[Fed-Talk] missing CVE-2009-4022 documentation
- Subject: [Fed-Talk] missing CVE-2009-4022 documentation
- From: Michael Kluskens <email@hidden>
- Date: Thu, 13 Jan 2011 09:30:00 -0500
Regarding 10.5.8 Apple's web site is missing documentation for CVE-2009-4022 even though it's highly probable that Apple has back ported patches to BIND/named.
The failure to document all back ported patches regarding CVEs is common to both 10.6.x and 10.5.8 as well as OS X and OS X Server.
Many commercial and government organizations require that all security advisories, typically referenced by their CVE number, be handled and documented. Unfortunately, Apple's Security documentation is missing just enough of these CVEs to make running OS X a lot harder than need be. For example, CVE-2009-4022 regards BIND; the executable is "named." There exists no documentation on Apple's web site regarding this; meanwhile the version number returned by the binary under 10.5.8 is flagged by the widely used security audit program Retina <http://www.eeye.com/> as being vulnerable. It's obvious by the dates of changes to this binary that Apple has backported patches to this program, but without documentation there is no proof. No proof, then no permission to operate. No permission to operate, and no future purchases of Apple computers.
Similar issues exist with OS X 10.6.x and with "ntpd" and "openssl", and I have reported the missing documentation issues with these in the past with at best unsatisfactory responses and at worst no response at all.
Apple would score a major coup if their currently supported OSes would simply pass basic security audits by programs such as Retina. The problem is that OS X is very close to trivially passing these audits, but a couple of the items are not trivial to fix solely because of the missing documentation.
Michael
Fed-talk mailing list (email@hidden)