Subject: Re: ISC BIND / NAMED CVE-2007-2926 (Another ISC BIND Pullup)
To: None <tech-security@netbsd.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: tech-security
Date: 08/09/2007 13:40:14
The FreeBSD patch applies and builds cleanly with an adjusted relative
patch name :%s/contrib\/bind9\//dist\/bind\//g
~BAS
On Thu, 9 Aug 2007, Brian A. Seklecki wrote:
>
> All:
>
> Another global version bug has been out since July 24th:
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2926
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
>
> The ISC recommended solution is to upgrade to 9.3.4-P1 -- We (and FreeBSD
> RELENG_6_2) are at 9.3.2 + Local Patches.
>
> ISC's official recommendation is 9.3.4-P1?2?. All versions prior to BIND
> 9.3.3 are EOL by ISC. FreeBSD pulled the patch in manually:
>
> http://security.freebsd.org/advisories/FreeBSD-SA-07:07.bind.asc
>
> We need to do the same, just like we did back in March:
>
> ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2007-003.txt.asc
>
> I'm testing it now.
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>
> "Guilty? Yeah. But he knows it. I mean, you're guilty.
> You just don't know it. So who's really in jail?"
> ~Maynard James Keenan
>
>
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan