cve-2011-2464 affected the 9.4-ESV-R4-P1?
each at isc.org
Tue Jul 5 20:06:19 UTC 2011
> on the ISC website i don't see that the 9.4-ESV-R4-P1 is affected by the
> CVE-2011-2464 is it because it's not really affected? or it's affected
> but i don't see it on "versions affected" because the 9.4-ESV-R4-P1 has
> it's EOL date to jun2011.
To be very precise with my language: It is not *exposed*.
The issue has two layers. First, there's an underlying bug that's been
dormant in our code for a very long time, but there was no way to trigger
it... and, second, there's the trigger. Actually, there are two separate
triggers: one was introduced in 9.6 and another in 9.7. Neither of
them is in any version of 9.4.
So, we *will* be releasing 9.4-ESV-R5 soon, and it contains a fix for the
underlying bug. But we didn't release a patch today because there's no
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users