> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
>
> This is an extremely big deal. The numbers I've seen suggest windows
> somewhere around 10 minutes. If the systems above are doing
> recursion, then they need to be patched right away. (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)
cvs.postgresql.org is not running bind at all - what it is using are two
(purely) recursive resolvers upstream. One of them is only going to get
upgraded tomorrow(some changes need to be rolled out in a staged
fashion) the other one was done a while ago - I have simply removed that
one from the resolv.conf for the time being.
Stefan
--
Sent via pgsql-www mailing list (pgsql-www@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-www
No comments:
Post a Comment