Re: http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued




On Wed, Feb 23, 2011 at 07:28:15PM +0000, Trutwin, Joshua wrote:

[ > Larry Vaden wrote: (please don't snip attributions)]

> > Please take off the blinders and realize there are lots of folks (some x% of a
> > million or more) on this list who compile from current source in order to
> > minimize their risks and are therefore the subject audience.

If they have compiled from source then it is by definition not a CentOS
issue.

> > On the one hand, you have Paul Vixie and crew (authors of BIND) and
> > US_CERT saying "US-CERT encourages users and administrators using the
> > affected versions of BIND to upgrade to BIND 9.7.3."

Anyone running a CentOS-provided version of BIND is not using an
affected version.

> > On the other hand, you
> > have "don't bother me with reality, I'm comfortable, am not affected and
> > don't want to read messages to those who are affected."

Those messages are off-topic on this mailing list, so I sympathize with
people who have the attitude you describe.  Someone who had more
credibility with the list might be able to post off-topic messages (which
they would have marked [OT]) without causing a flamewar.

> I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported?  So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?

If you're running BIND 9.5.1, you are not susceptible to the bug that
Larry posted at all.  In general, security bugs that are applicable to
RHEL packages are patched upstream then rebuilt and released by CentOS.

> And yeah I suppose rolling your own is always an option but in my experience it's too easy to get behind.  This seems more like a Slackware approach though, nothing against Slack of course!

Rolling one's own is an option for any distribution, including CentOS.
But rolling one's own by definition removes those packages from the
support stream for that distro, so this should be taken into consideration
when deciding whether to roll one's own or not.

--keith


-- 
kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
