North American Network Operators Group


Re: Reasons why BIND isn't being upgraded

  • From: Valdis.Kletnieks
  • Date: Sun Feb 04 22:43:38 2001

On Sat, 03 Feb 2001 18:34:36 EST, [email protected] said:
> It seems we already have the beginnings of this system.  The [currently
> known] holes in <8.2.3 were found and fixed.  The root-servers all got
> upgraded.  Then we got a message posted around midnight EST Friday night
> on nanog (not bugtraq) with a lot less detail than the average bugtraq post
> basically saying, "there's holes...you better upgrade".  At that point,
> it's off to the races.  You can bet people downloaded source for 8.2.3 and
> compared its code to previous versions looking for the holes.  Did you
> upgrade before the first cracker found a hole and wrote an exploit?

Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday*
note (the one that made clear that the security holes affected 8.2.2-P7).
I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2
there's security patches" with "security patches" meaning "the stuff
we've fixed in -P7 but you've missed if you don't do the -P?  releases".

I'm positive I'm not the only person who missed the "-P7 is vulnerable"
implication in the Friday night note - although I'm also sure that
Paul was being intentionally obscure there...

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech