Re: How to determine what version of bind you are running?

Rob:

I could not agree more about IBM's needed revisions to its security
patching process and the need to be more open on what CVE's
are patched by what PTF. (including both base IBMi products as well as the
PASE ported apps).

I love when you see in the PTF cover letter "Integrity Issue", makes me
really comfortable (Not!)

We rely on IBM iSeries based bind heavily and security by obscurity is not
acceptable.

We spend an inordinate amount of time trying to patching security scans
(windows, ibmi, linux, etc) and the IBMi
is always an issue tracking down information/ptf's etc.

Jim

Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com





From: rob@xxxxxxxxx
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/19/2015 10:17 AM
Subject: Re: How to determine what version of bind you are running?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Yes I saw that. The problem I have with the concept of porting over some
old version of bind, and patching that is multifold.
One, IBM doesn't publish publicly what CVE's are addressed by what PTF's.
I had someone from IBM email me a list. My confidence in that list was
shaky at best being as one of them had (future fix) trailing it.
Two, the external audit functions still see the old bind version and have
no way of knowing that the CVE's have been patched. Therefore we still
have several critical errors on our audit.


Rob Berendt