DNS fix?

[shall]

When will Parallels be releasing an update to patch the BIND DNS service?

http://securosis.com/publications/CERT Advisory.doc

http://www.smh.com.au/news/security/critical-flaw-rocks-the-internet/2008/07/09/1215282882891.html

http://www.doxpara.com/

http://www.isc.org/index.pl?/sw/bind/

 

[sergius]

When will Parallels be releasing an update to patch the BIND DNS service?

http://securosis.com/publications/CERT Advisory.doc

http://www.smh.com.au/news/security/critical-flaw-rocks-the-internet/2008/07/09/1215282882891.html

http://www.doxpara.com/

http://www.isc.org/index.pl?/sw/bind/

Hello shall,

The next Plesk version will be released with updated BIND 9.4.2-P1.

 

[shall]

What's the ETA on that?

The discoverer will be publishing the vulnerability August 2nd. We have to be able to test the Plesk patch and fix the issues that are inevitably going to be caused by the Plesk update before the DNS poisoning from these is in the wild - which is going to be around August 3rd (if not sooner).

 

[dynamicnet]

Greetings:

See http://www.theregister.co.uk/2008/07/09/dns_bug_student_discovery/

This vulnerability was reported approximately three years ago.

If your servers are secured, and your DNS servers secured (which means you only transfer between your own name severs, and only recursive queries through your own servers), then the DNS poisoning to worry about is not your own cluster, those servers external to yours.

That's why all parties need to patch. If it was just Plesk users who patched or just H-Sphere users who patched, the threat would still be present from the outside world.

In any event, we are all waiting on patching -- Plesk, H-Sphere, and other Parallels products as every patched server contributes to the overall health of the net.

Thank you.