Should BIND be upgraded on Solaris 8?

Jim Reid jim at rfc1035.com
Tue Aug 1 20:26:36 UTC 2000


>>>>> "Wil" == Wil Willis <wwillis at scmtd.com> writes:

    Wil> Folks, the CERT advisory and the advice of ISC is to upgrade
    Wil> to 8.2.2 P5.  I'm running 8.2.1 on Solaris 8.  Sun says that
    Wil> BIND on Solaris 8 is not affected by the six security issues
    Wil> identified by the CERT advisory.  So....is it prudent to
    Wil> upgrade to 8.2.2 P5 or wait for 9 a little later on

Well according to the ISC's information about BIND security holes -
see http://www.isc.org/products/BIND/bind-security-19991108.html -
8.2.1 is vulnerable to ALL of the bugs in last year's CERT advisory.
So either Sun are misinformed or else Solaris 8 doesn't ship with
8.2.1. Or you have scrambled some of the facts. The information you
said you got from Mr. Sun directly contradicts the information on the
ISC's web site. Which of these two is likely to be more authoritative
about BIND security holes, the vendor or the organisation that writes
and distributes the code?

As for prudence, I recommend you install 8.2.2P5 RIGHT NOW. This plugs
the known security holes. Code already exists to exploit some of those
holes and is in the hands of the script kiddies. If you want to remain
vulnerable to those attacks, just sit on your hands and wait for the
next (last?) BIND8 release or BIND9. OTOH, if you want to plug those
holes, upgrade to 8.2.2P5. That would be the prudent thing to do.


