DaemonForums  

#1, 9th July 2008
robbak (Real Name: Robert Backhaus)

Coordinated DNS Vulnerability Patch.

An error in the DNS specifications has been discovered, and all DNS vendors have released patches.

I am doing a cvsup right now on my system, but I haven't seen the bind patches come through yet. My Ubuntu notebook is installing an updated bind now.

If someone who is tracking the FreeBSD security advisories RSS could give this forum a heads-up when it hits the tree, it would be helpful.

Details:

http://it.slashdot.org/article.pl?sid=08/07/08/195225

http://securosis.com/2008/07/08/dan-...atch-released/
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
#2, 9th July 2008
BSDfan666 (Real Name: N/A, this is the interweb.)

The person who found the problem has published a small test script on his website that determines whether your ISP is vulnerable.

Curiously, the OpenBSD team haven't said a word about it, nor have they done a patch. Odd.
#3, 9th July 2008
J65nko (Administrator)

By default OpenBSD randomizes the ports used. The same randomization is done by djbdns.

The CERT advisory http://www.kb.cert.org/vuls/id/800113 contains three links to Daniel J. Bernstein web pages about DJBDNS and he is credited for the original idea of using randomized source ports.

BTW, according to http://cr.yp.to/djbdns/forgery.html, Bernstein predicted this issue already in 2001.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
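J65nko's point above is that a resolver which randomizes the source port of its outgoing queries leaves a blind forger far more to guess than the 16-bit transaction ID alone. The Python below is an added example, not code from the thread or from OpenBSD, BIND or djbdns: it parses constructed tcpdump-style lines of a resolver's outbound queries, grades the port behaviour the way the public port-randomization testers of the time did, and reports the size of the TXID-plus-port space as a defender-side risk figure. The addresses, the POOR/FAIR/GOOD labels and the standard-deviation threshold are assumptions made for the example.

```python
"""Grade a resolver's source-port randomization from its captured outbound queries.

Added example for this thread; not code from the forum, OpenBSD, BIND or djbdns.
It parses constructed tcpdump-style lines showing the queries a caching resolver
sends out, then reports (a) whether the source port is fixed, clustered or spread
widely, and (b) how big the TXID-plus-port space an off-path forger would have to
cover is. The grade labels, the 1000-port standard-deviation threshold and all
addresses are this example's own assumptions.
"""
import math
import random
import re

# tcpdump -n prints a query roughly as:
#   HH:MM:SS.ffffff IP <src>.<sport> > <dst>.53: <txid>[+] A? <name>. (<len>)
# Exact layout varies between tcpdump versions; the regex is written for the
# constructed lines built below.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? "
)


def parse_queries(lines, resolver_ip):
    """Return (source_port, txid) pairs for queries that resolver_ip sent to port 53."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("src") == resolver_ip:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def grade_ports(ports):
    """POOR: every query left from the same port, so only the 16-bit TXID protects it.
    FAIR: ports vary but stay clustered (typical of sequential OS allocation).
    GOOD: ports are spread widely across the ephemeral range."""
    if not ports:
        raise ValueError("no queries from the resolver were found in the capture")
    if len(set(ports)) == 1:
        return "POOR"
    mean = sum(ports) / len(ports)
    stddev = math.sqrt(sum((p - mean) ** 2 for p in ports) / len(ports))
    return "GOOD" if stddev >= 1000 else "FAIR"  # assumed threshold


def guess_space(ports):
    """Number of (TXID, port) combinations a blind forger must cover, estimated from
    the distinct ports actually seen: 2**16 TXIDs for each port in use."""
    return 65536 * len(set(ports))


def guess_space_bits(ports):
    """The same figure as bits of unpredictability (16 with a fixed port, up to ~32)."""
    return math.log2(guess_space(ports))


RESOLVER = "192.0.2.10"  # constructed address of the caching resolver being checked


def make_capture(ports, txids):
    """Build constructed tcpdump-style lines for the given port/TXID sequences."""
    return [
        f"12:00:{i:02d}.000000 IP {RESOLVER}.{p} > 203.0.113.5.53: {t} A? host{i}.example. (32)"
        for i, (p, t) in enumerate(zip(ports, txids))
    ]


rng = random.Random(7)  # fixed seed so the constructed sample is reproducible
TXIDS = [rng.randrange(65536) for _ in range(32)]
CAPTURES = {
    "fixed port (old query-source port 53 setting)": make_capture([53] * 32, TXIDS),
    "sequential ephemeral ports": make_capture(list(range(1024, 1056)), TXIDS),
    "randomized ports": make_capture([rng.randrange(1024, 65536) for _ in range(32)], TXIDS),
}


def grade_capture(lines, resolver_ip=RESOLVER):
    """Return (grade, bits) for one capture."""
    ports = [port for port, _ in parse_queries(lines, resolver_ip)]
    return grade_ports(ports), round(guess_space_bits(ports), 1)


if __name__ == "__main__":
    for label, lines in CAPTURES.items():
        grade, bits = grade_capture(lines)
        print(f"{label:48s} {grade:5s} ~{bits} bits to guess")
```

To run it against a real resolver, replace the constructed CAPTURES with lines from `tcpdump -n udp dst port 53` taken on the resolver's uplink and pass the resolver's own address as `resolver_ip`; a POOR grade means the patched resolver (or the equivalent query-source change) is not yet in effect.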
#4, 9th July 2008
TerryP

I wonder how long it has been since something of this magnitude has happened on the net :\


On a lighter note,

Quote:
Originally Posted by http://www.doxpara.com/
I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, _we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it_ entirely.
!!!
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
#5, 10th July 2008
ai-danno

Good thing it's not going to his head
__________________
Network Firefighter
#6, 14th July 2008
cajunman4life (Real Name: Aaron Graves)

Quote:
Originally Posted by robbak
... If someone who is tracking the FreeBSD security advisories RSS could give this forum a heads-up when it hits the tree, it would be helpful ...
Almost forgot, the changes have hit.

http://security.freebsd.org/advisori...08:06.bind.asc
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
#7, 14th July 2008
TerryP

thanks for the heads up
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
#8, 14th July 2008
Carpetsmoker (Real Name: Martin)

You should really subscribe to security@...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#9, 14th July 2008
TerryP

I am but I check my personal e-mail like, once every two months :\


There's a commercial on American TV for insurance that says

"My inbox is exploding and I haven't had a day off since the third grade"

that really comes to my mind about now +S
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
#10, 14th July 2008
BSDfan666 (Real Name: N/A, this is the interweb.)

Seen that commercial (Peachtree TV?)... some guy is lying on her, partially.
#11, 15th July 2008
Oko

Quote:
Originally Posted by BSDfan666
The person who found the problem has published a small test script on his website that determines whether your ISP is vulnerable.

Curiously, the OpenBSD team haven't said a word about it, nor have they done a patch. Odd.
Actually you are VERY WRONG. There was a long discussion on misc@open about the vulnerability found in BIND last week, and I would do a disservice to the OpenBSD project if I tried to repeat it or give a summary here.

You are welcome to go through the archive and see what lead developers had to say about it. OpenBSD would not be OpenBSD if they were relying on some hasty patches to fix the problem. The problem is most likely not isolated and represents a whole class of new bugs.

If you cannot wait for a proper fix you should switch from BIND to djbdns, as it seems for now that djbdns is bulletproof.
#12, 15th July 2008
BSDfan666 (Real Name: N/A, this is the interweb.)

I made that post the day after it was published... fear & confusion led me there.

My apologies, but I'm only human.
#13, 15th July 2008
Carpetsmoker (Real Name: Martin)

Quote:
If you can not wait for proper fix you should switch from BIND to djbdns as
it seems for now that djbdns is bullet proof.
That may be, but djbdns has been unmaintained since 2001. Bernstein is a great guy, but it just sucks how he releases software: you'll have to search the net for patches, often encountering dead links. QMail is even worse...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#14, 15th July 2008
Oko

Quote:
Originally Posted by Carpetsmoker
That may be, but djbdns has been unmaintained since 2001. Bernstein is a great guy, but it just sucks how he releases software: you'll have to search the net for patches, often encountering dead links. QMail is even worse...
We had a discussion about Bernstein's software as well in the past couple of weeks on misc@open.

Again, you could inform yourself by reading the archives. I agree about QMail and your post in general. Actually, due to the lack of licenses his software was removed from the OpenBSD ports many years ago. Now that his software has been released into the public domain it has been ported again (so you do not have to seek any patches or do anything manually), but the ports are not committed to the ports tree. So I can send you zip files, or look on ports@open to find them.

Best,
OKO

Last edited by Oko; 15th July 2008 at 01:56 PM.