
List:       oss-security
Subject:    Re: [oss-security] BIND Operational Notification: Enabling the new BIND option "stale-answer-client-
From:       Ondřej Surý <ondrej () isc ! org>
Date:       2021-02-19 10:27:27
Message-ID: 82FEB890-2BBE-4E1E-968B-3CC16744C784 () isc ! org

Hi Hanno,

by the time Michael was writing the message, we were still reviewing
the fix for the issue.

The fix has been made public now:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4714

FTR we are not treating this as a security issue as this is a newly
introduced option and disabled by default. That is the same reason why
we are not making a new release in haste. There's a whole QA machinery
around the release which means that we would be able to speed
up the release only by a week or so, and that doesn't make much
sense.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej@isc.org

> On 19. 2. 2021, at 9:17, Hanno Böck <hanno@hboeck.de> wrote:
> 
> On Thu, 18 Feb 2021 20:09:47 -0900
> ISC Security Officer <security-officer@isc.org> wrote:
> 
>> 2)  If you already have packages based on 9.16.12, we expect to have
>> a patch ready well before the next maintenance release.  A candidate
>> patch is under review now and can be delivered after review and
>> quality assurance testing.  If you wish to receive updates on the
>> progress of this patch, please e-mail your request to
>> security-officer@isc.org
> 
> I am confused by your actions here.
> 
> You warn people about a messed up release (can happen, no problem), you
> say you have a preliminary patch, but you make it extra complicated to
> get that patch? Why not just post the patch?
> 
> Also I read into your words that you don't plan to publish a quick
> followup release, which would be the right thing to do ("we expect to
> have a patch ready well before the next maintenance release" - I read
> that as you don't plan to make a new maintenance release as soon as
> the patch is ready, which would be the right thing to do).
> 
> 
> --
> Hanno Böck
> https://hboeck.de/

