Today, in response to CVE-2012-5166 (see this article for more details: https://kb.isc.org/article/AA-00801 ) ISC has released eight new versions of BIND.
We realize this may be a little confusing for our users and so we hope that this will explain the proliferation of releases and be helpful to BIND users who are unsure which version to select.

Currently BIND has four supported development branches, BIND 9.6-ESV, 9.7, 9.8, and 9.9. The software defect reported in CVE-2012-5166 was reported to us after we had made public release candidates for the next maintenance releases of each branch. However, in the event of a security vulnerability, our policy is to attempt to provide replacement versions which fix only the security vulnerability, to minimize the exposure to operators that other behavior changes may have an impact on their use of BIND.

Therefore, because of the unusual timing in the discovery of this vulnerability, we are releasing two versions for each development branch. Versions labeled with the suffix "-P4" are security-only versions which include no other changes besides those necessary to address CVE-2012-5166. We are also releasing point releases which are release versions superseding the previously published release candidates. The point release versions contain the security fix for CVE-2012-5166 *and* contain the other bug fixes and functionality changes previously included in the release candidates.

When selecting a replacement version you should choose a -P4 if you are currently running a -P3 version and wish to receive ONLY the security fix.

    9.6-ESV-R7-P4
    9.7.6-P4
    9.8.3-P4, or
    9.9.1-P4

Otherwise we recommend that you upgrade to the latest release version of your branch, selecting from one of the releases below:

    9.6-ESV-R8
    9.7.7
    9.8.4
    9.9.2

Michael McNally
ISC Support
_______________________________________________
bind-announce mailing list
https://lists.isc.org/mailman/listinfo/bind-announce
