing ASAP; meanwhile thanks for the info, guys.

---
Stefano Riva sriva@gufi.org
Gruppo Utenti FreeBSD Italia http://www.gufi.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
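An added audit helper for the two actions discussed in this thread (example code written here, not from the list, FreeBSD or ISC): it checks that resolv.conf(5) points only at trusted caching nameservers (the workaround) and flags statically linked ELF images that embed libc resolver symbol names (the extra binaries that need relinking after the libc fix). The trusted addresses and the minimal ELF image are constructed placeholders, and the symbol scan is a strings-style heuristic.

```python
import struct

# Constructed placeholders for the trusted BIND 9 caches that reconstruct answers.
TRUSTED_NAMESERVERS = {"192.0.2.53", "192.0.2.54"}
# libc resolver entry points whose names survive in a statically linked image.
RESOLVER_SYMBOLS = (b"res_query", b"res_search", b"res_send",
                    b"dn_expand", b"gethostbyname", b"getaddrinfo")

def untrusted_nameservers(resolv_conf_text):
    """Return resolv.conf(5) nameserver entries that are not trusted caches."""
    bad = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            if fields[1] not in TRUSTED_NAMESERVERS:
                bad.append(fields[1])
    return bad

def is_static_elf(data):
    """True for an ELF image with no PT_INTERP/PT_DYNAMIC program header,
    i.e. statically linked and carrying its own copy of the libc resolver."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        return False
    endian = "<" if data[5] == 1 else ">"               # EI_DATA
    if data[4] == 2:                                    # ELFCLASS64
        (phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:                                               # ELFCLASS32
        (phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            return False                                # truncated image
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type in (2, 3):                            # PT_DYNAMIC, PT_INTERP
            return False
    return True

def needs_rebuild(data):
    """Static image embedding a resolver symbol name: relink it against the fixed libc."""
    return is_static_elf(data) and any(sym in data for sym in RESOLVER_SYMBOLS)

def constructed_elf64(dynamic, payload=b""):
    """Minimal little-endian ELF64 image for demonstration (constructed, not a real binary)."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 3 if dynamic else 1, 5, 0, 0, 0, 0, 0, 0)
    return ident + ehdr + phdr + payload
```

On a real host, feed `open(path, "rb").read()` of each binary under the usual bin directories to `needs_rebuild()` and the contents of /etc/resolv.conf to `untrusted_nameservers()`.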