Quoting likot ([EMAIL PROTECTED]):
> i never said it was a cert advisory, as far as i can
> remember this was the thread that led to that
> advisory being corrected ( meaning they released
> another advisory correcting themselves )
But the correction did _not_ assert a problem in BIND9.
To refresh your memory, you were raising this 2002 CERT advisory as an
example of a problem in BIND _after_ the bottom-up rewrite by Nominum.
My point is that this is fallacious, since the CERT advisory concerned
yet another hole in _BIND8_ spaghetti code, this time in the resolver
library.
The "correction" essentially just stated that the aforementioned
spaghetti code (and related vulnerability) was also present in several
other resolver libraries descended from the same legacy BSD code,
including the one in glibc.
> yes, but it was correcting the first advisory saying
> that if you _use_ bind 9 cache you are safe ( which
> you quoted and the one i was correcting )
Actually, the first advisory did _not_ say that. It said that _if_
queries are filtered through a BIND9 cache, they are harmless.
Bernstein rushed to jump on the ISC quotation to that effect,
attributing to them (_in error_) a supposed assertion that use of BIND9
is a cure-all for the resolver problem. However, ISC did _not_ say
that.
Florian Weimer, in the post following that (you quoted the URL, but
maybe didn't _read_ it?) corrected Bernstein's misreading of the ISC
statement. And, Dek, I've already explained this. Quoting my prior
e-mail:
    That's not a CERT advisory _either_, but rather Florian Weimer
    analysing Bernstein's post, finding it to have been somewhat
    illogical in attributing a sweeping meaning to ISC's statement
    not present in the original -- and commenting further.
> http://www.cert.org/advisories/CA-2002-19.html
>
> "Use of a local caching DNS server is not an effective
> workaround
>
> When this advisory was initially published, it was
> thought that a caching DNS server that reconstructs
> DNS responses would prevent malicious code from
> reaching systems with vulnerable resolver libraries. "
>
> that was the main point.
The CERT staff were being diplomatic. What this really says, between
the lines, is: "Look, probably nobody but Dan Bernstein so radically
and conveniently misread the earlier brief quotation from the ISC.
But just in case anybody did, and just to get that pain-in-the-ass
Bernstein off our case, let's clarify that you're not likely to be
able to guarantee that a resolver gets information only from your
BIND9 cache. Therefore, as anyone reading the initial advisory
attentively and not just spoiling for _any_ excuse to criticise the ISC
already knows, using a BIND9 caching server isn't an infallible magic
bullet against this resolver problem. Does that make you happy, Dan?
Will you please go bother someone else, now?"
[That rather far-fetched Sendmail vulnerability:]
> yes i never said it was a workable exploit i said there was an _issue_
It's an "issue" in pretty much the sense of saying "If you can somehow
make your MTA stand on its head and sing the Marseillaise, it'll probably
get a nasty nosebleed."
"Issue", my left foot.
--
Cheers,
Rick Moen               Emacs is a decent operating system,
[EMAIL PROTECTED]       but it still lacks a good text editor.
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph