bind 4 and 8 patches, which appeared late last night, are now available:

http://www.isc.org/products/BIND/patches/

-glen

> Three bugs in bind 4 and 8 were announced this morning, November 12. At
> least one has the possibility of arbitrary code execution, and the ISC
> web site lists it as 'Serious'.
>
> At 13:02 CST this afternoon, per the ISC announcement, about an hour
> after receiving the bug announcement, I requested bind 8 patches from
> Lynda McGinley, Executive Director of ISC. I received a response from
> her roughly 8 hours later this evening that I had been added to the
> patch announce list. My thanks to Lynda for that, but she did not give
> direct information on where to get the patches, and I have received
> nothing from the patch announce list. I don't know when I can expect to
> receive anything -- tonight, next week, or next month?
>
> Earlier today I asked Lynda a question: why were patches not made
> available at the time of the announcement? Paraphrasing her response,
> since I have not asked her permission to forward verbatim what she
> wrote, she indicated that those in the bind forum that had subscribed
> to the early security notification had the patches readily available.
> She indicated that ISC wanted to make sure that the right audience had
> the patches first.
>
> I clarified to her that my understanding is that the early notification
> subscription was for the purpose of vendors being notified before
> public announcement so they could get software packages updated and
> available prior to announcement. Lynda affirmed this.
>
> My response to her was that the right audience should change in
> relation to announcement.
>
> Those that paid to be notified early had that expectation fulfilled.
> Before announcement, per current ISC practice, they are the right
> audience, and they got bind 4 and 8 patches.
>
> As of the moment of announcement, the right audience should be expanded
> to include all those placed at risk because they use the software.
> Failure to make the patches available suddenly puts many systems at
> rapidly increasing risk.
>
> I have not yet heard a satisfactory answer as to why patches were not
> publicly available when this announcement was made. More troubling, why
> has ISC not released the patches yet? As of 23:44 CST, about 12 hours
> after the first announcement, nothing beyond 8.3.3 is available in the
> normal directories on ftp.isc.org, yet updates clearly exist.
>
> Per the ISS announcement, to the best of their knowledge no crackers
> knew of these bugs, nor were there exploits available. From the moment
> of the announcement, that is no longer true. If these were truly
> unknown bugs, there was time to do this right, to fix the bugs and get
> the updates available. That time advantage is eroding very rapidly.
>
> I had held off upgrading to bind 9 because of its newness. Observing
> its release history, in my assessment it has not been any better than
> bind 8. There have been too many beta, release candidate and security
> fixes to be considered stable. Meanwhile, ISC's policies left me with
> no real choice. I've dropped everything else this evening and have
> upgraded to bind 9.
>
> I don't know of a similar incident when the known patches to such a
> serious problem were withheld by a software provider. This is
> particularly true in the case of software whose security and stability
> are the most crucial to the operation of the Internet.
>
> This raises troubling questions about the future management of bind.
> What will happen when the next bind 9 bug hits?
>
> -- Michael