
Re: US-CERT Vulnerability Note VU#800113




On Jul 25, 2008, at 9:13 PM, email@hidden wrote:

From: Bill Larson <email@hidden>
Subject: Re: US-CERT Vulnerability Note VU#800113
To: Dave Pooser <email@hidden>
Cc: OS X server list <email@hidden>
Message-ID: <email@hidden>
Content-Type: text/plain; charset="us-ascii"

On Jul 25, 2008, at 9:44 AM, Dave Pooser wrote:

If you come away from this discussion with one lesson, let it be that
you better be prepared to patch things yourself.  Apple has misled
the newbies into thinking that everything is covered for them.  It
isn't.  My recommendation is: start reading those O'Reilly books and
really understand what's going on under the hood.  You can't expect
vendors to bail you out every time.

...although vendors who are not Apple did in fact bail their users out this
time. Apple stands essentially alone in *not* bothering to patch this gaping
vulnerability. And if I wanted to compile my own software every time I
needed an update, I'd use Fedora.

Not defending Apple, or Fedora, just making a statement.

I am reading the CERT notice about this.  At the bottom is a list of
vendors and the status of their DNS server software.

Apple was notified by CERT on 05/05/2008 and they have NOT responded
at all.  Personally, I think this is inexcusable.  They could have
given any number of responses to CERT but provided the single worst
response possible.

Bill Larson

For those of you who have avoided the list of vendors who have either complied (Force10, Foundry), not complied (Microsoft, Sun Microsystems, IBM, Slackware, Mandrake, Red Hat, etc.), or just ignored the news so far (Apple, OpenDNS, Siemens, Sony), I've copied the list below.

Rather than just attack Apple only for this, I think it is pretty telling that the list so far seems to indicate that not many of these companies are taking this issue as seriously as it needs to be taken.

Maybe some of these companies have released patches already, but their status has not been updated, I don't know, but since we are basing our screams and shouts off this page, let us look at it in its entirety:

