Re: Bind 8 bug experience

["Glen Bishop" <glen () glenbishop com>]

bind 4 and 8 patches are now available which appeared late last night

http://www.isc.org/products/BIND/patches/

-glen

> Three bugs in bind 4 and 8 were announced this morning, November 12. At
> least one has the possibility of arbitrary code execution, and
> the ISC web site lists it as 'Serious'.
>
> At 13:02 CST this afternoon per the ISC announcement, about an hour
> after receiving the bug announcement, I requested bind 8 patches
> from Lynda McGinley, Executive Director of ISC.  I received a
> response from her roughly 8 hours later this evening that I had been
> added to the patch announce list.  My thanks to Lynda for that, but she
> did not give direct information on where to get the patches, and I have
> received nothing from the patch announce list.  I don't know when I can
> expect to receive anything -- tonight, next week, or next month?
>
> Earlier today I asked Lynda a question: why were patches not made
> available at the time of the announcement?  Paraphrasing her
> response, since I have not asked her permission to forward verbatim what
> she wrote, she indicated that those in the bind forum that had
> subscribed to the early security notification had the patches
> readily available.  She indicated that ISC wanted to make sure that the
> right audience had the patches first.
>
> I clarified to her that my understanding is that the early
> notification subscription was for the purpose of vendors being
> notified before public announcement so they could get software
> packages updated and available prior to announcement.  Lynda
> affirmed this.
>
> My response to her was that the right audience should change in
> relation to announcement.
>
> Those that paid to be notified early had that expectation fulfilled.
> Before announcement, per current ISC practice, they are the right
> audience, and they got bind 4 and 8 patches.
>
> As of the moment of announcement, the right audience should be
> expanded to include all those placed at risk because they use the
> software.  Failure to make the patches available suddenly puts many
> systems at rapidly increasing risk.
>
> I have not yet heard a satisfactory answer why were patches not
> publicly available when this announcement was made.  More troubling, why
> has ISC not released the patches yet?  As of 23:44 CST, about 12 hours
> after the first announcement, nothing beyond 8.3.3 is
> available in the normal directories on ftp.isc.org, yet updates
> clearly exist.
>
> Per the ISS announcement, to the best of their knowledge no crackers
> knew of these bugs, nor were there exploits available.  From the
> moment of the announcement, that is no longer true.  If these were truly
> unknown bugs, there was time to do this right, to fix the bugs and get
> the updates available.  That time advantage is eroding very rapidly.
>
> I had held off upgrading to bind 9 because of its newness. Observing its
> release history, in my assessment it has not been any better
> than bind 8.  There have been too many beta, release candidate and
> security fixes to be considered stable.  Meanwhile, ISC's policies left
> me with no real choice.  I've dropped everything else this
> evening and have upgraded to bind 9.
>
> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider.  This is
> particularly true in the case of software of which its security and
> stability are the most crucial to the operation of the Internet.
>
> This raises troubling questions about the future management of bind.
> What will happen when the next bind 9 bug hits?
>
>    -- Michael