[CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

Wed Feb 23 20:17:17 UTC 2011
Keith Keller <kkeller at wombat.san-francisco.ca.us>

On Wed, Feb 23, 2011 at 07:28:15PM +0000, Trutwin, Joshua wrote:

[ > Larry Vaden wrote: (please don't snip attributions)]

> > Please take off the blinders and realize there are lots of folks (some x% of a
> > million or more) on this list who compile from current source in order to
> > minimize their risks and are therefore the subject audience.

If they have compiled from source then it is by definition not a CentOS

> > On the one hand, you have Paul Vixie and crew (authors of BIND) and
> > US_CERT saying "US-CERT encourages users and administrators using the
> > affected versions of BIND to upgrade to BIND 9.7.3."

Anyone running a CentOS-provided version of BIND is not using an
affected version.

> > On the other hand, you
> > have "don't bother me with reality, I'm comfortable, am not affected and
> > don't want to read messages to those who are affected."

Those messages are offtopic on this mailing list, so I sympathize with
people who have the attitude you describe.  Someone who had more
credibility with the list might be able to post offtopic messages (which
they would have marked [OT]) without causing a flamewar.

> I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported?  So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?

If you're running BIND 9.5.1, you are not susceptible to the bug that
Larry posted at all.  In general, security bugs that are applicable to
RHEL packages are patched upstream then rebuilt and released by CentOS.

> And yeah I suppose rolling your own is always an option but in my experience it's too easy to get behind.  This seems more like a Slackware approach tho, nothing against Slack of course!

Rolling one's own is an option for any distribution, including CentOS.
But rolling one's own by definition removes those packages from the
support stream for that distro, so should be taken into consideration
when deciding whether to roll one's own or not.


kkeller at wombat.san-francisco.ca.us
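The exchange above turns on a practical question: how does an administrator confirm that a backported fix is present in a distribution-built package whose upstream version string still looks "old"? The usual answer on RHEL/CentOS is to read the package changelog rather than compare version numbers against the upstream advisory. The following is an added example, not code from the list thread or from the CentOS project. The `rpm -q --changelog` and `rpm -q --qf` invocations are real rpm options; the changelog text and the CVE identifier in it are constructed placeholders so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the mailing list): verify a backported fix in an RPM
# by inspecting its changelog rather than trusting the upstream version number.
# On a real CentOS host the changelog comes from `rpm -q --changelog bind`;
# SAMPLE_CHANGELOG below is constructed so the logic can run without rpm.

# Real command: full changelog of an installed package (needs rpm).
pkg_changelog() {
    rpm -q --changelog "$1"
}

# Real command: installed version-release, same form as the changelog headers.
pkg_evr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
}

# Read a changelog on stdin; print the version-release of the newest entry
# whose body mentions IDENT (for example a CVE id). Exit 1 if none does.
# Because an RPM changelog is cumulative, a mention in the installed
# package's own changelog means the installed build carries that fix.
fix_first_shipped_in() {
    ident=$1
    awk -v id="$ident" '
        /^\* / { ver = $NF; sub(/^[0-9]+:/, "", ver); next }  # header: last field is [epoch:]version-release
        index(tolower($0), tolower(id)) { print ver; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample changelog; CVE-0000-00000 is a placeholder, not a real advisory.
SAMPLE_CHANGELOG='* Tue Feb 22 2011 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.el5_4.3
- backport fix for CVE-0000-00000 (placeholder id): named could crash on a crafted query
* Mon Jan 10 2011 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.el5_4.2
- rebuild'

# Run the check against the constructed sample.
sample_fix_release() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | fix_first_shipped_in "$1"
}

# Real usage on a CentOS host (replace the placeholder id with the advisory's CVE):
# if pkg_changelog bind | fix_first_shipped_in CVE-0000-00000 >/dev/null; then
#     echo "installed bind $(pkg_evr bind) includes the backported fix"
# else
#     echo "no changelog entry for that id; check the errata before assuming exposure"
# fi
```

The point of matching on the advisory identifier rather than on the version is exactly the one made in the reply: a CentOS `bind` whose version reads 9.3.x or 9.5.x may already contain the fix that upstream shipped in 9.7.3, and only the package changelog (or the corresponding erratum) tells you so.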
