Our security scanner flagged our CentOS 6.9 Bind version with missing security fix for CVE-2016-2775.
Checking the changelog, this CVE fix is missing from there.
However, RedHat shows this CVE fix was published for RHEL6 with this errata RHBA-2017:0651
https://access.redhat.com/errata/RHBA-2017:0651
The package version listed in that document as fixed is bind-9.8.2-0.62.rc1.el6.x86_64.rpm
yum update shows my installed package as bind-9.8.2-0.62.rc1.el6_9.5.x86_64
And a grep of the changelog shows no match for that CVE.
#rpm -q --changelog bind | grep -B 1 CVE-2016-2775
#
Do you think this was omitted in the CentOS version, or just a changelog error?
My CentOS kernel: 2.6.32-696.23.1.el6.x86_64
Thanks,
Chuck
possible bind package bug
Re: possible bind package bug
The package changelog should be inherited from the RHEL package as they are built from the same SRPM. I queried the changelog for the one you say is meant to fix this and that has no entry for it either - repoquery --changelog bind-9.8.2-0.62.rc1.el6.x86_64 | less
Packages that are changed by CentOS have .centos. in their names so this one is unchanged from the copy that was issued for RHEL. It just looks like they forgot to add the CVE number to the changelog.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
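The two checks the reply describes, grepping the package changelog for the CVE id and looking for `.centos` in the package name, as an added POSIX shell example that is not from the thread. The changelog text is constructed here to mimic the layout of `rpm -q --changelog` (header line `* <date> <packager> - <evr>` followed by `- ` lines); the epoch, dates, packager and the `CVE-0000-0001` entry are placeholders, and the bind version strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: audit a package changelog for a
# CVE id and tell whether the package is a CentOS-modified rebuild.

# Constructed sample changelog in the `rpm -q --changelog` layout.
# CVE-0000-0001, the epoch 32: and the packager are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Packager <packager@example.com> - 32:9.8.2-0.62.rc1.5
- Fix CVE-0000-0001 (placeholder entry)

* Tue Mar 07 2017 Example Packager <packager@example.com> - 32:9.8.2-0.62.rc1
- Rebase fix without a CVE reference in the changelog
'

# cve_fix_evr CHANGELOG CVE
# Prints the EVR of every changelog entry whose body mentions CVE.
# On a real system feed it: "$(rpm -q --changelog bind)"
cve_fix_evr() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { evr = $NF; next }    # header line: last field is the EVR
        index($0, cve) { print evr }  # body line that names the CVE
    '
}

# is_centos_modified NVR
# Returns 0 when the release string carries ".centos", i.e. CentOS changed
# the package rather than rebuilding the RHEL SRPM unmodified.
is_centos_modified() {
    case "$1" in
        *.centos.*|*.centos) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_package NVR CVE CHANGELOG
# One-line verdict combining the two checks above.
audit_package() {
    nvr=$1; cve=$2; changelog=$3
    found=$(cve_fix_evr "$changelog" "$cve")
    if [ -n "$found" ]; then
        echo "$cve: referenced in changelog entry $(printf '%s\n' "$found" | head -n 1)"
    elif is_centos_modified "$nvr"; then
        echo "$cve: not in changelog; package carries CentOS changes, compare against the RHEL SRPM"
    else
        echo "$cve: not in changelog; package is unmodified from RHEL, check the errata text for the fixed EVR"
    fi
}

# Stand-alone run with the versions from the thread.
audit_package "bind-9.8.2-0.62.rc1.el6_9.5.x86_64" "CVE-2016-2775" "$SAMPLE_CHANGELOG"
audit_package "bind-9.8.2-0.62.rc1.el6_9.5.x86_64" "CVE-0000-0001" "$SAMPLE_CHANGELOG"
```

Because the changelog is inherited from the RHEL SRPM, an absent CVE string proves only that the packager did not write it down; the errata page's fixed EVR compared with `rpm -q bind` is the authoritative check.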