phoning home

Paul Vixie vixie at isc.org
Tue Jun 14 17:42:10 UTC 2011


> From: Rick Jones <rick.jones2 at hp.com>
> Date: Tue, 14 Jun 2011 10:22:07 -0700
> 
> > the workaround problem is not as interesting to me; if someone knows they
> > are vulnerable then they should upgrade as soon as possible and should "red
> > flag" that installation until the upgrade is complete.  workarounds don't
> > necessarily "stick", another operator may come later and revert the config.
> 
> Difficult question I suppose, but how long is the piece of string from
> discovery to workaround and then to fix?  In particular how long is it
> usually from workaround to fix?  If it is typically more than, oh, I'll
> just pull 36 hours from the ether, one would seem to run the very real
> risk of:
> 
> "Oh, *that* log message.  It is always going-off.  Just disable it."

i agree that would be a problem.

> Or would you only raise the red flag when the fix was available?

ISC is often in the enviable position of being able to release a fix at
the same time as the vulnerability is announced.  workarounds, in that
context, are meant to tide people over until they can do their upgrades
(which often involves significant lab testing time if they're a large
operator.)



