Why haven't the developers posted a formal annoncement clearifing
if the distributed BIND is vulnerable?

If so, where the hell is the patch?

-Nix Fan.

Just curious, how much did you pay for your support contract? Clearly if
you feel you are so entitled to a quick patch you must have paid a
substantial sum in order to be so upset.

Though i've given a few meager donations to OpenBSD, i have not paid for
a support contract of any sort. Thus i am not entitled to any level of
service and will have to wait patiently and without complaint just like
everyone else.

------------------------------------------------------------------------
Dan Rama...

Hehehe ;)

Furthermore you can see in the US-CERT that this VULN was:

Date First Published 07/08/2008 02:46:15 PM

As you know some developers may live outside .us in a different
timezone (and developers in .us/.ca have to work at this time).
So in e.g. Europe this was yesterdays evening.

You can accelerate proceedings by a) donating to OpenBSD
and b) - if you need this patch REALLY FAST - hire a paid
conslutant to develope the patch and send it to the list.

And OpenBSD doesn't have a SLA ....

You know what I expect?

I expect the OpenBSD response will be excellent, and out on its own
timeframe. Rushing a fix into place can be worse than not doing
anything at all. I have no idea what they're doing, have no idea
with whom they may be talking. But I know that it is being worked
on, and will be a reasoned response to the problem.

More than "expect", I trust OpenBSD.

--STeve Andre'

easy, Theo. I actually very much agree with you, and had not intended
to stir anything up here. If users wish to get involved in an attempt
(regardless of how hopeless) to encourage third parties to cooperate
with OpenBSD developers, then you can certainly abstain from enabling
that kind of help if you so choose. However, I wouldn't assign any
malice to those seeking information that might enable them to do so.

I think perhaps you have an inflated impression of my expectations of
OpenBSD and its...

You really should adjust your extremely pathetic attitude.

I think named on OpenBSD 4.3 is affected too.
See
http://www.nabble.com/Actual-BIND-error---Patching-OpenBSD-4.3-named---t...

So long,

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.

Credit where credit is due: djbdns isn't.

Without specifics on the issue, I can't tell if OpenBSD's bind is truly
vulnerable, but it certainly does use a fixed source port.

--
David Terrell
dbt@meat.net
((meatspace)) http://meat.net/

On Thu, Jul 10, 2008 at 12:14 AM, Mathieu SEGAUD

I'm just finish re-read it right now. Thank you for the input and I
agree that at this moment, we will waiting for the latest official
update from OpenBSD developers.

And probably a minor update for those who are deploying it over
Debian. Looks like it is time to patch it.
http://www.debian.org/security/2008/dsa-1603

Have a nice day!

-zamri-

it's not a server, it's a sensor.

named is. the stub resolver isn't.

mcbride@ pointed out that you can give named some more protection
by natting outbound udp traffic destined for port 53 (even just on
the box running the resolver, it doesn't have to be on a firewall
in front). something like,

nat on egress proto udp from (self) to any port 53 -> (self)

there - if you need to tell people you're doing something
while you wait for a better solution, you have an option.
check this with tcpdump and requests from multiple NS, ...

But does it allow a poisoned reply from the spoofed address?

As I understand the threat, based on the limited information:

1. Attacker sends valid user a www.badman.com link to click on
2. Resolver queries to badman.com NS from port 55555 for
www.badman.com, which is a CNAME to www.ebay.com
3. New query for www.ebay.com to ebay.com NS originates from udp port
54321
4. A spoofed UDP packet from the badman.com NS using 55555 shouldn't
match the ebay query, and the poisoning shouldn't work....

http://cr.yp.to/djbdns/run-cache.html
http://www.ro.kde.org/djbdns/mywork/jumbo/index.html

I never understood the mix of authoritive server and resolver ... Use dnscache
as resolver and you you're (AFAIK) save.

Regards

I want my OpenBSD 4.3 to get clock from my serial GPS device.

