Re: current bind version




On 02/24/2011 07:12 AM, Nico Kadel-Garcia wrote:
> On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce <pierce@xxxxxxxxxxxx> wrote:
>> On 02/23/11 6:08 PM, Machin, Greg wrote:
>>>
>>> Hi.
>>>
>>> I have had an enquiry from the Network and Security guy. He wants to
>>> know why CentOS 5.5 /RHEL 5 is using a very old version of bind
>>> “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many
>>> security fixes is on 9.7.3. I understand that it's to maintain a known
>>> stable platform by not introducing new elements etc. Is there an
>>> official explanation / document that I can direct him to?
>>>
>>>
>>
>> to put it bluntly, your security guy is pretty much worthless as such if
>> he thinks security is audited by checking version numbers.
>>
>> sadly, this is too common.
> 
> No, it's actually useful. Backporting is painful, expensive, and often
> unreliable, and leaves various unpublished zero-day exploits in
> the wild. It also indicates feature incompatibility with other tools
> that rely on the new features.
>

The above may or may not be true (I think red hat does a very good job
of addressing security and stability with backporting) ... BUT ... if
you do not like backports, then RHEL (and since we rebuild those
sources, CentOS) is not the distribution that you want to be using.
Backporting is what red hat does to fix most security issues.  If you
have a philosophical problem with backporting (many people do, that is
their prerogative) then some other enterprise Linux version would be a
much better choice.

I am not saying this to be a smart a$$ or be negative ... just saying
that other enterprise distributions exist that provide long term
stability without backports ... Ubuntu LTS is a free example.  They
also provide integration of all their system libraries and audit their
software for security compliance.

> I went through this last week with OpenSSH version 5.x (not currently
> available for RHEL or CentOS 5 except by third party provided
> software), and bash. Turns out that OpenSSH 5.x doesn't read your
> .bashrc for non-login sessions, OpenSSH 4.x did. RHEL 6 addressed this
> for normal use by updating bash so it gets handled more like people
> expect it to behave, but I had users very upset that the new OpenSSH
> with the new features did not handle their reset PATH settings from
> their .bashrc.

I would think that using an enterprise distribution of Linux where
several hundreds of developers are testing the integration would serve
you better than building your own openssh, your own bind, your own
"everything else" and trying to bolt it onto the backport model that red
hat uses to keep your stuff secure.
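The practical check behind this whole thread is that on a backporting distribution the upstream version string says nothing about which fixes a package carries; the package changelog does. The helper below is an added example, not code from the list thread or from CentOS/Red Hat: it extracts the CVE ids a changelog mentions and tests for a specific one. On a real host you would feed it `rpm -q --changelog bind-chroot`; the sample changelog here is constructed, and its CVE ids are placeholders rather than real advisories.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): decide whether a
# security fix has been backported by reading the RPM changelog instead
# of comparing upstream version numbers.
# Real usage on a RHEL/CentOS host:
#   rpm -q --changelog bind-chroot | cve_ids_in_changelog
#   rpm -q --changelog bind-chroot | changelog_mentions CVE-XXXX-YYYY
# The changelog below is constructed and its CVE ids are placeholders.

# Print the unique CVE ids mentioned in a changelog read from stdin.
cve_ids_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog on stdin mentions the given CVE id, else 1.
changelog_mentions() {
    cve_ids_in_changelog | grep -qx "$1"
}

# Constructed sample in the style of 'rpm -q --changelog' output; the
# version string is the one quoted in the thread, the ids are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 03 2011 Example Maintainer <maint@example.invalid> - 9.3.6-4.P1.el5_5.3
- fix CVE-0000-0001 (placeholder id)
- fix CVE-0000-0002 (placeholder id); CVE-0000-0001 also touched a second file
* Mon Dec 06 2010 Example Maintainer <maint@example.invalid> - 9.3.6-4.P1.el5_5.2
- rebuild for a packaging change, no security content'

# Demo run: list the fixes the sample package version claims to carry.
demo() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_ids_in_changelog
}
```

The point of `changelog_mentions` is that it answers the security reviewer's real question ("is fix X in the package I run?") with a yes or no, rather than comparing 9.3.6 against 9.7.3; the ids and dates in the sample are made up for the demonstration.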


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
