Latest bind advisory

Xin LI delphij at gmail.com
Fri Nov 18 09:38:10 UTC 2011


On Thu, Nov 17, 2011 at 11:40 PM, Matthew Seaman
<m.seaman at infracaninophile.co.uk> wrote:
> On 18/11/2011 04:22, sys Admin wrote:
>> On Thursday, November 17, 2011, Mike Tancsa <mike at sentex.net> wrote:
>>> On 11/17/2011 9:29 PM, sys Admin wrote:
>>>> Hi
>>>> Any plans to apply these patches to the bind version shipped with FreeBSD?
>>>>
>>>> http://www.isc.org/software/bind/advisories/cve-2011-tbd
>>>
>>> Hi,
>>>        They were committed already to RELENG_7,8 and 9
>>>
>>> eg
>>>
>>> http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315.html
>>>
>>>
>>>
>>>        ---Mike
>>>
>>
>> Not sure how I missed but thanks !
>
> Actually, it was patched in stable/7, stable/8, HEAD and ports --
> stable/9 is notably missing from that list.  Presumably stable/9 will be
> patched eventually, but as it's in the process of forking of the
> release/9.0 branch right now, the bind patches will have to wait.

stable/{7,8} and HEAD have the "best known fix" but we are still
waiting for a final one (or decide if the existing solution had solved
the problem completely, ISC is still working on investigation).  We
(secteam@) will issue a security advisory once we are sure that the
fix is finalized and yes, all supported branches would be patched at
that time and update would be made available through freebsd-update, etc.

At this time it's advisable that users use the BIND version from
ports, or use an alternative (e.g. dns/unbound), if resolving DNS
server functionality is desired; it seems that authoritative-only DNS
servers are NOT affected by the problem as far as we know.

Cheers,
-- 
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die