From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 17:41:15 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E15401065688; Wed, 9 Jul 2008 17:41:15 +0000 (UTC) (envelope-from wxs@atarininja.org)
Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id B8BD58FC25; Wed, 9 Jul 2008 17:41:15 +0000 (UTC) (envelope-from wxs@atarininja.org)
Received: by syn.atarininja.org (Postfix, from userid 1001) id 300205C66; Wed, 9 Jul 2008 13:43:41 -0400 (EDT)
Date: Wed, 9 Jul 2008 13:43:41 -0400
From: Wesley Shields
To: Josh Mason
Cc: freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <20080709174341.GF92109@atarininja.org>
In-Reply-To: <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com> <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 09 Jul 2008 17:41:16 -0000

On Wed, Jul 09, 2008 at 12:26:29PM -0400, Josh Mason wrote:
> On 7/9/08, Peter Thoenen wrote:
> >
> > > > > Right, let's not act swiftly. That would be too much to ask. Is
> > > > > there any reason why FreeBSD is one of the last vendors to
> > > > > release patches for the vulnerability?
> >
> > Actually IIRC all the press releases from the *alliance* stated 30
> > days, and as this is a fundamental flaw that has been known for the past 6
> > months and doesn't provide any sort of elevated privileges (or
> > affect those smart enough to run DNSSEC like you should be IIRC), it's
> > really not a CRITICAL patch .. it's more of a "when you get around to
> > it" seriously. Let the Security Team do their job and quit pestering
> > them on your now now now next-day patch wants for a trivial issue.
>
> Somehow this totally unimportant vulnerability caught the attention of
> all major vendors to issue a synchronized release of the fix. Yet,
> it's not worth our time to implement expeditiously... ? Sure.

Given the tone of your words, it seems you are fixated on getting people
to work _against_ you rather than _with_ you on this issue.

I'd like to point out the list of vendors/projects (as someone has
pointed out the difference between the two later in this thread) is
available at http://www.kb.cert.org/vuls/id/800113.

Total entries on that list: 81
Total entries marked as "unknown": 70

That means 11 out of 81 entries were able to determine the status of
their product/code before the advisory went public. Here's that list;
please note I trimmed the vulnerable/not vulnerable status:

Cisco Systems, Inc.
Debian GNU/Linux
Foundry Networks, Inc.
Infoblox
Internet Software Consortium
Juniper Networks, Inc.
Microsoft Corporation
Nominum
PowerDNS
Red Hat, Inc.
Sun Microsystems, Inc.

With the (possible?) exception of Debian, every one of the 11 listed
there has people who are paid to do these things. I think people have
jumped on you enough about that fact so I'll leave it alone.

What's more important is that we not panic, especially since _public_
details are very sparse. There are mitigations that are mentioned in
that report, along with elsewhere. Putting these mitigations in place,
if necessary, is your best option while those entrusted to do the work
are doing said work to make sure we have a co-ordinated and accurate
response.

Please, find a way to contribute in a meaningful manner since the tone
of your statements is only serving to harm your cause.

-- WXS