[plug] in case anyone wasn't aware.. CERT advisory [ BIND ]

The Thought Assassin assassin at live.wasp.net.au
Tue Nov 14 14:12:30 WST 2000


On Tue, 14 Nov 2000, Bret Busby wrote:
> Christian wrote:
> > On Tue, Nov 14, 2000 at 11:12:10AM +0800, Desiree wrote:
> > > CERT Advisory CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
> > There are new security bugs announced several times daily so I'm not
> > sure that we need to post them to this list
> A couple of points:
> A while ago, from memory, I raised a similar issue on the mailing list
> At that time, from memory, advice was given that no-one using Linux,
> should be using BIND, unless it was absolutely necessary,
> and, that people should check whether BIND was running on their systems,
> and, if so, unless they were running DNS servers, or something, they
> should immediately disable BIND, as BIND itself posed a security risk,

It is not BIND itself that is a risk; it is just generally a bad idea to
leave something listening as root on an exposed port, unless you really
need to. Eventually, there _will_ be a security hole, and the chances are
someone evil will know about it before you do (since you are unlikely to
pay attention to bug reports for software you don't know you are running).

At the time, BIND was at the end of a very bad run of security holes, and
was probably the first thing a cracker would look for. These days BIND
doesn't seem to be so bad, but it's still unwise to run it unnecessarily.

If someone needs to run BIND (or any other network service) then they
should choose to install it (opt-in rather than opt-out) and make sure
they stay abreast of security issues such as this latest one. This is not
the forum they should be tracking for security reports, and if they are
not tracking the appropriate forum(s)*, then they should not be running
networking software. As such, there is no benefit in reposting security
notices here (with the possible exception of flaws in the Linux TCP/IP
stack, which do affect everyone here, whether they are running external
network services or not).

I am, of course, merely reiterating what Christian said, but hopefully
with enough detail to satisfy Bret's curiosity.

-Greg Mildenhall

* If nothing else, then at least the security updates page for Debian or
the (inferior :) distro of your choice.
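The check Greg describes, "is something listening as root on an exposed port, and do I know what it is?", can be scripted. The following is an added example, not code from the post or from the PLUG list: it parses the Linux /proc/net/tcp and /proc/net/udp tables, maps each bound socket's inode back to the owning process through /proc/<pid>/fd, and flags sockets that are owned by uid 0 and bound to a non-loopback address. The /proc layout is the real kernel format; the sample table, its inode numbers and the process names (named, sshd) are constructed for the offline demonstration and are assumptions, not data from any real host. IPv4 only; the tcp6/udp6 tables use the same layout with 32-hex-digit addresses.

```python
#!/usr/bin/env python3
"""Flag sockets that listen as root on a non-loopback address (Linux /proc).

Added example for the PLUG thread above; not part of the original post.
"""
import os
import re
from dataclasses import dataclass

# Socket state column in /proc/net/tcp: 0A == TCP_LISTEN.
# /proc/net/udp has no LISTEN state; a bound, unconnected UDP socket shows 07.
BOUND_STATE = {"tcp": "0A", "udp": "07"}


@dataclass
class Sock:
    proto: str
    addr: str
    port: int
    uid: int
    inode: int


def parse_proc_net(text, proto):
    """Parse the text of /proc/net/tcp or /proc/net/udp; return bound/listening sockets."""
    socks = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        local, state, uid, inode = parts[1], parts[3], int(parts[7]), int(parts[9])
        if state != BOUND_STATE[proto]:
            continue
        hexaddr, hexport = local.split(":")
        if len(hexaddr) != 8:                   # IPv4 only; tcp6/udp6 carry 32 hex digits
            continue
        # The kernel prints the IPv4 address in host (little-endian) byte order:
        # 0100007F is 127.0.0.1, 00000000 is the wildcard 0.0.0.0.
        octets = [int(hexaddr[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
        socks.append(Sock(proto, ".".join(map(str, octets)), int(hexport, 16), uid, inode))
    return socks


def is_exposed(sock):
    """True unless the socket is bound to a loopback address (127.0.0.0/8)."""
    return not sock.addr.startswith("127.")


def audit(socks, inode_to_cmd=None):
    """Return [(sock, owner)] for sockets that are owned by root and reachable off-host."""
    inode_to_cmd = inode_to_cmd or {}
    return [(s, inode_to_cmd.get(s.inode, "?")) for s in socks
            if s.uid == 0 and is_exposed(s)]


def map_inodes_to_procs():
    """Walk /proc/<pid>/fd and return {socket inode: "comm[pid]"} (run as root to see all)."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            comm = open(f"/proc/{pid}/comm").read().strip()
        except OSError:
            continue                            # process exited or not ours to inspect
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]", target)
            if m:
                mapping[int(m.group(1))] = f"{comm}[{pid}]"
    return mapping


def audit_live():
    """Audit the local machine (Linux only)."""
    cmds = map_inodes_to_procs()
    findings = []
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as f:
            findings += audit(parse_proc_net(f.read(), proto), cmds)
    return findings


# Constructed sample (assumption, not a real host): root named on 0.0.0.0:53 and on
# 127.0.0.1:53, root sshd on 0.0.0.0:22, a uid-1000 service on 0.0.0.0:8080, and one
# established (state 01) connection that must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 18004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0035 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 18005 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_CMDS = {18001: "named[412]", 18002: "named[412]", 18003: "sshd[380]"}

if __name__ == "__main__":
    for s, cmd in audit(parse_proc_net(SAMPLE_TCP, "tcp"), SAMPLE_CMDS):
        print(f"{s.proto} {s.addr}:{s.port} uid={s.uid} owner={cmd}: listening as root off-loopback")
```

Run stand-alone it reports the two root listeners on the wildcard address (named on 53 and sshd on 22) and stays quiet about the loopback-only resolver and the unprivileged service; `audit_live()` does the same against the running system, where an unexpected entry is exactly the "software you don't know you are running" that the post warns about.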
