[27896] in bugtraq
Re: Bind 8 bug experience
daemon@ATHENA.MIT.EDU (Matthew Dixon Cowles)
Sat Nov 16 10:30:02 2002
From: Matthew Dixon Cowles <matt@mondoinfo.com>
In-reply-to: <Pine.OSX.4.43.0211121801570.337-100000@localhost.fni.com>
Message-ID: <1037209569.01.864@sake.mondoinfo.com>
To: bugtraq@securityfocus.com
Date: Wed, 13 Nov 2002 14:36:12 -0600 (CST)
Mime-version: 1.0

> Three bugs in bind 4 and 8 were announced this morning, November 12.
> At least one has the possibility of arbitrary code execution

[. . .]

> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider.

Speaking for myself, I never expected anything different. In my
experience, when security information is restricted, the people who
have it aren't particularly concerned about getting it to the people
who don't. More than a year and a half ago, when I saw ISC's message
indicating that security information about BIND would be withheld
from the public, I removed BIND from all my systems and installed
djbdns.

Particularly ironic in light of ISC's apparent delay in releasing
patches is this from the BIND Member Forum FAQ:

Q: So the bind-members Forum programme does not restrict or delay any
access to which the industry has become accustomed?

A: Right.

The documents referred to are archived at:

http://marc.theaimsgroup.com/?l=bind-announce&m=98097021832397
http://marc.theaimsgroup.com/?l=bind-announce&m=98126980802945

Regards,
Matt