cve-2011-2464 affected the 9.4-ESV-R4-P1?

Mark Andrews marka at isc.org
Wed Jul 6 00:15:46 UTC 2011


In message <20110705200619.GB99648 at isc.org>, Evan Hunt writes:
> > On the ISC website I don't see that 9.4-ESV-R4-P1 is affected by
> > CVE-2011-2464. Is it because it's not really affected, or is it affected
> > but I don't see it under "versions affected" because 9.4-ESV-R4-P1 has
> > its EOL date in June 2011?
> 
> To be very precise with my language:  It is not *exposed*.
> 
> The issue has two layers.  First, there's an underlying bug that's been
> dormant in our code for a very long time, but there was no way to trigger
> it... and, second, there's the trigger.  Actually, there are two separate
> triggers: one was introduced in 9.6 and another in 9.7.  Neither of
> them is in any version of 9.4.
> 
> So, we *will* be releasing 9.4-ESV-R5 soon, and it contains a fix for the
> underlying bug.  But we didn't release a patch today because there's no
> trigger.

Additionally, we report if EoL code contains a security vulnerability
even if the only fix is to upgrade to a more recent version.  It
is in neither ISC's nor the public's interest to leave vulnerable code
out there running.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org