North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Reasons why BIND isn't being upgraded
On Sat, 03 Feb 2001 18:34:36 EST, [email protected] said: > It seems we already have the beginnings of this system. The [currently > known] holes in <8.2.3 were found and fixed. The root-servers all got > upgraded. Then we got a message posted around midnight EST friday night > on nanog (not bugtraq) with alot less detail than the average bugtraq post > basically saying, "there's holes...you better upgrade". At that point, > it's off to the races. You can bet people downloaded source for 8.2.3 and > compared its code to previous versions looking for the holes. Did you > upgrade before the first cracker found a hole and wrote an exploit? Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday* note (the one that made clear that the security holes affected 8.2.2-P7). I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2 there's security patches" with "security patches" meaning "the stuff we've fixed in -P7 but you've missed if you don't do the -P? releases". I'm positive I'm not the only person who missed the "-P7 is vulnerable" implication in the Friday night note - although I'm also sure that Paul was being intentionally obscure there... Valdis Kletnieks Operating Systems Analyst Virginia Tech
|