On Tue, 19 May 1998 10:55:12 +0200, "Cedric MARSOT" wrote: 
>I said exactly the same thing when the fix was posted by RedHat. I told
>them that bind 4.9.6-7 was still vulnerable and they replied to me that the
>security hole has been corrected ...
>
>So I am not the only one that found the problem ....

I maintain that 4.9.6-7 and 4.9.6-1.1 (for 4.2) are not vulnerable. I am
working with the person who posted the original report to confirm this.

Let me emphasise:

        The BIND security problem was reported by Paul Vixie (who maintains
it) before any announcements were made. This was to ensure that all vendors
had the patched releases ready to go. The versions listed above are the
direct result of Paul's patches.

        There is currently a script floating around that some people are
confusing for an exploit. This script (boft) simply checks if the server has
the fake-iquery option turned on or off. This script cannot report as to
whether or not the binary is vulnerable to an attack through this hole.

At this time there has been no exploit posted for bind to the security mailing
lists.
--
                Bryan C. Andregg * <[EMAIL PROTECTED]> * Red Hat Software

"Hey, wait a minute, you clowns are on dope!"
        -- Owen Cheese in 'Shakes the Clown'


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
