Subject: Re: vulnerability list change
To: email@example.com, Thomas Klausner <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 06/28/2002 22:47:07
In message <20020629024032.B58B27C0D@berkshire.research.att.com>, "Steven M. Be
>In message <20020629011235.A94F14B25@coconut.itojun.org>, firstname.lastname@example.org wr
>>>> >From download-vulnerability-list:
>>>> New vulnerability list (15224 bytes) is smaller than existing list (15232
>>>> Was something removed intentionally, or is this bad?
>>>The bind-9.2.1 vulnerability line was removed, since bind-9.2.1 is not
>>>vulnerable IIUC. Normally, the file size should be increased anyway,
>>>but this seems to have been overlooked this time.
>> maybe i should have commented out the line instead? sorry for
>Yes, absolutely -- download-vulnerability-list won't overwrite a list
>with a shorter one. I had to remove my old one manually.
The answer is simpler: according to ISC, 9.2.1 is vulnerable -- see the
statement at http://www.cert.org/advisories/CA-2002-19.html
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)