Slashdot Mirror
Bind 4 and 8 Vulnerabilities
eecue writes "The world's most popular DNS package is once again vulnerable. Even the advisory says it's only a matter of time before worms are written.... just like a couple years ago. I guess this is why i run tinydns."
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
The potential for a passive worm is actually fairly high, given that the exploit needs to come in response to a DNS query: The worm infects a DNS server, and waits for queries. It responds to those queries from other DNS servers by attempting to infect them.
The nasty parts: Enough people dual-use their DNS servers (serving as both authoritative master for outside and for their own lookups) that you could get lots of authoritative masters. It also does NOT scan.
It could be made even stealtier if the exploit, on failure, would still function. On success, it of course functions normally. This might be harder, but, if so, it would be really REALLY hard to detect such a worm.
It would take a bit of writing to get right, so there is a good window in which to patch your machines. So patch SOON.
Test your net with Netalyzr
It was mentioned on the FreeBSD-Security list this morning that ISS had informed vendors that they were going to go public with this advisory tomorrow and not today. So in answer to your question, Yes, the vendors have apparently been notified.
This however appears to be yet another situation where ISS has gone ahead and released an advisory before the vendors have actually had a chance to make patches available to the public.
This is supposed to be a security firm that is trying to assist the public in keeping their boxen secure? If so, I'm really scared of the firms that are out there really trying to do damage.
For me, it is not really an option to use a tinydns or any other DNS solution other than BIND. Upgrading to BIND9 is not really an option for me either. I work for a large multinational, and we have a lot of UNIX servers (Sun, IBM, and HP in terms of numbers). I get hardware and software support direct from the manufacturer, and if I install an application, or a version of an application that my vendor does not support, I am on my own. These 24-7 support contracts are important to us in being able to sell our services and maintaining our SLA's and availability targets. Those issues aside, I do not want to have to explain to the PHBs that we cannot get support on a particular problem because the application in question is not supported by Sun, or that IBM only supports version 3.4 and we run version 4.0.
So, it is all well and good if someone out there has the choice to install some other software, but keep in mind that it is not necessarily an option for everyone...
*** Where are we going? And what's with this handbasket?
Waddayamean, free ?
DJB has been quite clear on this. DJBDNS has his name on it, his guarantee against remote exploits, and his own petty little rant about where things should be installed, and why they should be the same on different systems. As far as he is concerned, you may NOT distribute binaries unless you guarantee they build exactly like the source would build them on the machine in which they are used.
However, he is also QUITE clear. Source patches are fine. Of any sort. This is not any more the original djbdns package, and his guarantee goes out the window. Debian does this with qmail, for example.
I use djbdns, but I REALLY like free software. WHY? Well, BIND is buggy as hell. It is probably the worst possible server software ever written with respect to remote exploits. And, even after the BIND 8 rewrite, it is still buggy as hell. It is also a pain in the ass to configure.
In contrast, djbdns is pretty easy to configure and install. I installed it exactly once per machine (mostly caching servers for local machines only, but also domain servers). It never stopped working. EVER. It never needed restarting. It never needed attention. I sometimes forget it is even running. There has never been an exploit.
So I ask you - if something works like this, why do you need to be able to redistribute anything more than patches? You install the dern thing once and it just keeps going like the Energizer bunny.
So, go ahead, laugh if you want. Install buggy BIND, or some other DNS package. DJBDNS keeps my machines working, free from exploits of dns origin, and it never breaks down or needs attention. And if it ever does, I still have the source and permission to alter it for my own use, and to distribute patches that alter it to others.
That pretty much covers the freedoms I want from my DNS software. Granted, it would be cooler yet if distros could package it and distribute as THEY see fit (placing the trust in the distro and not in DJB), but DJB is kinda quirky, so I live with the next best thing.
That's assuming you ever find one. qmail's withstood the security guarantee since 1998. djb tends to write fairly good software... Besides, people are allowed to release unofficial patches to djb projects and quite a community has grown up around additional features. See qmail.org and tinydns.org.
Oh come on. If something works well and implements the standards, why should you bother to add more gimmicks? "If it ain't broke, don't fix it."
You are being very naive. Please read this comment of mine, I don't want to repeat myself. The point is, that basically a "security guarantee backed by a cash reward" doesn't mean anything. I'm really surprised that people, sometimes even educated people, are still trusting in such poor marketing tools as "cracking contests."
You shouldn't trust the software because of the cash guarantee. You should trust it because it is secure.
Some people will audit the software in hopes of claiming the reward, either for the monetary or ego value. It also means that the author has faith in his software. How many other people will put a cash guarantee behind their code? Dan doesn't have any commercial reasons to offer this guarantee. He does it because he knows his code is secure. Why won't the BIND authors guarantee their code? Because they know that they can't.
Look at it from another perspective. How many people here dislike Dan for one reason or another? How many of those people would love to find a hole in his software to discredit him? How many of those people have found one?
djbdns is secure in the same way that qmail is secure. Read the code for yourself. You will see how different it is from other software. It is quite easy to see how Dan can guarantee that it is secure.
It wasn't long ago that a forged 'trusted' mime type would allow an
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant