cve-2011-2464 affected the 9.4-ESV-R4-P1?
marka at isc.org
Wed Jul 6 00:15:46 UTC 2011
In message <20110705200619.GB99648 at isc.org>, Evan Hunt writes:
> > On the ISC website I don't see that the 9.4-ESV-R4-P1 is affected by the
> > CVE-2011-2464. Is it because it's not really affected? Or it's affected
> > but I don't see it on "versions affected" because the 9.4-ESV-R4-P1 has
> > its EOL date to Jun 2011.
> To be very precise with my language: It is not *exposed*.
> The issue has two layers. First, there's an underlying bug that's been
> dormant in our code for a very long time, but there was no way to trigger
> it... and, second, there's the trigger. Actually, there are two separate
> triggers: one was introduced in 9.6 and another in 9.7. Neither of
> them is in any version of 9.4.
> So, we *will* be releasing 9.4-ESV-R5 soon, and it contains a fix for the
> underlying bug. But we didn't release a patch today because there's no
Additionally we report if EoL code contains a security vulnerability
even if the only fix is to upgrade to a more recent version. It
is not in ISC's, nor the public's interest, to leave vulnerable code
out there running.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org