Bind 8 bug experience

From: Michael Brennen (mbrennenat_private)
Date: Tue Nov 12 2002 - 22:23:09 PST

    Three bugs in bind 4 and 8 were announced this morning, November 12.
    At least one has the possibility of arbitrary code execution, and
    the ISC web site lists it as 'Serious'.
    
    At 13:02 CST this afternoon per the ISC announcement, about an hour
    after receiving the bug announcement, I requested bind 8 patches
    from Lynda McGinley, Executive Director of ISC.  I received a
    response from her roughly 8 hours later this evening that I had been
    added to the patch announce list.  My thanks to Lynda for that, but
    she did not give direct information on where to get the patches, and
    I have received nothing from the patch announce list.  I don't know
    when I can expect to receive anything -- tonight, next week, or next
    month?
    
    Earlier today I asked Lynda a question: why were patches not made
    available at the time of the announcement?  Paraphrasing her
    response, since I have not asked her permission to forward verbatim
    what she wrote, she indicated that those in the bind forum that had
    subscribed to the early security notification had the patches
    readily available.  She indicated that ISC wanted to make sure that
    the right audience had the patches first.
    
    I clarified to her that my understanding is that the early
    notification subscription was for the purpose of vendors being
    notified before public announcement so they could get software
    packages updated and available prior to announcement.  Lynda
    affirmed this.
    
    My response to her was that the right audience should change in
    relation to announcement.
    
    Those that paid to be notified early had that expectation fulfilled.
    Before announcement, per current ISC practice, they are the right
    audience, and they got bind 4 and 8 patches.
    
    As of the moment of announcement, the right audience should be
    expanded to include all those placed at risk because they use the
    software.  Failure to make the patches available suddenly puts many
    systems at rapidly increasing risk.
    
    I have not yet heard a satisfactory answer to why patches were not
    publicly available when this announcement was made.  More troubling,
    why has ISC not released the patches yet?  As of 23:44 CST, about 12
    hours after the first announcement, nothing beyond 8.3.3 is
    available in the normal directories on ftp.isc.org, yet updates
    clearly exist.
    
    Per the ISS announcement, to the best of their knowledge no crackers
    knew of these bugs, nor were there exploits available.  From the
    moment of the announcement, that is no longer true.  If these were
    truly unknown bugs, there was time to do this right, to fix the bugs
    and get the updates available.  That time advantage is eroding very
    rapidly.
    
    I had held off upgrading to bind 9 because of its newness. Observing
    its release history, in my assessment it has not been any better
    than bind 8.  There have been too many beta, release candidate and
    security fixes to be considered stable.  Meanwhile, ISC's policies
    left me with no real choice.  I've dropped everything else this
    evening and have upgraded to bind 9.
    
    I don't know of a similar incident when the known patches to such a
    serious problem were withheld by a software provider.  This is
    particularly true in the case of software whose security and
    stability are the most crucial to the operation of the Internet.
    
    This raises troubling questions about the future management of bind.
    What will happen when the next bind 9 bug hits?
    
       -- Michael
    