Subject: Re: NetBSD Security Advisory 2002-028: Buffer overrun in
To: NetBSD Security Officer <security-officer@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-security
Date: 11/19/2002 17:57:24
At 2:22 AM +0900 11/20/02, NetBSD Security Officer wrote:
>Since the issue is in libc, all statically-linked binaries have to be rebuilt.
>
>Any binary that is statically linked against a vulnerable version of libc
>must be rebuilt. This includes binaries built by the pkgsrc system.
>
. . .
>* NetBSD 1.6:
>
> Systems running NetBSD 1.6 dated from before 2002-11-16 should
> be upgraded to NetBSD 1.6 dated 2002-11-16 or later.
>
> The following directories need to be updated from the
> netbsd-1-6 CVS branch:
> lib/libc/net/getnetnamadr.c
>
> To update from CVS, re-build, and re-install libc and statically-linked
> binaries:
> # cd src
> # cvs update -d -P -r netbsd-1-6 lib/libc/net/getnetnamadr.c
>
> # cd lib/libc
> # make obj dependall
> # make install
>
> # cd ../../bin
> # make obj dependall
> # make install
> # cd ../sbin
> # make obj dependall
> # make install

Doing 'cd /usr/libexec; file * | grep static' yields:

named-xfer: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for NetBSD, statically linked, stripped

Shouldn't the above advice include ./dist/bind/bin/named-xfer?
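
[Added example, not part of the original message or the advisory.] The `file * | grep static` check above can be run across whole directory trees by reading ELF program headers directly: an executable with neither a PT_INTERP nor a PT_DYNAMIC segment is statically linked and carries its own copy of libc. The function names, the default directory list (taken from the directories mentioned in this thread) and the `make_elf32` sample builder are assumptions of this sketch; only ET_EXEC files are classified, so static-PIE binaries are out of scope.

```python
import os
import struct
import sys

ET_EXEC, PT_DYNAMIC, PT_INTERP = 2, 2, 3  # values from the ELF specification

def elf_linkage(data):
    """Classify an ELF executable image as 'static' or 'dynamic'; None if not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    if struct.unpack_from(end + "H", data, 16)[0] != ET_EXEC:
        return None                              # shared objects, PIE, core files
    if data[4] == 1:                             # ELFCLASS32 header layout
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:                                        # ELFCLASS64 header layout
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            return None                          # truncated program header table
        if struct.unpack_from(end + "I", data, off)[0] in (PT_INTERP, PT_DYNAMIC):
            return "dynamic"
    return "static"

def find_static(roots):
    """Walk the given directory trees; return sorted paths of static executables."""
    hits = []
    for path in (os.path.join(d, n) for r in roots for d, _, fs in os.walk(r) for n in fs):
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as f:
                if elf_linkage(f.read(1 << 16)) == "static":
                    hits.append(path)
        except OSError:
            continue                             # unreadable file: skip it
    return sorted(hits)

def make_elf32(ptypes):
    """Constructed sample: minimal 32-bit LSB ET_EXEC image with the given p_type values."""
    hdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", ET_EXEC, 3, 1, 0, 52, 0, 0, 52, 32, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

if __name__ == "__main__":
    for p in find_static(sys.argv[1:] or ["/bin", "/sbin", "/usr/libexec"]):
        print(p)
```

Every path it prints is a candidate for rebuilding after the libc update; pass extra directories (for example a pkgsrc prefix) as arguments.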