Bugtraq mailing list archives

Re: Bind 8 bug experience


From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Wed, 13 Nov 2002 12:04:31 -0800 (PST)

On Wed, 13 Nov 2002, Michael Brennen wrote:

> I have received nothing from the patch announce list.  I don't know
> when I can expect to receive anything -- tonight, next week, or next
> month?

I received the patches from rc.isc.org at 2002-11-12 22:29:41 PST.
(I do not have any commercial arrangement with them.)

> As of the moment of announcement, the right audience should be
> expanded to include all those placed at risk because they use the
> software.  Failure to make the patches available suddenly puts many
> systems at rapidly increasing risk.

I assume they are hoping that vendors can provide the updates quickly
before an exploit is public.

For example, Puget Sound Technology was able to use these patches to
provide new BIND binaries for their customers of the Binary Updates for
NetBSD service around midnight (PST).
http://www.pugetsoundtechnology.com/services/netbsd/updates/

> Per the ISS announcement, to the best of their knowledge no crackers
> knew of these bugs, nor were there exploits available.  From the
> moment of the announcement, that is no longer true.  If these were

Does that mean there is an exploit?

> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider.  This is
This has happened a few times already this year. (See discussions about
OpenSSH security release for example.)

But I see the patches were made October 30 (if the dates are reliable).

Thirteen days is a long delay.

   Jeremy C. Reed
   http://www.isp-faq.com/

