[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bind 8 bug experience



> Three bugs in bind 4 and 8 were announced this morning, November 12.
> At least one has the possibility of arbitrary code execution

[. . .]

> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider.

Speaking for myself, I never expected anything different. In my
experience, when security information is restricted, the people who
have it aren't particularly concerned about getting it to the people
who don't. More than a year and a half ago, when I saw ISC's message
indicating that security information about BIND would be withheld
from the public, I removed BIND from all my systems and installed
djbdns.

Particularly ironic in light of ISC's apparent delay in releasing
patches is this from the BIND Member Forum FAQ:

Q: So the bind-members Forum programme does not restrict or delay any 
   access to which the industry has become accustomed?
A: Right.

The documents referred to are archived at:

http://marc.theaimsgroup.com/?l=bind-announce&m=98097021832397
http://marc.theaimsgroup.com/?l=bind-announce&m=98126980802945

Regards,
Matt