[34116] in North American Network Operators' Group
Re: sorry to ruin several of your evenings...
daemon@ATHENA.MIT.EDU (Paul A Vixie)
Sun Jan 28 13:05:55 2001
Message-Id: <200101281802.KAA84194@redpaul.mfnx.net>
To: nanog@merit.edu
In-Reply-To: Message from Charles Sprickman <spork@inch.com>
of "Sun, 28 Jan 2001 02:24:20 EST." <Pine.BSF.4.30.0101280217430.24361-100000@shell.inch.com>
Date: Sun, 28 Jan 2001 10:02:46 -0800
From: Paul A Vixie <vixie@mfnx.net>
Errors-To: owner-nanog-outgoing@merit.edu
> Without being aware of what your disclosure policies are, I'll go ahead
> and ask... what are the flaws, and are they also in 8.2.2-p7?
if 8.2.2-P7 were safe, you can bet that the warning ("don't run anything
earlier") would have come with 8.2.2-P7.
> I don't see anything at:
>
> http://www.isc.org/products/BIND/bind-security.html
>
> that mentions p7. Sure, I could diff a bunch of stuff...
you can bet that dozens of kiddies all over the world are diffing stuff.
maybe you'll be faster than them, find the specific problem, develop a patch
that's different from "install 8.2.3", and deploy it before you're hit.
> Sorry to bring this to NANOG, but it's a bit more appropriate than gabbing
> about what a root server is. Also, note that Bugtraq is gone until
> Monday, so there'll be no talk of this there.
there are several major announcements planned for monday. ISC wanted to get
the new code on the street soon enough to give people a running head start at
upgrading. (the root name servers were all done last week, for example.)
