Reasons why BIND isn't being upgraded
Valdis.Kletnieks at vt.edu
Mon Feb 5 03:40:29 UTC 2001
On Sat, 03 Feb 2001 18:34:36 EST, jlewis at lewis.org said:
> It seems we already have the beginnings of this system. The [currently
> known] holes in <8.2.3 were found and fixed. The root-servers all got
> upgraded. Then we got a message posted around midnight EST Friday night
> on nanog (not bugtraq) with a lot less detail than the average bugtraq post
> basically saying, "there's holes...you better upgrade". At that point,
> it's off to the races. You can bet people downloaded source for 8.2.3 and
> compared its code to previous versions looking for the holes. Did you
> upgrade before the first cracker found a hole and wrote an exploit?
Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday*
note (the one that made clear that the security holes affected 8.2.2-P7).
I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2
there's security patches" with "security patches" meaning "the stuff
we've fixed in -P7 but you've missed if you don't do the -P? releases".
I'm positive I'm not the only person who missed the "-P7 is vulnerable"
implication in the Friday night note - although I'm also sure that
Paul was being intentionally obscure there...
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech