[nycbug-talk] BIND vulnerability

Miles Nordin carton at Ivy.NET
Thu Jul 10 11:47:20 EDT 2008


>>>>> "jc" == Jesse Callaway <bonsaime at gmail.com> writes:

    jc> I wonder if that "notification date" for FreeBSD is to be
    jc> believed?

This isn't a real vulnerability.  It has a posting-date, not a
discovery date, because it's merely awareness-raising.  Frankly it's
mostly publicity for the posters.  The format is deceptive, but the
inarguable point is that new attacks based on this vector do not
become dramatically more likely after the posting as they do with a
normal vulnerability announcement.  

Follow the links in the vulnerability.  The most interesting one is
the multiple-outstanding-requests link which is 2002, and is fixed in
BIND since 9.2.1, but still mentioned in their advisory with all this
hazy FUD about who's affected.  Don't let these screaming monkeys make
you hysterical.

``thinking that software can protect you from forged DNS packets with
the current DNS protocol is like thinking that shorts and a T-shirt
will protect you from the winter wind in Chicago.''  -- Daniel
J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

great.  glad to hear it, Bernstein.  Then I'll keep using bind.
