From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: stable@FreeBSD.ORG
Cc: Doug Barton
Reply-To: pjklist@ekahuna.com
Date: Sat, 4 May 2002 18:25:38 -0700
Subject: Re: BIND in -stable

On 4 May 2002, at 16:34, Doug Barton boldly uttered:

> On Sat, 4 May 2002, Philip J. Koenig wrote:
>
> > > Date: Sat, 4 May 2002 14:16:07 -0700 (PDT)
> > > From: Doug Barton
> > >
> > > On Wed, 1 May 2002, Joe Abley wrote:
> > >
> > > > I think 8.3.1 should be rolled into RELENG_4_5, since it specifically
> > > > contains security fixes over 8.2.4.
> > >
> > > Users who depend on BIND can install a newer version from the
> > > ports. Users who don't are not affected by the problems in 8.2.4.
> > >
>
> > This interesting - because there was no FreeBSD advisory released
> > recently about any Bind vulnerabilities that I can recall, and even
> > though on ISC's Bind homepage it suggests there is a security problem
> > with 8.2.4 (or pre 8.3.1 versions), on the security page (linked
> > right from the text suggesting you to upgrade) it implies that there
> > isn't any problem with 8.2.4:
>
> You have made some rather absurd non sequiturs here. However, I
> have clearly said on numerous occasions that BIND 8 users should be using
> 8.3.1. A quick look at the CHANGES file should convince you of that. If
> you want to quibble about what the ISC web page does or doesn't say,
> that's up to you.

Caveat: I just went back over the last few days of -stable, and see
that some of these issues had already been mentioned. (ie the issue
of ISC's own security page possibly not being up to date)

However, with all due respect, I expect to hear about security-related
issues (especially pertaining to code shipped with the base system) on
the -security list and particularly via security announcements, and
looking at my archives and the FreeBSD homepage I see that there
haven't been any advisories this year pertaining to BIND. (whereas
I've gotten security advisories for obscure little ports
[Cyrus-SASL?] that few people probably run)

I don't CVSup constantly on most of my boxes, generally only when
there are major security issues that have no easy workaround or when
I need some new feature.. much less read CHANGES on every piece of
contributed code that comes with the base system.

Certainly I would never have expected to have to read
/usr/src/contrib/bind/CHANGES weekly to find out about BIND
vulnerabilities.. maybe it's just a personal quirk.

--
Philip J. Koenig    pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium