Andrew Sullivan wrote:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> I just noted that cvs.postgresql.org and svr1.postgresql.org are not
>> running the latest bind release, which means that they are vulnerable to
>> the DNS cache poisoning attack recently discovered by Dan Kaminsky.
>> Vixie and co think this is a pretty big deal, so folks might want to
>> update sooner rather than later.
> This is an extremely big deal. The numbers I've seen suggest windows
> somewhere around 10 minutes. If the systems above are doing
> recursion, then they need to be patched right away. (If they're
> running both authority and recursive services in the same BIND
> instance, I suggest that the practice be abandoned immediately.)
cvs.postgresql.org is not running bind at all - what it is using are two
(purely) recursive resolvers upstream. One of them is only going to get
upgraded tomorrow(some changes need to be rolled out in a staged
fashion) the other one was done a while ago - I have simply removed that
one from the resolv.conf for the time being.
In response to
pgsql-www by date
|Next:||From: Alvaro Herrera||Date: 2008-07-27 23:46:57|
|Subject: Re: Insecure DNS servers on PG infrastructure|
|Previous:||From: Tom Lane||Date: 2008-07-27 18:52:26|
|Subject: Re: Insecure DNS servers on PG infrastructure |