On Sat, 03 Feb 2001 18:34:36 EST, jlewis@lewis.org said:
It seems we already have the beginnings of this system. The [currently known] holes in <8.2.3 were found and fixed. The root-servers all got upgraded. Then we got a message posted around midnight EST friday night on nanog (not bugtraq) with alot less detail than the average bugtraq post basically saying, "there's holes...you better upgrade". At that point, it's off to the races. You can bet people downloaded source for 8.2.3 and compared its code to previous versions looking for the holes. Did you upgrade before the first cracker found a hole and wrote an exploit?
Umm.. to be honest, I was upgraded about 2 hours after Paul's *Sunday* note (the one that made clear that the security holes affected 8.2.2-P7). I interpreted his Friday night note as "Here's 8.2.3, if you're on 8.2.2 there's security patches" with "security patches" meaning "the stuff we've fixed in -P7 but you've missed if you don't do the -P? releases". I'm positive I'm not the only person who missed the "-P7 is vulnerable" implication in the Friday night note - although I'm also sure that Paul was being intentionally obscure there... Valdis Kletnieks Operating Systems Analyst Virginia Tech