Re: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination

[Ondřej Surý <ondrej () isc org>]

Hi Hanno,

by the time Michael was writing the message, we were still reviewing
the fix for the issue.

The fix has been made public now:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4714

FTR we are not treating this as a security issue as this is a newly
introduced option and disabled by default. Same reason why not
make a new release in a haste. There’s a whole QA machinery
around the release which means that we would be able to speed
up the release only by a week or so, and that doesn’t make much
sense.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej () isc org

> On 19. 2. 2021, at 9:17, Hanno Böck <hanno () hboeck de> wrote:
>
> On Thu, 18 Feb 2021 20:09:47 -0900
> ISC Security Officer <security-officer () isc org> wrote:
>
> > 2)  If you already have packages based on 9.16.12, we expect to have
> > a patch ready well before the next maintenance release.  A candidate
> > patch is under review now and can be delivered after review and
> > quality assurance testing.  If you wish to receive updates on the
> > progress of this patch, please e-mail your request to
> > security-officer () isc org
>
> I am confused by your actions here.
>
> You warn people about a messed up release (can happen, no problem), you
> say you have a preliminary patch, but you make it extra complicated to
> get that patch? Why not just post the patch?
>
> Also I read into your words that you don't plan to publish a quick
> followup release, which would be the right thing to do ("we expect to
> have a patch ready well before the next maintenance release" - I read
> that as you don't plan to make a new maintenance release as soon as
> the patch is ready, which would be the right thing to do).
>
>
> --
> Hanno Böck
> https://hboeck.de/

Attachment: signature.asc
Description: Message signed with OpenPGP