Subject: Re: Bind 8.2.2p5 pulled up to -release?
To: None <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 11/29/1999 14:25:36
[ On Sunday, November 28, 1999 at 14:01:07 (-0500), Jim Wise wrote: ]
> Subject: Re: Bind 8.2.2p5 pulled up to -release?
> I agree that it would be nice to pull this up to -release --
> at this
> point, no one should be running a pre-8.2.2p5 bind for _any_ reason.
Well, that's not entirely agreed upon. I don't think there are any
publicly known remote access exploits in the pre-8.2.0 versions of
BIND-8 -- only denial of service attacks and perhaps some good old
fashioned cache pollution "issues" that we've all been living with for a
very long time, like it or not.
(The "nxt" bug, the only publicly known remote exploit bug, did not
appear until 8.2 and was squashed in 8.2.2. NetBSD has never shipped
with this bug so far as I know.)
[[ I qualify my statement as "publicly known" because of course there
may as yet be unsquashed bugs and *someone* may know about such a bug. ]]
[[ I do agree that running any BIND-4 anywhere is rather unnecessary,
though I've still got one old clunker running it! ;-) ]]
> In the mean time, note that the net/bind8 package in pkgsrc has been
> updated to 8.2.2p5, so you at least have an easy, standard way to do
> this install...
... and if you set LOCALBASE=/usr in /etc/mk.conf before building it you
can effectively replace the system instance of BIND.
(Personally I think the "pkg" system's tracking abilities are now
sufficiently advanced that I do recommend LOCALBASE=/usr for production
systems, and indeed I use it that way myself on several systems. Now if
only we could harmonize the hier(7) definitions for /, /usr, /usr/local,
Greg A. Woods
+1 416 218-0098 VE3TCP <email@example.com> <robohack!woods>
Planix, Inc. <firstname.lastname@example.org>; Secrets of the Weird <email@example.com>