[openbeosnetteam] Re: New stack
- From: Luke Fowler <luke.fowler@xxxxxxxxxxx>
- To: openbeosnetteam@xxxxxxxxxxxxx
- Date: Wed, 23 Jul 2003 16:49:04 -0700
on Wed, 23 Jul 2003 15:23:35 -0300 (BRT)
"Bruno G. Albuquerque" <bga@xxxxxxxxxxxxx> wrote:
On Wed, 23 Jul 2003, Leon Timmermans wrote:
> Why obviously?
Because 90% of the world use it and it is a proven framework? :)
> I know BIND (including its client library) has a bad reputation, specially
> considering security.
Heh. The last significant flaw I heard concerning BIND was like 1 and a
half years ago.
-Bruno
Bruno,
The last BIND vulnerability I know of was much more recent than that. Try
this last November.
Here's a quote from the CERT post:
Multiple vulnerabilities have been found in BIND (Berkeley Internet Name
Domain). One of these vulnerabilities (VU#852283) may allow remote
attackers to execute arbitrary code with the privileges of the user
running named, typically root. Other vulnerabilities (VU#229595,
VU#581682) may allow remote attackers to disrupt the normal operation of
your name server, possibly causing a crash. A vulnerability in the DNS
resolver library (VU#844360) may allow remote attackers to execute
arbitrary code with the privileges of applications that issue network
name or address requests.
Link: http://www.cert.org/advisories/CA-2002-31.html
Note that this is just the one I remember and that it applies only to
some BIND 4 and BIND 8 versions.
I do however agree that ISC BIND is the standard to which we must adhere.
Thanks,
-Luke