oss-sec mailing list archives
Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination
From: Ondřej Surý <ondrej () isc org>
Date: Fri, 19 Feb 2021 11:27:27 +0100
Hi Hanno,

by the time Michael was writing the message, we were still reviewing the fix for the issue. The fix has been made public now:

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4714

FTR we are not treating this as a security issue as this is a newly introduced option and disabled by default. Same reason why not make a new release in a haste. There’s a whole QA machinery around the release which means that we would be able to speed up the release only by a week or so, and that doesn’t make much sense.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej () isc org

On 19. 2. 2021, at 9:17, Hanno Böck <hanno () hboeck de> wrote:

> On Thu, 18 Feb 2021 20:09:47 -0900
> ISC Security Officer <security-officer () isc org> wrote:
>
>> 2) If you already have packages based on 9.16.12, we expect to have a patch ready well before the next maintenance release. A candidate patch is under review now and can be delivered after review and quality assurance testing. If you wish to receive updates on the progress of this patch, please e-mail your request to security-officer () isc org
>
> I am confused by your actions here. You warn people about a messed up release (can happen, no problem), you say you have a preliminary patch, but you make it extra complicated to get that patch? Why not just post the patch?
>
> Also I read into your words that you don't plan to publish a quick followup release, which would be the right thing to do ("we expect to have a patch ready well before the next maintenance release" - I read that as you don't plan to make a new maintenance release as soon as the patch is ready, which would be the right thing to do).
>
> --
> Hanno Böck
> https://hboeck.de/
Current thread:
- BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination ISC Security Officer (Feb 19)
- Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination Hanno Böck (Feb 19)
- Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination Michael McNally (Feb 19)
- Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination Ondřej Surý (Feb 19)
- Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination Hanno Böck (Feb 19)