BIND update?

Mark Boolootian booloo at ucsc.edu
Wed Jul 9 18:29:08 UTC 2008


I hope I can distance myself from Josh in terms of tone.  I think he's
completely out of line with his snotty posts.  That said, I think there
is a legitimate question here.

I'm interested in this issue, because it sounds as if FreeBSD folk
didn't become aware of this problem until the announcement.  I would
have expected ISC to notify you ahead of the announcement.  The
patched code has been available to some for several weeks (at least).
I was anticipating seeing everyone pushing patched code out on the same
day.

> That means 11 out of 81 entries were able to determine the status of
> their product/code before the advisory went public.  Here's that list,
> please note I trimmed the vulnerable/not vulnerable status:

Of course, any vendor running vanilla BIND would be vulnerable.  

> What's more important is that we not panic, especially since _public_
> details are very sparse.  There are mitigations that are mentioned in
> that report, along with elsewhere.  Putting these mitigations in place,
> if necessary, is your best option while those entrusted to do the work
> are doing said work to make sure we have a co-ordinated and accurate
> response.

There really aren't any effective mitigations for folks running resolvers.  
Patched code to implement source port randomization is our only hope.
Of course, that code exists and is available from ISC, and it will work
fine under FreeBSD, so there is clearly a path forward.  

I think it might have been helpful (and still might be) if the security 
officer had pushed out a notification of 'work underway' with some possible 
indication as to when a fix might be available.  I realize that providing a 
date might be extraordinarily difficult, but it helps inform planning for
FreeBSD users (and, of course, gives us something to kvetch about when
the date slips :-)

I appreciate the FreeBSD security team efforts and will happily buy you 
guys beer (or other beverage of choice) any time we're in the same room 
together.

mark
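An added example, not part of the original post and not code from FreeBSD or ISC: a small defender-side check for the one mitigation the post names, source port randomization. It assumes you have already captured the UDP source ports of a resolver's outbound queries (from a packet capture or the resolver's own logs) and want to judge whether they look fixed, sequential, or randomized; the port lists and the classification thresholds are this example's own constructed choices, not anything the post specifies.

```python
"""Judge whether a resolver's outbound DNS queries use randomized source ports.

Added example (not from the original post, FreeBSD, or ISC). Input: a list of
UDP source ports observed on a resolver's outgoing queries, captured by you.
All sample port lists here are constructed, and the thresholds are heuristic.
"""
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is 16 bits regardless of port policy


def shannon_bits(values):
    """Empirical Shannon entropy of a sample, in bits (capped by log2(len(values)))."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_source_ports(ports):
    """Return 'fixed', 'sequential', 'randomized', or 'weak' for observed ports.

    fixed:      every query left from the same port
    sequential: a constant stride between consecutive queries (e.g. +1)
    randomized: nearly all ports distinct and spread well across the range
    weak:       varies, but not enough to be worth much
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = set(ports)
    if len(distinct) == 1:
        return "fixed"
    # Stride modulo 65536 so a wrap from 65535 back to 0 still reads as +1.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if len(set(deltas)) == 1:
        return "sequential"
    spread = max(ports) - min(ports)
    # Heuristic thresholds (constructed): >=90% of the sample distinct and a
    # spread over 1024 ports suggests the resolver draws from a wide range.
    if len(distinct) >= 0.9 * len(ports) and spread > 1024:
        return "randomized"
    return "weak"


def guess_space_bits(ports):
    """Lower bound on the bits an off-path spoofer must guess per reply.

    The TXID contributes 16 bits; the source port contributes only as much
    entropy as the sample shows. A fixed port adds nothing, so 16.0 bits.
    """
    return TXID_BITS + shannon_bits(ports)


if __name__ == "__main__":
    # Constructed samples standing in for captured resolver source ports.
    samples = {
        "fixed":      [53] * 20,
        "sequential": list(range(1024, 1044)),
        "randomized": [41273, 9087, 60011, 22345, 51998, 3301,
                       47712, 18890, 62507, 30164, 7755, 55443],
        "weak":       [1024, 1026, 1025, 1030, 1027, 1029],
    }
    for label, ports in samples.items():
        print(f"{label:>10}: {classify_source_ports(ports):>10}, "
              f"~{guess_space_bits(ports):.1f} bits to guess")
```

Read the output as a lower bound: the entropy estimate cannot exceed log2 of the sample size, so a resolver that really does randomize will only show its full range in a larger capture. A verdict of "fixed" or "sequential" on a resolver's outbound traffic is the signal to push the patched code out.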