http://www.kb.cert.org/vuls/id/800113
Systems Affected
Vendor | Status | Date Updated
3com, Inc. | Unknown | 10-Jul-2008
Alcatel-Lucent | Unknown | 23-Jul-2008
Apple Computer, Inc. | Unknown | 5-May-2008
AT&T | Unknown | 21-Apr-2008
Avaya, Inc. | Vulnerable | 16-Jul-2008
Avici Systems, Inc. | Unknown | 21-Apr-2008
Belkin, Inc. | Unknown | 13-Jul-2008
Blue Coat Systems | Vulnerable | 22-Jul-2008
BlueCat Networks, Inc. | Vulnerable | 22-Jul-2008
Check Point Software Technologies | Not Vulnerable | 23-Jul-2008
Cisco Systems, Inc. | Vulnerable | 10-Jul-2008
Conectiva Inc. | Unknown | 5-May-2008
Cray Inc. | Unknown | 5-May-2008
D-Link Systems, Inc. | Unknown | 2-May-2008
Data Connection, Ltd. | Unknown | 21-Apr-2008
Debian GNU/Linux | Vulnerable | 9-Jul-2008
djbdns | Not Vulnerable | 10-Jul-2008
dnsmasq | Vulnerable | 11-Jul-2008
DragonFly BSD Project | Unknown | 3-Jul-2008
EMC Corporation | Unknown | 21-Apr-2008
Engarde Secure Linux | Unknown | 5-May-2008
Ericsson | Unknown | 21-Apr-2008
Extreme Networks | Unknown | 21-Apr-2008
F5 Networks, Inc. | Vulnerable | 14-Jul-2008
Fedora Project | Unknown | 5-May-2008
Force10 Networks, Inc. | Not Vulnerable | 11-Jul-2008
Foundry Networks, Inc. | Not Vulnerable | 10-Jul-2008
FreeBSD, Inc. | Vulnerable | 14-Jul-2008
Fujitsu | Vulnerable | 18-Jul-2008
Gentoo Linux | Vulnerable | 12-Jul-2008
Gnu ADNS | Unknown | 5-May-2008
GNU glibc | Unknown | 5-May-2008
Hewlett-Packard Company | Vulnerable | 16-Jul-2008
Hitachi | Unknown | 21-Apr-2008
Honeywell | Unknown | 21-Apr-2008
IBM Corporation | Vulnerable | 12-Jul-2008
IBM Corporation (zseries) | Unknown | 5-May-2008
IBM eServer | Unknown | 21-Apr-2008
Infoblox | Vulnerable | 21-Jul-2008
Ingrian Networks, Inc. | Unknown | 5-May-2008
Intel Corporation | Unknown | 21-Apr-2008
Internet Systems Consortium | Vulnerable | 14-Jul-2008
JH Software | Not Vulnerable | 10-Jul-2008
Juniper Networks, Inc. | Vulnerable | 10-Jul-2008
Linux Kernel Archives | Unknown | 3-Jun-2008
Lucent Technologies | Unknown | 21-Apr-2008
Luminous Networks | Unknown | 21-Apr-2008
Mandriva, Inc. | Vulnerable | 22-Jul-2008
MaraDNS | Not Vulnerable | 10-Jul-2008
Men & Mice | Unknown | 5-May-2008
Metasolv Software, Inc. | Unknown | 5-May-2008
Microsoft Corporation | Vulnerable | 8-Jul-2008
MontaVista Software, Inc. | Unknown | 5-May-2008
Motorola, Inc. | Unknown | 21-Apr-2008
Multinet (owned Process Software Corporation) | Unknown | 21-Apr-2008
Multitech, Inc. | Unknown | 21-Apr-2008
NEC Corporation | Not Vulnerable | 18-Jul-2008
NetApp | Unknown | 3-Jul-2008
NetBSD | Unknown | 5-May-2008
Netgear, Inc. | Unknown | 21-Apr-2008
Network Appliance, Inc. | Unknown | 21-Apr-2008
Nixu | Vulnerable | 9-Jul-2008
NLnet Labs | Not Vulnerable | 10-Jul-2008
Nokia | Unknown | 21-Apr-2008
Nominum | Vulnerable | 10-Jul-2008
Nortel Networks, Inc. | Unknown | 21-Apr-2008
Novell, Inc. | Vulnerable | 14-Jul-2008
OpenBSD | Vulnerable | 24-Jul-2008
OpenDNS | Not Vulnerable | 10-Jul-2008
Openwall GNU/*/Linux | Vulnerable | 17-Jul-2008
PePLink | Not Vulnerable | 10-Jul-2008
Posadis project | Unknown | 14-Jul-2008
PowerDNS | Not Vulnerable | 10-Jul-2008
QNX, Software Systems, Inc. | Unknown | 5-May-2008
Red Hat, Inc. | Vulnerable | 10-Jul-2008
Redback Networks, Inc. | Unknown | 21-Apr-2008
Secure Computing Network Security Division | Vulnerable | 17-Jul-2008
Shadowsupport | Unknown | 5-May-2008
Siemens | Unknown | 8-Jul-2008
Silicon Graphics, Inc. | Unknown | 5-May-2008
Slackware Linux Inc. | Vulnerable | 12-Jul-2008
Sony Corporation | Unknown | 21-Apr-2008
Sun Microsystems, Inc. | Vulnerable | 10-Jul-2008
SUSE Linux | Vulnerable | 11-Jul-2008
The SCO Group | Unknown | 5-May-2008
Trustix Secure Linux | Unknown | 5-May-2008
Turbolinux | Unknown | 5-May-2008
Ubuntu | Vulnerable | 10-Jul-2008
Wind River Systems, Inc. | Vulnerable | 9-Jul-2008
ZyXEL | Unknown | 21-Apr-2008
