Does bind8.2.3 enough?
Barry Margolin
barmar at genuity.net
Mon Mar 4 16:27:28 UTC 2002
In article <a5t5eo$lkc at pub3.rc.vix.com>, Jim Reid <jim at rfc1035.com> wrote:
>>>>>> "David" == David Xiao <xiao at info.sta.net.cn> writes:
>
> David> Oh,the meaning of security here I mentioned is the version
> David> of BIND with vulnerability. Does bind8.2.3 have fixed all
> David> the vulnerabilities found to the present?
>
>The ISC web page makes it perfectly clear which known security
>vulnerabilities exist in which old versions of BIND. Obviously no-one
>can provide that information about unknown vulnerabilities which may
>or may not exist. This does not mean it's OK to run old code that has
>known security holes plugged.
But supposedly none of the fixes between 8.2.3 and 8.2.5 were known
security holes.
> A number of bugs have been fixed since
>8.2.3: read the CHANGES file in the BIND release. It would be foolish
>to run older, more buggy code. Why do you seem to prefer to run old
>code that has known bugs even when they are fixed in a later version?
Sometimes upgrading is inconvenient, so it's only done to resolve critical
problems. If the fixes between 8.2.3 and 8.2.5 are not security-related,
and only related to features that don't concern you, it's not high
priority.
--
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
More information about the bind-users
mailing list