From: Glen Bishop (glen_at_glenbishop.com)
Date: Thu Nov 14 2002 - 08:30:58 CST
bind 4 and 8 patches, which appeared late last night, are now available
> Three bugs in bind 4 and 8 were announced this morning, November 12. At
> least one has the possibility of arbitrary code execution, and
> the ISC web site lists it as 'Serious'.
> At 13:02 CST this afternoon per the ISC announcement, about an hour
> after receiving the bug announcement, I requested bind 8 patches
> from Lynda McGinley, Executive Director of ISC. I received a
> response from her roughly 8 hours later this evening that I had been
> added to the patch announce list. My thanks to Lynda for that, but she
> did not give direct information on where to get the patches, and I have
> received nothing from the patch announce list. I don't know when I can
> expect to receive anything -- tonight, next week, or next month?
> Earlier today I asked Lynda a question: why were patches not made
> available at the time of the announcement? Paraphrasing her
> response, since I have not asked her permission to forward verbatim what
> she wrote, she indicated that those in the bind forum that had
> subscribed to the early security notification had the patches
> readily available. She indicated that ISC wanted to make sure that the
> right audience had the patches first.
> I clarified to her that my understanding is that the early
> notification subscription was for the purpose of vendors being
> notified before public announcement so they could get software
> packages updated and available prior to announcement. Lynda
> affirmed this.
> My response to her was that the right audience should change in
> relation to announcement.
> Those that paid to be notified early had that expectation fulfilled.
> Before announcement, per current ISC practice, they are the right
> audience, and they got bind 4 and 8 patches.
> As of the moment of announcement, the right audience should be
> expanded to include all those placed at risk because they use the
> software. Failure to make the patches available suddenly puts many
> systems at rapidly increasing risk.
> I have not yet heard a satisfactory answer why patches were not
> publicly available when this announcement was made. More troubling, why
> has ISC not released the patches yet? As of 23:44 CST, about 12 hours
> after the first announcement, nothing beyond 8.3.3 is
> available in the normal directories on ftp.isc.org, yet updates
> clearly exist.
> Per the ISS announcement, to the best of their knowledge no crackers
> knew of these bugs, nor were there exploits available. From the
> moment of the announcement, that is no longer true. If these were truly
> unknown bugs, there was time to do this right, to fix the bugs and get
> the updates available. That time advantage is eroding very rapidly.
> I had held off upgrading to bind 9 because of its newness. Observing its
> release history, in my assessment it has not been any better
> than bind 8. There have been too many beta, release candidate and
> security fixes to be considered stable. Meanwhile, ISC's policies left
> me with no real choice. I've dropped everything else this
> evening and have upgraded to bind 9.
> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider. This is
> particularly true in the case of software whose security and
> stability are the most crucial to the operation of the Internet.
> This raises troubling questions about the future management of bind.
> What will happen when the next bind 9 bug hits?
> -- Michael