Are we going to expect an update for BIND today?

http://www.isc.org/index.pl?/sw/bind/bind-security.php
I agree Remko. I meant this more as a timing and planning question than a "the sky is falling!". Was curious to know if/when an update might be available so schedules could be set. Thanks.

On 7/8/08 2:19 PM, "Remko Lodder" <remko@elvandar.org> wrote:

> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>> Are we going to expect an update for BIND today?
>>
>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
> Hello,
>
> I think it's important that we do not overstretch things instantly. The FreeBSD Security Team is aware of this situation and will investigate how to plan and act upon this.
>
> Thanks,
> Remko
On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
> Are we going to expect an update for BIND today?
>
> http://www.isc.org/index.pl?/sw/bind/bind-security.php

Hello,

I think it's important that we do not overstretch things instantly. The FreeBSD Security Team is aware of this situation and will investigate how to plan and act upon this.

Thanks,
Remko

-- 
/"\   Best regards,               | remko@FreeBSD.org
\ /   Remko Lodder                | remko@EFnet
 X    http://www.evilcoder.org/   |
/ \   ASCII Ribbon Campaign       | Against HTML Mail and News
Andrew Storms wrote:
> http://www.isc.org/index.pl?/sw/bind/bind-security.php

I'm just wondering ... ISC's patches cause source ports to be randomized, thus making it more difficult to spoof response packets. But doesn't FreeBSD already randomize source ports by default? So, do FreeBSD systems need to be patched at all?

Best regards
   Oliver

PS:
$ sysctl net.inet.ip.portrange.randomized
net.inet.ip.portrange.randomized: 1
$ sysctl -d net.inet.ip.portrange.randomized
net.inet.ip.portrange.randomized: Enable random port allocation

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsführung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

It's trivial to make fun of Microsoft products, but it takes a real man to make them work, and a God to make them do anything useful.
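Oliver's question (does the kernel's port randomization already cover BIND?) is one a practitioner answers by looking at the resolver's own outbound traffic: an unpatched BIND 9 opened a single UDP socket at startup, so the kernel picked one random ephemeral port once and every query then left from that same port, which is exactly what ISC's patch changed. The following Python is an added example, not part of the thread or of BIND; it scores a list of observed (source port, transaction id) pairs, such as one would extract from a capture of the resolver's outgoing port-53 queries, and reports whether the source port is fixed, sequential or randomized. The samples are constructed with a seeded PRNG, not real captures.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of the observed values in bits (at most log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_source_ports(queries, min_samples=16):
    """Classify a resolver's outbound UDP source ports.

    queries: list of (src_port, txid) pairs in capture order, as extracted from
    a capture of the resolver's outgoing queries to port 53.
    """
    n = len(queries)
    if n < min_samples:
        return {"verdict": "insufficient", "samples": n}
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct = len(set(ports))
    # Fraction of consecutive queries whose port rose by exactly one:
    # a sequential allocator is almost as guessable as a fixed port.
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    sequential_frac = steps / (n - 1)
    if distinct == 1:
        verdict = "fixed-port"     # one socket bound once; only the 16-bit txid varies
    elif sequential_frac > 0.8:
        verdict = "sequential"
    elif distinct >= 0.75 * n:
        verdict = "randomized"     # ports rarely repeat across a modest sample
    else:
        verdict = "low-diversity"
    return {"verdict": verdict, "samples": n, "distinct_ports": distinct,
            "port_entropy_bits": round(entropy_bits(ports), 2),
            "txid_entropy_bits": round(entropy_bits(txids), 2),
            "sequential_fraction": round(sequential_frac, 2)}


# Constructed samples, not real captures: a seeded PRNG stands in for tcpdump
# output so the example runs offline and deterministically.
_rng = random.Random(2008)
FIXED_PORT = [(32770, _rng.randrange(65536)) for _ in range(64)]
SEQUENTIAL = [(1024 + i, _rng.randrange(65536)) for i in range(64)]
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)):
        print(name, assess_source_ports(sample))
```

A "fixed-port" verdict on a live resolver means the sysctl Oliver quotes is not protecting it, because randomization happened once at bind time rather than per query.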
On Wed, July 9, 2008 5:19 pm, Josh Mason wrote:
> Remko Lodder wrote:
>> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>>> Are we going to expect an update for BIND today?
>>>
>>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> Hello,
>>
>> I think it's important that we do not overstretch things instantly. The FreeBSD Security Team is aware of this situation and will investigate how to plan and act upon this.
>>
>> Thanks,
>> Remko

Hello Josh,

> Right, let's not act swiftly. That would be too much to ask. Is there any reason why FreeBSD is one of the last vendors to release patches for the vulnerability?

Thanks for taking the time to reply to the thread. Sadly the tone you are using makes me feel a bit sad. There is a deeper reply in the reply you sent, and I do not like it. We as the Security Team do our best to act as soon as possible on things. Items like these tend to take up a lot of time and resources; we need to test things properly and make sure all the bits and bytes are OK, so that we don't make people grumpy about things we overlook. I am sure you can understand that and leave away the attitude.

> I apologize, perhaps I should simply do it myself as has been the common response as of late, or perhaps install from source retrieved from isc.org should be the expected answer?

If you want to do that, no one will be stopping you. We as the security team will be working as hard as possible to try and understand the problem, wrap up the correct response and make sure it gets fixed where needed; these things just take time.

> Most other vendors seem to have taken this seriously, yet FreeBSD seems to be sitting on their hands for some unknown reason while its users remain vulnerable.

We also take this seriously; I think you are short-visioned by telling something like this. There is a mitigation strategy for the BIND issue as already reported on the list. Given your response you must be clever enough to find it.

> Thanks for all the hard work,

Thanks for the deeper attitude and the email. I hope you can understand that we are a volunteer organisation which does not have paid people working on items 24/7, which other vendors might have. If you want to have that, I am sure we can get some people so far for getting paid for their normal wages so that we can do that as well. Till that time you should understand volunteer organisations better, or come up with a better proposal; you simply don't know how much is involved here.

> Your incredibly loyal follower

Sarcastic.

-- 
/"\   Best regards,               | remko@FreeBSD.org
\ /   Remko Lodder                | remko@EFnet
 X    http://www.evilcoder.org/   |
/ \   ASCII Ribbon Campaign       | Against HTML Mail and News
Remko Lodder wrote:
> On Tue, July 8, 2008 8:34 pm, Andrew Storms wrote:
>> Are we going to expect an update for BIND today?
>>
>> http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
> Hello,
>
> I think it's important that we do not overstretch things instantly. The FreeBSD Security Team is aware of this situation and will investigate how to plan and act upon this.
>
> Thanks,
> Remko

Right, let's not act swiftly. That would be too much to ask. Is there any reason why FreeBSD is one of the last vendors to release patches for the vulnerability?

I apologize, perhaps I should simply do it myself as has been the common response as of late, or perhaps install from source retrieved from isc.org should be the expected answer?

Most other vendors seem to have taken this seriously, yet FreeBSD seems to be sitting on their hands for some unknown reason while its users remain vulnerable.

Thanks for all the hard work,
Your incredibly loyal follower
Remko Lodder wrote:
> Josh Mason wrote:
>
> Thanks, you really showed how you are by sending these replies. I wish you good luck with your quest, perhaps someday someone can help you.
>
> Goodbye.

Hi,

I am sorry for this reply, it was an expression of my frustration towards you. The frustration is just easily generated by people demanding support from volunteers, that are trying to service you and others in their own spare time. Time that they can also spend on different items, yet we crazy people decide to work on a Free Operating System, getting nothing paid for it, only happy users (where possible) around us. I think you can understand my frustration, because I think you would reply the same if someone demanded even more free time from you.

I hope you can understand this.

//Remko
I hope I can distance myself from Josh in terms of tone. I think he's completely out of line with his snotty posts. That said, I think there is a legitimate question here.

I'm interested in this issue, because it sounds as if FreeBSD folk didn't become aware of this problem until the announcement. I would have expected ISC to notify you ahead of the announcement. The patched code has been available to some for several weeks (at least). I was anticipating seeing everyone pushing patched code out on the same day.

> That means 11 out of 81 entries were able to determine the status of their product/code before the advisory went public. Here's that list, please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.

> What's more important is that we not panic, especially since _public_ details are very sparse. There are mitigations that are mentioned in that report, along with elsewhere. Putting these mitigations in place, if necessary, is your best option while those entrusted to do the work are doing said work to make sure we have a co-ordinated and accurate response.

There really aren't any effective mitigations for folks running resolvers. Patched code to implement source port randomization is our only hope. Of course, that code exists and is available from ISC, and it will work fine under FreeBSD, so there is clearly a path forward.

I think it might have been helpful (and still might be) if the security officer had pushed out a notification of 'work underway' with some possible indication as to when a fix might be available. I realize that providing a date might be extraordinarily difficult, but it helps inform planning for FreeBSD users (and, of course, gives us something to kvetch about when the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you guys beer (or other beverage of choice) any time we're in the same room together.

mark
Jason Stone wrote:
> I don't agree with the criticism of the security team; it takes a lot of time to test things and make sure that changes and patches work within the larger context of a complete system.

There's that, but you also have to consider ISC's role. They certainly put a lot into testing named on all the common platforms. I'm pretty sure FreeBSD is still one of their test platforms. Not so sure it will continue to be though, given the resources our polished OS seems to be limited to.

> And what I like about FreeBSD is that it's a complete system, not just a collection of disjoint parts like some other popular unix-like systems out there....

Don't know if I agree given the way dozens of port versions were unnecessarily incremented recently.

http://unix.derkeiler.com/Newsgroups/comp.unix.bsd.freebsd.misc/2008-06/msg00231.html

At least we _can_ easily update bind ports, I mean without waiting for maintainers or QA.

<http://unix.derkeiler.com/Newsgroups/comp.unix.bsd.freebsd.misc/2008-07/msg00058.html>

But the real issue here is FreeBSD's response in comparison with other Unix/Linux operating systems. This is a critical time for FreeBSD. If we can't keep up, response-time-wise, patch-wise, finance-wise, or otherwise, our OS won't last long. The competition has gotten too good. Question is, OT but very relevant, how can FreeBSD get some decent corporate sponsorship?

Roger Marquis
This is an interesting thread, so I'm going to try to respond to what I think are the reasonable points all in one post so as not to single anyone out. Again, thanks to those who chose to give thanks, encouragement, or criticism with a positive approach.

This issue is complicated because it both is, and is not a "serious" security issue. As others stated rather eloquently, the fact that DNS is an "insecure" service is (or certainly should be) well known. What is also (or certainly should be) well known is that almost all of the other services on the Internet are also insecure, even those with "secure" in the name. :)

The problem with this particular vulnerability is that it grabbed the media's attention, and since they think they understand it they are banging the drum pretty loudly. This creates FUD in normally rational people, and hilarity ensues.

There are a large number of steps that network operators can and should already have been taking to mitigate damage from this attack. Ingress/egress filtering (a la BCP 38), secure ACLs on your name servers and/or firewalls, splitting authoritative and resolving name services to separate instances, restricting availability of recursive services to only those users who should have them, etc. The danger (and this is a BIG danger in the DNS world) is that most networks are not taking the basic steps that they should be taking to secure their name service (it works, why touch it?), and this upcoming exploit is going to hit them right between the eyes.

Changing topics, the BIND installation in the base is not intended to be an out of the box solution to those for whom DNS is part of their critical infrastructure. The BIND bits, along with the sample named.conf file, are set up to run by default as a fairly secure local resolver (and by local I mean really local: only listening on the loopback address). The fact that for many purposes (for instance a "medium" sized ISP, etc.) it works well out of the box is not totally accidental, but like any other service if it's important to your business you need to invest the time and effort to make sure it's working the way you need it to, not rely on others to do that work for you.

Jeremy asked why the ports are updated before the BIND in the base. Someone else gave part of the answer, that a lot more QA is involved in dealing with stuff in the base. There are patches to create, security advisories (including instructions, etc.) to write, FreeBSD update stuff to prep, etc. By contrast updating the ports is easy, and gives users for whom a given security issue is critical a simple path to upgrade, and just as importantly, to back out from when/if they deem what's in the base suitable for their needs.

However, there is a more fundamental reason that goes to the heart of my philosophy as BIND maintainer. When I was the DNS admin at Yahoo! I _never_ used the BIND that came with the base system. There were a variety of reasons for this, the two most important being that I had a lot of custom tweaks/patches for our version of BIND, and the fact that I needed to update stuff more often than the boxes were updated. This led to the "replace the base" option in the ports way back when.

There is another meta-issue that seems to be coming up a lot lately, which is users who seem to be paralyzed, unable to take any action to help themselves, totally dependent on the FreeBSD developers to make things happen for them. I'm not going to get dragged into that topic again, but I will say that Mark was right, the BIND ports are pretty easy to update if you ever have to do it yourself. And, you don't even have to go out of your way to check the PGP signature, there is a 'make verify' target that will do that for you. :)

Seriously though, one user wrote to me (and others) privately and said in so many words, "The things I run on FreeBSD are critically important to me, therefore making them run smoothly must be critically important to you." If you have that mindset, you really, really need to take a reality check. (Go ahead, we'll wait for you.) The vast majority of people who work on FreeBSD do it for FUN, as VOLUNTEERS. If you need a commercial level of support, you're going to have to pay for it, it's that simple. And NO, please do not go off into the woods on this topic. I believe that there is a market for commercial FreeBSD support, but unfortunately it hasn't reached critical mass yet. (Chicken, meet egg. Why don't you two go off and talk for a while?)

So, the short version is, "Don't Panic." Well, ok, panic a little, but don't let it distract you from actually getting something useful done, like upgrading your servers, firewall rules, etc.

And, if anyone has a business that relies heavily on DNS and needs a good DNS consultant, I know where to find one. :)

hope this helps,

Doug

-- 
~ This .signature sanitized for your protection