From: Paul D. Robertson (no email)
Date: Wed Jan 02 2002 - 21:06:34 EST
On Wed, 2 Jan 2002, Len Conrad wrote:
> >Always (for performance reasons)- however it's important to ensure that
> >the DNS isn't exploitable- after WU-FTP, BIND is pretty high on the list of
> >*nix exploit vectors
>
> This has not been true for over a year for ISC BIND8, and ISC BIND9 hasn't
> yet been compromised.
Not everyone runs ISC BIND directly- especially if they're using
vendor-supplied software, and definitely a large number of places don't update
nearly often enough. Also, I think we've still got a couple weeks before we hit
"over a year."
> Check with SANS where they put BIND at the top of risks, BUT at least they
> qualify that warning by saying it's the old versions of BIND that are still
> running years after they were exploited.
Nonetheless- BIND's history doesn't instill confidence and, regardless
of that, protecting BIND only makes sense on a mail server.
WU-FTPD, BIND and Sendmail fall into the "large codebase that's historically
been broken" category.
The current BIND trend is a very significant improvement, but Sendmail's
had some smooth stretches too.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
which may have no basis whatsoever in fact."
-
To unsubscribe, send mail to with content
(not subject): unsubscribe postfix-users