Does bind8.2.3 enough?

Nate Campi nate at campin.net
Mon Mar 4 19:09:57 UTC 2002


On Mon, Mar 04, 2002 at 05:20:57PM +0000, Jim Reid wrote:
> >>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:
>     >>  The ISC web page makes it perfectly clear which known security
>     >> vulnerabilities exist in which old versions of BIND. Obviously
>     >> no-one can provide that information about unknown
>     >> vulnerabilities which may or may not exist. This does not mean
>     >> it's OK to run old code that has known security holes plugged.
> 
>     Barry> But supposedly none of the fixes between 8.2.3 and 8.2.5
>     Barry> were known security holes.
> 
> Correct. The web site and CHANGES file says so. But that *still*
> doesn't mean it's OK to run old code. I gave some of the reasons for
> that already. And how many times have we seen questions here about old
> bugs in old code that have been fixed in the BIND current release?
> It's a pity you seem to want to encourage even more of those sorts of
> questions.

Barry was simply stating that if you're already doing the work of three
people, putting off upgrading BIND from 8.2.3 to the latest won't get
you rooted. You can upgrade your vulnerable snmp agents or something.

I appreciate such a frank answer, as I'm sure others do as well.
-- 
Nate

Computer /nm./: a device designed to speed and automate errors.
   - From the Jargon File. 



More information about the bind-users mailing list