Re: Bind 8 bug experience
On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
> But I see the patches were made October 30 (if the dates are reliable).
In fact I believe ISC have been sitting on this for almost a month.
The CVE IDs were assigned October 16, and I have reason to believe that
they learned of this no later than October 23.
Members of BIND Forum were notified last week, from what I'm told.
In my opinion, the main reason for ISC to use this method of distributing
the patches rather than going through established channels (such as
CERT) was to be able to convince software vendors and other bodies
using/distributing BIND to become a member of BIND forum. I don't
know if that worked out, but I have my doubts.
From my experience of the past two days, I believe they did not expect there
to be such a demand for the patches. I know that most Linux distributors,
as well as some BSD folks, tried to reach someone at ISC for 36 hours,
without success (we were notified of the issue on Tuesday, approx
14 hours ahead of the publication of ISC's and ISS's announcements).
Some of that may be blamed on technical issues (I found it curious that
PGP-signed messages never got through, while unsigned messages did),
but probably not all of it.
The whole thing was a mess. Timelines for the publication of _anything_,
from advisories to patches to updates, were either non-existent or
shifting all the time.
I don't have very fond memories of the OpenSSH update of a few months
ago, but it is worth noting that the SSH folks gave everyone a chance to
cover their bases first, and then went on to disclose details of the bug.
We all have our little complaints about CERT now and then, and I also
think that CERT could improve in this way or that. But incidents like this
one also serve to remind that independent (and financially independent)
bodies do make a very valuable contribution to the security community
as a whole. Things could be so much worse...
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann