I opened up a PMR, once again, on this bind issue.
Their MO is to pick some level of bind, 9.7.4-P1 in our case, and stay 
there.  Instead of porting over current levels of bind that have addressed 
these CVEs, they then patch what they've ported over to then address 
these CVEs.  There are a couple of problems with that:
- External scans still say "hey you are on an obsolete version of bind - 
CRITICAL ISSUE!!!" and make your security audit look less than optimum.
- They do not publish the CVEs addressed in PTF cover letters or in APARs 
that I can see at:  
http://www.ibm.com/n_dir/nas4apar.nsf/nas4aparhome
IBM did send me an email saying "this list of CVEs have been addressed by 
PTF SI51699".  I still would like a site that tells me that, especially 
since seeing the following:
   CVE-2013-6320    A Winsock API Bug can cause a side-effect affecting 
BIND ACLs <----- Planned for future PTF fix.
doesn't really scream at me that this list 'really' covers what CVEs have 
been fixed by this PTF.  And, just to mention, this is a 2013 CVE 
that's yet to be addressed.
Rob Berendt