Remko Lodder
2008-Jul-09 19:42 UTC
[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Dear all,

Doug just updated the ports tree with the updated BIND ports. If you urgently want to upgrade and really cannot wait for the advisory, please use the ports system to get up to speed.

Thanks Doug for working on this on such short notice!

Cheers,
remko

-------- Original Message --------
Subject: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo
Date: Wed, 9 Jul 2008 19:02:01 +0000 (UTC)
From: Doug Barton <dougb@FreeBSD.org>
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org

dougb       2008-07-09 19:02:01 UTC

  FreeBSD ports repository

  Modified files:
    dns/bind9            Makefile distinfo
    dns/bind94           Makefile distinfo
    dns/bind95           Makefile distinfo
  Log:
  Upgrade to the -P1 versions of each port, which add stronger randomization
  of the UDP query-source ports. The server will still use the same query
  port for the life of the process, so users for whom the issue of cache
  poisoning is highly significant may wish to periodically restart their
  server using /etc/rc.d/named restart, or other suitable method.

  In order to take advantage of this randomization users MUST have an
  appropriate firewall configuration to allow UDP queries to be sent and
  answers to be received on random ports; and users MUST NOT specify a port
  number using the query-source[-v6] option. The avoid-v[46]-udp-ports
  options exist for users who wish to eliminate certain port numbers from
  being chosen by named for this purpose. See the ARM Chapter 6 for more
  information.

  Also please note, this issue applies only to UDP query ports. A random
  ephemeral port is always chosen for TCP queries. This issue applies
  primarily to name servers whose main purpose is to resolve random queries
  (sometimes referred to as "caching" servers, or more properly as
  "resolving" servers), although even an "authoritative" name server will
  make some queries, primarily at startup time.

  This update addresses issues raised in:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

  Revision  Changes    Path
  1.82      +2 -2      ports/dns/bind9/Makefile
  1.44      +6 -6      ports/dns/bind9/distinfo
  1.85      +2 -3      ports/dns/bind94/Makefile
  1.47      +6 -6      ports/dns/bind94/distinfo
  1.87      +2 -2      ports/dns/bind95/Makefile
  1.49      +6 -6      ports/dns/bind95/distinfo

--
Best regards,
Remko Lodder | remko@FreeBSD.org | remko@EFnet
http://www.evilcoder.org/
ASCII Ribbon Campaign | Against HTML Mail and News
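As an added illustration of the "MUST NOT specify a port number" point in the commit log above (my own example, not part of the commit, the ports tree or BIND): two constructed named.conf fragments, one pinning the UDP query-source port and one leaving the choice to named, plus a small hypothetical audit function that flags the pinned form.

```python
import re

# Constructed named.conf fragment (not from the ports tree). Pinning the
# source port throws away the -P1 port randomization entirely.
WEAK_CONF = """
options {
    directory "/etc/namedb";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# Constructed corrected fragment: no port clause, so named picks a random
# UDP source port; avoid-v[46]-udp-ports keeps it off ports the firewall
# does not pass (the port numbers here are placeholders).
FIXED_CONF = """
options {
    directory "/etc/namedb";
    query-source address *;
    avoid-v4-udp-ports { 1024; 1025; };
    avoid-v6-udp-ports { 1024; 1025; };
};
"""


def audit_query_source(conf):
    """Return findings for query-source[-v6] clauses that pin a UDP port.

    Hypothetical check, not part of BIND or the port. It strips comments and
    only understands the simple 'query-source [address A] [port P];' form;
    'port *' is BIND's explicit way of asking for a random port and is fine.
    """
    findings = []
    stripped = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    for m in re.finditer(r"\b(query-source(?:-v6)?)\b([^;]*);", stripped):
        directive, args = m.group(1), m.group(2)
        port = re.search(r"\bport\s+(\*|\d+)", args)
        if port and port.group(1) != "*":
            findings.append(
                f"{directive} pins UDP source port {port.group(1)}; "
                "remove the port clause"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_query_source(conf) or "ok")
```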
Andrew Storms
2008-Jul-09 20:04 UTC
[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Nice. Thanks Doug!

On 7/9/08 12:05 PM, "Remko Lodder" <remko@freebsd.org> wrote:

> Dear all,
>
> Doug just updated the ports tree with the updated BIND ports. If you
> urgently want to upgrade and really cannot wait for the advisory, please
> use the ports system to get up to speed.
>
> Thanks Doug for working on this on such short notice!
>
> Cheers,
> remko
Artis Caune
2008-Jul-11 05:36 UTC
[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
On Wed, Jul 9, 2008 at 10:05 PM, Remko Lodder <remko@freebsd.org> wrote:

> Dear all,
>
> Doug just updated the ports tree with the updated BIND ports. If you
> urgently want to upgrade and really cannot wait for the advisory, please use
> the ports system to get up to speed.

Has anyone tried to run bind95?

I updated bind94-9.4.2_1 to bind95-9.5.0.1 and after a couple of hours it ate all 2G of RAM and 1G of swap and was killed. max-cache-size was set to 1500M; same problem with 64M. Looks like bind95 is leaking memory.

FreeBSD-7.0/amd64, 2K queries/sec.

bind94-4.2.1 works just fine.

thanks,
Artis
Doug Barton
2008-Jul-11 18:17 UTC
[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Artis Caune wrote:

> I updated bind94-9.4.2_1 to bind95-9.5.0.1 and after a couple of hours
> it ate all 2G of RAM and 1G of swap and was killed.

The best place to report these issues is bind-users@isc.org.

Good luck,

Doug

--
This .signature sanitized for your protection