Re: US-CERT Vulnerability Note VU#800113

Subject: Re: US-CERT Vulnerability Note VU#800113

From: "Chris Barker" <email@hidden>

Date: Fri, 25 Jul 2008 17:42:43 -0700

Delivered-to: email@hidden

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type:references; bh=SKo2Z6Qger9z7wnQaLQccn6LRv+d4H5udTnHf+V86Cc=; b=HXhbo0EivALDtXnFSLrQZglPf+VCQhpiY/KIE/ukR62ZfieTohS123C50w7FcFKBCI 2m/5pRuIA1NVNuy5bUPgV1YcF5oboKvbVptSVgsTxi/S9IN3q4koHoAFhSmzkDrbEvkP CuX6TCuL4gNMGjn5V7Cp6elGIoMZrl6jxxoFg=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:references; b=ZhnisWRxNV0tkR+KN6TdbycE3/wjsVQpBHPKQm/QBPcCK7o4pif5rfnwDZM7S1o6Ua BbBL17UQTDJjNCyXqUjMOeqcH2vPUF07n7ULsxii8qcWQgj72S9nGtuT8wPq+Xb/u7VQ BGQbe7ua3ZLmmcDBv2UqSuvl5uze0TtvmU63w=

On Fri, Jul 25, 2008 at 4:39 PM, Chris Barker <email@hidden> wrote:

On Fri, Jul 25, 2008 at 3:15 PM, Bill Larson <email@hidden> wrote:

On Jul 25, 2008, at 9:44 AM, Dave Pooser wrote:

If you come away from this discussion with one lesson, let it be that
you better be prepared to patch things yourself. Apple has mislead

the newbies into thinking that everything is covered for them. It
isn't. My recommendation is: start reading those O'Reilly books and
really understand what's going on under the hood. You can't expect

vendors to bail you out every time.

...although vendors who are not Apple did in fact bail their users out this
time. Apple stands essentially alone in *not* bothering to patch this gaping
vulnerability. And if I wanted to compile my own software every time I

needed an update, I'd use Fedora.

Not defending Apple, or Fedora, just making a statement.

I am reading the CERT notice about this. At the bottom is a list of vendors and the status of their DNS server software.

Apple was notified by CERT on 05/05/2008 and they have NOT responded at all. Personally, I think this is inexcusable. They could have given any number of responses to CERT but provided the single most worst response possible.

Bill Larson

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

For fun, I submitted a radar security bug about the vulnerability, will see if it is closed or what the duplicate ticket is.

--
Chris Barker
Purveyor of Fine Suggestions
ACSA

Actually, on another related note:

Anyone here have an Applecare XServe warranty and/or "MacOS X Server Support" contract, want to call up and see about seeing if you can get an answer from them (I guess if you have preferred, since you have unlimited tickets)?

I mean, you are paying money for the support, and you should find out if Apple will give you your moneys worth.

--
Chris Barker
Purveyor of Fine Suggestions
ACSA

_______________________________________________ Do not post admin requests to the list. They will be ignored. Macos-x-server mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: This email sent to email@hidden

References:
	>Re: US-CERT Vulnerability Note VU#800113 (From: Dave Pooser <email@hidden>)
	>Re: US-CERT Vulnerability Note VU#800113 (From: Bill Larson <email@hidden>)
	>Re: US-CERT Vulnerability Note VU#800113 (From: "Chris Barker" <email@hidden>)