nanog mailing list archives

Re: Reasons why BIND isn't being upgraded


From: Valdis.Kletnieks () vt edu
Date: Sun, 04 Feb 2001 22:40:29 -0500


On Sat, 03 Feb 2001 18:34:36 EST, jlewis () lewis org said:
> It seems we already have the beginnings of this system.  The [currently
> known] holes in <8.2.3 were found and fixed.  The root-servers all got
> upgraded.  Then we got a message posted around midnight EST Friday night
> on nanog (not bugtraq) with a lot less detail than the average bugtraq post
> basically saying, "there's holes...you better upgrade".  At that point,
> it's off to the races.  You can bet people downloaded source for 8.2.3 and
> compared its code to previous versions looking for the holes.  Did you
> upgrade before the first cracker found a hole and wrote an exploit?

Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday*
note (the one that made clear that the security holes affected 8.2.2-P7).
I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2
there's security patches" with "security patches" meaning "the stuff
we've fixed in -P7 but you've missed if you don't do the -P?  releases".

I'm positive I'm not the only person who missed the "-P7 is vulnerable"
implication in the Friday night note - although I'm also sure that
Paul was being intentionally obscure there...

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

