Subject: Re: The recent bind security issue and MetBSD?
To: Geert Hendrickx <ghen@telenet.be>
From: Adrian Portelli <adrianp@stindustries.net>
List: netbsd-users
Date: 08/05/2007 17:40:07
Geert Hendrickx wrote:
> On Sat, Aug 04, 2007 at 04:11:32PM +0100, Dieter wrote:
>> Perhaps I've missed it but I haven't seen any mention of the recent bind
>> security issue.  Is it a problem for NetBSD?
>>
>> http://lists.freebsd.org/pipermail/freebsd-announce/2007-August/001143.html
> 
> This has been fixed on NetBSD-current, 4.0_BETA2 and pkgsrc.  NetBSD 2.x
> and 3.x are not vulnerable.  Since the problem does not exist in any
> NetBSD *release*, an SA is usually not published (unless the problem is
> really bad).
> 
> 	Geert

Actually there were two advisories recently released by the ISC:

http://www.isc.org/sw/bind/bind-security.php

One (CVE-2007-2925) only impacts the BIND 9.4.x and 9.5.x branches,
whereas the second (CVE-2007-2926) looks like it impacts most (if not
all) of the 9.x branch.  This of course means that HEAD, 4.x and 3.x are
all vulnerable to the second issue.

In HEAD and 4.x BIND has been updated to 9.4.1-P1 which contains fixes
for both issues.  We are currently working on a fix for 3.x and will
release an advisory as soon as the pullups hit the tree.  A current
work-around can be to use BIND from pkgsrc which has been updated to
9.4.1-P1.

2.x is not vulnerable to any of the issues listed above as that's
running BIND 8.x.

regards,

adrian.