Date:      Wed, 9 Jul 2008 12:26:29 -0400
From:      "Josh Mason" <wtf.matters@gmail.com>
To:        "Peter Thoenen" <peter.thoenen@yahoo.com>
Cc:        freebsd-security@freebsd.org, remko@elvandar.org, astorms@ncircle.com
Subject:   Re: BIND update?
Message-ID:  <17cd1fbe0807090926g21ef35e7l10e4a6e38ad3d10@mail.gmail.com>
In-Reply-To: <4874DD4B.5020608@yahoo.com>
References:  <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <4874DD4B.5020608@yahoo.com>

On 7/9/08, Peter Thoenen <peter.thoenen@yahoo.com> wrote:
>
> >
> > >  Right, let's not act swiftly. That would be too much to ask. Is there any
> > > reason why FreeBSD is one of the last vendors to release patches for the
> > > vulnerability?
> > >
> >
>
> Actually IIRC all the press releases from the *alliance* stated 30 days and as this is a fundamental flaw that has been known for the past 6 months and doesn't provide any sort of elevated privileges (or affect those smart enough to run DNSSEC like you should be IIRC) it's really not a CRITICAL patch .. it's more of a when you get around to it seriously. Let the Security Team do their job and quit pestering them on your now now now next day patch wants for a trivial issue.
>

Somehow this totally unimportant vulnerability caught the attention of
all major vendors to issue a synchronized release of the fix. Yet,
it's not worth our time to implement expeditiously... ? Sure.

I agree, I should definitely enable DNSSEC. If for nothing other than
the fact that it was vulnerable ~6 months ago - let me give myself yet
another thing to wait for a fix on. Hurm,.. turn off DNSSEC while you
wait for a patch,.. turn on DNSSEC while you wait for a patch.

And lastly - you're absolutely correct. My servers won't be
compromised directly by this bug so I shouldn't care when I implement
the fix. Thanks for your input.

    Josh

P.S. It almost seemed as though you were saying that because something
has been known for months but the fix was just released means that
there's little importance to implement it swiftly. I like your logic -
or did I misunderstand you somehow?