The device is working
# cu -l /dev/cua00 -s 4800
Connected
$GPRMC,113516.000,A,0608.4965,S,10651.2976,E,0.07,229.06,090708,,,A*75
$GPRMC,113517.000,A,0608.4964,S,10651.2975,E,0.04,193.07,090708,,,A*76
$GPRMC,113518.000,A,0608.4963,S,10651.2974,E,0.07,144.19,090708,,,A*79
$GPRMC,113519.000,A,0608.4962,S,10651.2974,E,0.06,159.34,090708,,,A*7B
$GPRMC,113520.000,A,0608.4962,S,10651.2974,E,0.08,246.72,090708,,,A*70
$GPRMC,113521.000,A,0608....

Hi,
setup: 4.2 with tun0 being a pppoe(8) int and tun1 being a ssh-vpn
over tun0. altq is running on tun0.

I know that altq doesn't support interface groups (and that support is
not planned (see
http://marc.info/?l=openbsd-misc&m=112431574118264&w=2)) but is there
a way around this? Currently altq sees all traffic on tun1 on tun0 as
default instead of ssh, which it is.

Best
Martin

Hi.

I guess OpenBSDs named is affected by the actual issue:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

So I hope a patch is in progress ?
Or is OpenBSD not affected by this issue?

So long,

Andreas.
--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.

I get a different result using the external interface of my caching
name server, and mine looks vulnerable.

frank# tcpdump -nettti em1 dst port 53
tcpdump: listening on em1, link-type EN10MB
Jul 09 05:54:23.291421 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 82:
xx.xx.9.35505 > 205.177.95.83.53: 27972 A? a1397.g.akamaitech.net. (40)
Jul 09 05:54:25.814869 00:0f:1f:04:8c:36 00:02:b9:38:23:f0 0800 86:
xx.xx.95.9.35505 > 75.126.144.219.53: 58999% [1au] A? www.virg9lio.it.
(44)
Jul 09 05:...

Hi Andreas,

Aren't you dumping on the wrong interface here?
Should it not be your $ext_if where the alleged poisoning will come from?

Hi all

I have an OBSD4.3 VPN gateway that authenticates users based on their
certificate and an isakmpd.policy, which works just fine. Now a user had
to renew his certificate: same CA, same CA certificate, same Subject DN,
same EVERYTHING. I'd have expected that he'd just need to close the VPN
tunnel, install the new certificate, authenticate again and that'd be
it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped
message from aaa.bbb.ccc.ddd port 500 due to notification type ...

you have libiconv.so.5.0 installed, but you are trying to install
something that wants libiconv.so.4.0.

libiconv.so.5.0 is from -current (since May 28, 2008), but you appear
to be pointing at a 4.3-release package repository, and you said you
installed 4.3.

looks like you are experiencing confusion with -release and snapshots.

http://www.openbsd.org/faq/faq5.html#Flavors

--
jakemsr@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org

Hello,

can someone recommend me a good way to quickly determine who on the
network is using up most the Bandwith, and preferrably, what are the
using it for?

I have a 4.3 Machine, which is the Firewall and Router for a Network
with about 100 Machines. Every once in a while, i see the Traffic
picking up consideribly when using bwm-ng to check. During normal
Operation, i know the average Kilobytes per second is around 100kbps ,
but when bwm-ng shows me the traffic is going up 750kbps, and th...

Brad in Toronto needs a PCI-e system (he prefers a desktop, i386 or
amd64) as soon as possible for some driver development he's doing.

If anyone can get him one soon, please drop him a note.

Thanks.

Hi,

I am having some problems while trying to run spamd in greylisting
mode in a bridge.

For some reason, spamd is not greylisting, and the all the connections
(even the initial ones) seem to timeout. I see no added GREY entry with
spamdb. If I try to connect (say, using telnet ipaddr smtp) to the smtp
server from outside, I only see the first '220 hostname ESMTP spamd ...'
message. After that, everything hangs. If I type helo myhostname, I get
no answer. From what I understand, I should get som...

Thanks for that, I had not come across the Barix range of devices before.
Indeed, it does appear more expensive per unit!
But it should be simpler to query (http) than the Phidgets...