On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
> But I see the patches were made October 30 (if the dates are reliable).

In fact I believe ISC have been sitting on this for almost a month. The CVE IDs were assigned October 16, and I have reason to believe that they learned of this no later than October 23. Members of BIND Forum were notified last week, from what I'm told.

In my opinion, the main reason for ISC to use this method of distributing the patches rather than going through established channels (such as CERT) was to be able to convince software vendors and other bodies using/distributing BIND to become a member of BIND Forum. I don't know if that worked out, but I have my doubts.

From my experience of the past two days, I believe they did not expect there to be such a demand for the patches. I know that most Linux distributors, as well as some BSD folks, tried to reach someone at ISC for 36 hours, without success (we were notified of the issue on Tuesday, approx. 14 hours ahead of the publication of ISC's and ISS's announcements). Some of that may be blamed on technical issues (I found it curious that PGP-signed messages never got through, while unsigned messages did), but probably not all of it.

The whole thing was a mess. Timelines for the publication of _anything_, from advisories to patches to updates, were either non-existent or shifting all the time.

I don't have very fond memories of the OpenSSH update of a few months ago, but it is worth noting that the SSH folks gave everyone a chance to cover their bases first, and then went on to disclose details of the bug.

We all have our little complaints about CERT now and then, and I also think that CERT could improve in this way or that. But incidents like this one also serve to remind us that independent (and financially independent) bodies do make a very valuable contribution to the security community as a whole. Things could be so much worse...
Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann