[34411] in North American Network Operators' Group

Re: Reasons why BIND isn't being upgraded

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Feb 4 22:42:31 2001

Message-Id: <200102050340.f153eTV15748@foo-bar-baz.cc.vt.edu>
To: nanog@merit.edu
In-reply-to: Your message of "Sat, 03 Feb 2001 18:34:36 EST."
             <Pine.LNX.4.30.0102031803020.6400-100000@redhat1.mmaero.com> 
From: Valdis.Kletnieks@vt.edu
Date: Sun, 04 Feb 2001 22:40:29 -0500
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, 03 Feb 2001 18:34:36 EST, jlewis@lewis.org said:
> It seems we already have the beginnings of this system.  The [currently
> known] holes in <8.2.3 were found and fixed.  The root-servers all got
> upgraded.  Then we got a message posted around midnight EST Friday night
> on nanog (not bugtraq) with a lot less detail than the average bugtraq post
> basically saying, "there's holes...you better upgrade".  At that point,
> it's off to the races.  You can bet people downloaded source for 8.2.3 and
> compared its code to previous versions looking for the holes.  Did you
> upgrade before the first cracker found a hole and wrote an exploit?

Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday*
note (the one that made clear that the security holes affected 8.2.2-P7).
I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2
there's security patches" with "security patches" meaning "the stuff
we've fixed in -P7 but you've missed if you don't do the -P?  releases".

I'm positive I'm not the only person who missed the "-P7 is vulnerable"
implication in the Friday night note - although I'm also sure that
Paul was being intentionally obscure there...

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

