|
I opened up a PMR, once again, on this bind issue.
Their MO is to pick some level of bind, 9.7.4-P1, in our case, and stay
there. Instead of porting over current levels of bind that have addressed
these CVE's, they then patch what they've ported over to then address
these CVE's. There are a couple of problems with that:
- External scans still say "hey you are on an obsolete version of bind -
CRITICAL ISSUE!!!" and make your security audit look less than optimum.
- They do not publish the CVE's addressed in PTF cover letters or in APARs
that I can see at: http://www.ibm.com/n_dir/nas4apar.nsf/nas4aparhome
IBM did send me an email saying "this list of CVE's have been addressed by
PTF SI51699". I still would like a site that tells me that, especially
since seeing the following:
CVE-2013-6320 A Winsock API Bug can cause a side-effect affecting
BIND ACLs <----- Planned for future PTF fix.
doesn't really scream at me that this list 'really' covers what CVE's have
been fixed by this PTF. And, just to mention, that this is a 2013 CVE
that's yet to be addressed.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: rob@xxxxxxxxx
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/17/2015 12:35 PM
Subject: RE: How to determine what version of bind you are running?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
It's important to note that our DNS is for external internet use. So when
you are running really old versions of bind that have CVE numbers
beginning with the year of the CVE, and that year is three years old, it
shows you that IBM is really slow on fixing known internet hacks.
IBM's argument in the past is that many of these CVE's only apply to Java
based versions of BIND, which, apparently is much more susceptible to
certain overflows than their C++ based version.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.