Re: [OT] Linux Worm (fwd)

Edward S. Marshall (esm@logic.net)
Sat, 24 Mar 2001 11:50:03 -0600


On Sat, Mar 24, 2001 at 11:11:50AM -0600, Jesse Pollard wrote:
> Bind itself has been proven over many years. This is the first major
> problem found.

This is so blatantly incorrect as to be laughable. BIND 4 and 8 had a
long and glorious history of serious security flaws; a quick search of
the www.securityfocus.com vulnerability archives for "BIND" returns a
ton of results, ranging from root compromises to denial of service
attacks to cache poisoning problems.

> If you want a fix, get bind v9. Besides handling IP version
> 4, it also handles version 6.

I'll believe in BIND 9's safety after it's been widely deployed; with few
OS vendors actually bundling BIND 9 at this point, it's received very
little real-world attention.

> It really isn't, but the new bind may be. There is even an update
> to bind 8 that contains a fix for the problem.

Until the next design flaw produces yet-another-vulnerability?

While other packages might not be free software, I don't have the luxury
of following principles in lieu of security.

Last post from me on the subject, because this has next to nothing to do
with the Linux kernel.

-- 
Edward S. Marshall <esm@logic.net>                http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[                  Felix qui potuit rerum cognoscere causas.                  ]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/