On Wed, Jul 30, 2008 at 2:43 PM, skogzort <[EMAIL PROTECTED]> wrote:
> Hello,
> I'm trying to protect our DNS server from the vulnerability referred to in
> CVE-2008-1447 and US-CERT Vulnerability Note VU#800113. I see that there is a
> patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not for
> 3.8.
> I have inherited an Open BSD DNS server that provides external DNS for our web
> server and serves NTP for our infrastructure. I don't know UNIX or Open BSD.
> I'm reading through the Open BSD website and asking questions on the mailing
> lists to try and get an overview of what I need to do to upgrade/update/patch
> this server.
> It was suggested to me that I may have to "manually merge the patch", but
> I can't find any instructions for that. I know that if I could upgrade our
> release to 4.2 or 4.3 then I could follow the instructions in the patch
> itself, but I wonder if that would be more work and potential for mistakes
> than necessary. I was also told to use "ports", but I read that using
> ports was only for people who have experience with Open BSD and beginners were
> not allowed to ask questions in mailing lists about using ports.
> What do you think: manually merge the patch, upgrade to 4.2 or 4.3 and apply,
> or use "ports"?
> My inexperience is a factor, I am looking for the shortest steps (so there
> will be less chance for error) that will still allow for a quick revert,
> should the "fix" fail.
> Thanks again to everyone who helped with my last question and who may help
> with this. I really appreciate your time and opinions.
> Kyle
The shortest step that is officially supported by OpenBSD would be to upgrade to 4.3, then recompile /usr/src/usr.sbin/bind after patching/cvs'ing the source code. It might be possible to backport the patches, but that is not something for the inexperienced/lighthearted.

-- Jason
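Jason's procedure, wrapped so that the previous named(8) binaries are saved first and can be put back in one step, which addresses Kyle's wish for a quick revert. This is an added example, not code from the thread or from OpenBSD; it assumes a 4.3 source tree under $SRC, an errata patch file whose name here is a placeholder, and the standard OpenBSD source-build sequence (make obj, depend, build, install).

```shell
#!/bin/sh
# Added example: back up, patch, rebuild and (if needed) revert BIND on an
# OpenBSD 4.3 box. Not part of the thread or of OpenBSD itself.
set -eu

SRC=${SRC:-/usr/src}                          # assumption: 4.3 source tree
PATCHFILE=${PATCHFILE:-/root/NNN_bind.patch}  # placeholder: real errata file
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/bind-rollback}
BIND_FILES=${BIND_FILES:-"/usr/sbin/named /usr/sbin/rndc"}

# backup_files DEST_ROOT FILE... : copy each existing FILE into a fresh
# timestamped directory under DEST_ROOT (mode and mtime kept); echo that dir.
backup_files() {
    dest="$1/$(date +%Y%m%d-%H%M%S)"; shift
    mkdir -p "$dest"
    for f in "$@"; do
        if [ -f "$f" ]; then cp -p "$f" "$dest/"; fi
    done
    echo "$dest"
}

# restore_files BACKUP_DIR FILE... : put every FILE back from BACKUP_DIR.
# Returns 1 when a requested file has no saved copy, so a partial revert
# is visible instead of silently skipped. Restart named(8) afterwards.
restore_files() {
    dir="$1"; shift
    for f in "$@"; do
        [ -f "$dir/$(basename "$f")" ] || { echo "no backup for $f" >&2; return 1; }
        cp -p "$dir/$(basename "$f")" "$f"
    done
}

# Apply the errata patch to the tree, then rebuild and install usr.sbin/bind.
rebuild_bind() {
    (cd "$SRC" && patch -p0 < "$PATCHFILE")
    (cd "$SRC/usr.sbin/bind" && make obj && make depend && make && make install)
}

case "${1:-}" in
    apply)
        saved=$(backup_files "$BACKUP_ROOT" $BIND_FILES)
        echo "previous binaries saved in $saved"
        rebuild_bind ;;
    revert)
        restore_files "${2:?backup dir printed by apply}" $BIND_FILES ;;
    *)
        echo "usage: $0 apply | revert BACKUP_DIR" >&2 ;;
esac
```

Run `apply` once, note the printed backup directory, and restart named(8); if the rebuilt server misbehaves, `revert <that dir>` restores the old binaries without touching the source tree.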