In message <20110705200619.gb99...@isc.org>, Evan Hunt writes:
> > On the ISC website I don't see that the 9.4-ESV-R4-P1 is affected by the
> > CVE-2011-2464. Is it because it's not really affected? Or it's affected
> > but I don't see it on "versions affected" because the 9.4-ESV-R4-P1 has
> > its EOL date to Jun 2011.
>
> To be very precise with my language: It is not *exposed*.
>
> The issue has two layers. First, there's an underlying bug that's been
> dormant in our code for a very long time, but there was no way to trigger
> it... and, second, there's the trigger. Actually, there are two separate
> triggers: one was introduced in 9.6 and another in 9.7. Neither of
> them is in any version of 9.4.
>
> So, we *will* be releasing 9.4-ESV-R5 soon, and it contains a fix for the
> underlying bug. But we didn't release a patch today because there's no
> trigger.

Additionally we report if EoL code contains a security vulnerability even
if the only fix is to upgrade to a more recent version. It is not in ISC's,
nor the public's interest, to leave vulnerable code out there running.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org