Sorry to keep this thread going, but perhaps one more clarification. The original post said that the bug occured on RedHat 5.1 of our system administrator. I immediately emailed Red Hat (haven't heard from them yet), and also posted to Debian. I got a reply from Debian within 12 hours and looked for the new package number in package-updates. I didn't find it so I looked in current distribution and found it with correct version number.
On Sat, 24 Oct 1998, Lukas Eppler wrote: > On Fri, 23 Oct 1998, King Lee wrote: > > > The bug is real, and Debian has a fix. See security > > lists in Debian. If you are running Debian 2.0 > > you might have a security hole. There was also security > > problems with bind. The fixes appear in the current distributions > > (2.0.2 I think) not in package-updates. > > Why the bloody hell not? I think that it was moved from package-updates to the main distribution so that if you downloaded it or purchased a new cdrom, it would have the updates in it. Seems reasonable. > > Sorry, this makes me angry. Debian does a whole lot on finding these > holes, then spreading the information they are there, but then every one > has to read at least debian-user or visit the security page on the web to > find out. We have such a great distribution system and make no use of it. System administration with responsibility for security (and other things) is inhierently complex. All you can ask for is someone to point the way, and it's up to you track it down. King Lee
