On Wed, Sep 16, 2009 at 3:39 PM, Henning Brauer <lists-open...@bsws.de> wrote:
>> Building from source is light years more difficult than
>> 'apt-get update && apt-get upgrade, or 'yum upgrade' or
>> the like.
>
> so don't fucking do it, use releases and packages.

So how does one remedy CVE-2009-0696 like that? From the web site:

    007: RELIABILITY FIX: July 29, 2009 All architectures
    A vulnerability has been found in BIND's named server (CVE-2009-0696).
    An attacker could crash a server with a specially crafted dynamic
    update message to a zone for which the server is master.
    A source code patch exists which remedies this problem.

Sounds like building from source is necessary to me. As does:

http://www.openbsd.org/faq/faq10.html#Patches

If there genuinely is something as easy as "yum update bind", then great. But if so, it doesn't seem to be documented, and this is the reason I haven't rolled out more OpenBSD boxen in the real world.

I run OpenBSD on my own machines. But I'm with Cian here. Keeping up to date really is its Achilles heel compared to other OSes, and is holding it back for corporate use.

Tet

--
"It seems intuitively obvious to me, which means that it might be wrong." -- Chris Torek