Date: Sun, 30 Jun 2002 22:58:43 +0200
From: Alessandro de Manzano <adm@unixmania.net>
To: Doug Barton <DougB@FreeBSD.org>
Cc: John Long <fbsd1@sstec.com>, security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?
Message-ID: <20020630225843.A20498@libero.sunshine.ale>
In-Reply-To: <3D1F6BEF.582E44D9@FreeBSD.org>; from DougB@FreeBSD.org on Sun, Jun 30, 2002 at 01:37:03PM -0700
References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> <20020629170827.K5428-100000@master.gorean.org> <20020630192440.A18140@libero.sunshine.ale> <3D1F6BEF.582E44D9@FreeBSD.org>

On Sun, Jun 30, 2002 at 01:37:03PM -0700, Doug Barton wrote:

> Correct. There is currently a make.conf option for NO_BIND. In

yes, I knew it but I totally forgot about it ;)

> addition, some of us are working on a more thorough solution which will
> add some magic to the bsd.*.mk files so that you can put
> PORT_REPLACES_BASE_FOO in your /etc/make.conf, and it will automatically
> imply NO_FOO as well. Currently I'm testing a final buildworld for the

yup, should be useful :-)

> > More, I'll get an entry in the installed packages database for BIND
> > 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lost
> > the real/overwritten BIND...
>
> Yep. One of the things I'm adding to my little patch is to change the
> name of the port from foo-version to foo-system-version when installing
> to give you a clue as to what's about to happen. BUT, you are absolutely

IMHO the current system of -DSOMETHING is good, maybe just a couple of
suggestions: use a standard name (PORT_REPLACES_BASE_xxx as you said),
maybe it's already this way, I don't know :)) and/or a dialog(1) menu to
choose whether to overwrite base components or not :)
Sometimes people 'forget' to read into Makefiles to look for every
possible -D symbol..

> right in saying that this option is dangerous. However, there are lots
> of ways to shoot yourself in the foot here... it's up to you to find a
> better target. :) Also, the system will still run without BIND, unless

yes, of course :) you're right

> of course you're using that particular system as a name server. I have

a couple boxes of mine are actually public name servers, so I'll
absolutely upgrade them to 8.3.3 tomorrow morning.
This evening I upgraded my home box in this way to learn :)

> been using the "port overwrites base" stuff at Yahoo! for almost a year,
> and we haven't had any catastrophes yet.
>
> Hope this helps,

Yes, definitely!
Thanks a lot! :-)

--
bye!
Ale

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message