On Mon, 25 Aug 2003, Milan P. Stanic wrote:
> So, I think I'm not slandering them or at least that isn't my
> intention. I apologize if I did.

Slander wasn't the correct word. It's just not a good idea to malign a
whole set of coders and programs without solid reasoning behind it.

>> As far as I can remember, the last exploit in dhcpd3-server happened
>> well over 2 years ago.
>
> Do you follow DSA?
>
> Debian Security Advisory DSA 231-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> January 17th, 2003 http://www.debian.org/security/faq

This exploit is in minires, not dhcp3-server itself. [minires is a
library used by dhcp3-server to provide NSUPDATE used in Dynamic DNS.]
It also was found during an internal audit by ISC itself...

> Debian Security Advisory DSA 245-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> January 28th, 2003 http://www.debian.org/security/faq

This is a DOS in dhcp3-relay, not in dhcp3-server itself.

> I'm using ISC's dhcp too. But this doesn't mean I must praise it and
> I can't see bugs.

Heh. There are bugs in it, but many of them have been characterized,
and they are typically fixed fairly rapidly. I can only remember a few
really nasty ones, but you'd only run into them in rather strange
setups.[1]

Don Armstrong

1: Before the pool system got rewritten, the abandoned leases were not
reclaimed in the proper order [e.g., oldest abandoned lease to newest
abandoned lease.] I only ran into it because I was operating on a
large network with pools at near capacity.
-- 
Of course Pacman didn't influence us as kids. If it did, we'd be
running around in darkened rooms, popping pills and listening to
repetitive music.

http://www.donarmstrong.com
http://www.anylevel.com
http://rzlab.ucr.edu