Date: Sat, 4 May 2002 18:25:38 -0700
From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: stable@FreeBSD.ORG
Cc: Doug Barton <DougB@FreeBSD.org>
Subject: Re: BIND in -stable
Message-ID: <20020505012539021.AAA911@empty1.ekahuna.com@pc02.ekahuna.com>
In-Reply-To: <20020504162912.M88188-100000@master.gorean.org>
References: <20020504232627100.AAA911@empty1.ekahuna.com@pc02.ekahuna.com>

On 4 May 2002, at 16:34, Doug Barton boldly uttered:

> On Sat, 4 May 2002, Philip J. Koenig wrote:
>
> > > Date: Sat, 4 May 2002 14:16:07 -0700 (PDT)
> > > From: Doug Barton <DougB@FreeBSD.org>
> > >
> > > On Wed, 1 May 2002, Joe Abley wrote:
> > >
> > > > I think 8.3.1 should be rolled into RELENG_4_5, since it specifically
> > > > contains security fixes over 8.2.4.
> > >
> > > Users who depend on BIND can install a newer version from the
> > > ports. Users who don't are not affected by the problems in 8.2.4.
> >
> >
> > This interesting - because there was no FreeBSD advisory released
> > recently about any Bind vulnerabilities that I can recall, and even
> > though on ISC's Bind homepage it suggests there is a security problem
> > with 8.2.4 (or pre 8.3.1 versions), on the security page (linked
> > right from the text suggesting you to upgrade) it implies that there
> > isn't any problem with 8.2.4:
>
> You have made some rather absurd non sequiturs here. However, I
> have clearly said on numerous occasions that BIND 8 users should be using
> 8.3.1. A quick look at the CHANGES file should convince you of that. If
> you want to quibble about what the ISC web page does or doesn't say,
> that's up to you.

Caveat: I just went back over the last few days of -stable, and see
that some of these issues had already been mentioned. (i.e. the issue
of ISC's own security page possibly not being up to date)

However, with all due respect, I expect to hear about security-related
issues (especially pertaining to code shipped with the base
system) on the -security list and particularly via security
announcements, and looking at my archives and the FreeBSD homepage I
see that there haven't been any advisories this year pertaining to
BIND. (whereas I've gotten security advisories for obscure little
ports [Cyrus-SASL?] that few people probably run)

I don't CVSup constantly on most of my boxes, generally only when
there are major security issues that have no easy workaround or when
I need some new feature.. much less read CHANGES on every piece of
contributed code that comes with the base system.

Certainly I would never have expected to have to read
/usr/src/contrib/bind/CHANGES weekly to find out about BIND
vulnerabilities.. maybe it's just a personal quirk.

--
Philip J. Koenig                                  pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium