phoning home

Geert Jan de Groot GeertJan.deGroot at xs4all.nl
Mon Jun 13 22:41:38 UTC 2011


On Mon, 13 Jun 2011 22:20:48 +0000  Paul Vixie wrote:
> > BIND ostensibly knows its major, minor and even fix revision right?
> you're right, or you should be right, and you may yet be right.  it's
> not always possible given our currently somewhat hairy version numbering
> scheme to compute "greater than or lesser than" for two version numbers.
> also, it's not necessarily the case that a vulnerability in some version
> is also present in other versions whose numbers are "greater than" that
> version.

Some vulnerabilities only apply in certain configurations. 
If the configuration is different, the vulnerability may not exist, 
even though the version information suggests it does.

Given that it's not always trivial to upgrade ("wget; configure; make install"
may not be trivial e.g. in case of embedded applications with remote
cross-compilation environments), I'm not sure this feature will work well
in non-default configurations.

Oh, the security company I work for flags nameservers where 'version.bind'
works, with the recommendation to switch it off. I have explained many times
that the operational advantages are huge, but the company line is to
advise customers to disable this feature. Sometimes, the world doesn't
want to be saved, unfortunately.

Geert Jan
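The quoted point about BIND's version scheme (no reliable "greater than" across release lines) can be made concrete. The following is an added example, not code from the original post or from BIND; it parses BIND 9 style version strings (9.8.1b1, 9.7.3rc2, 9.8.0-P4) and shows why a per-branch "fixed in" lookup is needed instead of one global comparison. The fix table is constructed for illustration and does not describe any real advisory.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Matches BIND 9 style strings such as "9.8.0", "9.8.1b1", "9.7.3rc2", "9.8.0-P4".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:(?P<pre>a|b|rc)(?P<pre_num>\d+))?"   # alpha / beta / release candidate
    r"(?:-P(?P<post>\d+))?$"                   # -Pn security patch release
)
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # a < b < rc < final release

class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    pre_rank: int   # ordering of pre-release stage, 3 = final
    pre_num: int    # number after a/b/rc, 0 for a final release
    post: int       # -Pn level, 0 when absent

def parse_version(text: str) -> BindVersion:
    """Parse one BIND 9 version string into a tuple that orders correctly
    *within* a single release line (major.minor)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    return BindVersion(int(m["major"]), int(m["minor"]), int(m["patch"]),
                       _PRE_RANK[m["pre"]], int(m["pre_num"] or 0),
                       int(m["post"] or 0))

def is_at_least(candidate: str, fixed: str) -> bool:
    """Naive global comparison: the check the quoted text warns against."""
    return parse_version(candidate) >= parse_version(fixed)

# Constructed table: first fixed release per (major, minor) branch. Hypothetical values.
FIX_TABLE: Dict[Tuple[int, int], str] = {(9, 7): "9.7.3-P3", (9, 8): "9.8.0-P4"}

def possibly_affected(version: str, fixed_in: Dict[Tuple[int, int], str]) -> Optional[bool]:
    """Per-branch check. Returns None when the branch is not listed, so a caller
    cannot mistake 'unknown' for 'safe'. Configuration-dependent vulnerabilities
    (the other point made in the post) are outside what a version check can decide."""
    v = parse_version(version)
    fix = fixed_in.get((v.major, v.minor))
    if fix is None:
        return None
    return v < parse_version(fix)

if __name__ == "__main__":
    # 9.8.0 is numerically "greater than" the 9.7 fix, yet still below its own branch's fix.
    print(is_at_least("9.8.0", "9.7.3-P3"), possibly_affected("9.8.0", FIX_TABLE))
```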
