> Three bugs in bind 4 and 8 were announced this morning, November 12. > At least one has the possibility of arbitrary code execution [. . .] > I don't know of a similar incident when the known patches to such a > serious problem were withheld by a software provider. Speaking for myself, I never expected anything different. In my experience, when security information is restricted, the people who have it aren't particularly concerned about getting it to the people who don't. More than a year and a half ago, when I saw ISC's message indicating that security information about BIND would be withheld from the public, I removed BIND from all my systems and installed djbdns. Particularly ironic in light of ISC's apparent delay in releasing patches is this from the BIND Member Forum FAQ: Q: So the bind-members Forum programme does not restrict or delay any access to which the industry has become accustomed? A: Right. The documents referred to are archived at: http://marc.theaimsgroup.com/?l=bind-announce&m=98097021832397 http://marc.theaimsgroup.com/?l=bind-announce&m=98126980802945 Regards, Matt
