From owner-freebsd-security Sat Jun 29 21:12:04 2002
Message-Id: <4.3.2.7.2.20020629220046.02bed9a0@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Date: Sat, 29 Jun 2002 22:10:05 -0600
To: Pete Ehlke, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: libc flaw: BIND 9 closes most holes but also opens one
In-Reply-To: <20020630011804.GA24509@rfc822.net>
References: <4.3.2.7.2.20020629191122.02c948b0@localhost> <4.3.2.7.2.20020629180311.02b5b2d0@localhost> <4.3.2.7.2.20020629191122.02c948b0@localhost>

At 07:18 PM 6/29/2002, Pete Ehlke wrote:

> You are aware, Brett, that you are lecturing one of the BIND authors on
> the subtleties of the BIND source?
>
> Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There
> is even a fixed v4.

In short, you've gone back and created fixed versions of these "ancient" bloodlines? If so, that's good, but it doesn't help the majority of us. In particular, it doesn't help people who install FreeBSD now, or who maintain it and need to make sure that everything's fixed.

We need BIND 9 (required to shield other systems, including Solaris and Windows boxes, which are likely vulnerable) and a fixed libbind. Oh, and a fixed Sendmail, which right now can only be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1, for some reason, does not have it.) And you can't install binary packages if they contain statically linked binaries.

In short, right now, it's damnably difficult to secure existing FreeBSD systems or to create new ones (for which I have clients waiting). So, pardon me if I seem frustrated. I'm responsible for plugging all the holes in the dikes and for building several systems that I cannot, right now, build with confidence.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message