CVE-2015-4620 bind-9.8.2 affected will there be an update?

mtelleria
Posts: 1
Joined: 2015/07/22 06:35:54

CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by mtelleria » 2015/07/22 06:52:47

Dear all,

Regarding the CVE-2015-4620 vulnerability, I see that CentOS and RHEL have provided updates for their 9.9.4 v7 packages [1]. However, upstream announces [2] that the vulnerability affects far more versions (BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7, 9.10.0 -> 9.10.2-P1), although it only provides patches for 9.9.7 and 9.10.2.

[1] https://lwn.net/Alerts/651838/
[2] https://kb.isc.org/article/AA-01267

Since our CentOS 6 version (9.8.2) falls within the range of affected versions (according to ISC), is there a plan to backport the fix to CentOS 6?

As an indication, Debian has already backported it to its versions 9.8.4 (wheezy, oldstable) and even 9.7.3 (squeeze, oldoldstable).
https://security-tracker.debian.org/tra ... -2015-4620

Regards,

Miguel Telleria

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by avij » 2015/07/22 07:13:40

https://bugzilla.redhat.com/show_bug.cgi?id=1237258#c2 indicates that RHEL 6 is affected, and therefore CentOS 6 is also affected. There does not seem to be a fix available for RHEL 6 yet, but once there is, it will also be published for CentOS 6.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by avij » 2015/07/22 08:36:06

Breaking news -- https://rhn.redhat.com/errata/RHSA-2015-1471.html

This update will be included in CentOS 6.7 (or in 6.7's updates), which is currently being prepared to be built. Building all the packages, creating the .isos, testing everything and syncing the files to the mirrors takes some time, so I'm hoping that this update would be pushed to the CR repository in the meantime.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by avij » 2015/07/27 12:42:02

bind-9.8.2-0.37.rc1.el6_7.1 is now available through the CR (continuous release) repository.
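As an added example (not from the thread or the CentOS project), a small Python check that decides whether an installed bind package is at or above the fixed build named above, using rpm's own version-ordering rules (alphanumeric segments, numeric beats alpha, leftover segments win); the sample yum line is the one quoted later in this thread, and the fixed EVR is taken from this post with the epoch 32 shown in that yum output.

```python
import re

# Fixed build named in this thread (CR repo, later CentOS 6.7); epoch 32 as yum shows it.
FIXED_BIND_EVR = "32:9.8.2-0.37.rc1.el6_7.1"

# Package line as printed by yum in KillerDAN's post (the pre-upgrade state).
SAMPLE_YUM_LINE = ("bind.x86_64 32:9.8.2-0.30.rc1.el6_6.3 "
                   "bind-libs.x86_64 32:9.8.2-0.30.rc1.el6_6.3 "
                   "bind-utils.x86_64 32:9.8.2-0.30.rc1.el6_6.3")

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings like rpm does (tilde/caret
    handling omitted). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)             # drops leading zeros
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evrcmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(evr, fixed=FIXED_BIND_EVR):
    return evrcmp(evr, fixed) >= 0

def installed_from_yum(text):
    """Parse yum's 'name.arch EVR name.arch EVR ...' output into a dict."""
    words = text.split()
    return dict(zip(words[0::2], words[1::2]))

if __name__ == "__main__":
    for pkg, evr in installed_from_yum(SAMPLE_YUM_LINE).items():
        print(pkg, evr, "fixed" if is_fixed(evr) else "VULNERABLE")
```

On a live host the same check can be fed from `rpm -q --qf '%{NAME}.%{ARCH} %{EPOCH}:%{VERSION}-%{RELEASE}\n' bind`.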

KillerDAN
Posts: 2
Joined: 2015/08/04 13:01:59
Location: Lisboa, PORTUGAL

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by KillerDAN » 2015/08/04 13:07:49

Hello, not sure if this is the best place to report this. We, a major cable operator in Portugal, operate several CentOS boxes running DNS cache resolvers for our customers' internet access.

After upgrading from:

Installed:
bind.x86_64 32:9.8.2-0.30.rc1.el6_6.3 bind-libs.x86_64 32:9.8.2-0.30.rc1.el6_6.3 bind-utils.x86_64 32:9.8.2-0.30.rc1.el6_6.3

To

Removed:
bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2 bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2 bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2

Our DNS servers suffered several recurring outages (extended +4s delays in query response time) that forced us to roll back this upgrade.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by avij » 2015/08/07 18:28:20

Now that CentOS 6.7 has been released, you can get your fixed version of bind with a simple yum update.

KillerDAN
Posts: 2
Joined: 2015/08/04 13:01:59
Location: Lisboa, PORTUGAL

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by KillerDAN » 2015/08/11 15:38:01

If anyone reading this could help out to properly address this issue, you are most welcome. I have stumbled across a serious issue and this really needs to be addressed.

In my previous post I stated that the current CVE-2015-4620 patch affected our caching DNS performance to the point of missing or having +4s extended delay responses.

CPU usage has gone from <15% to >98% with this patch.

The real catch here, and probably why no one else is complaining, is RPZ. This issue is directly related to RPZ usage.

Once we disabled all response-policy sections and issued an rndc reconfig, the CPU immediately dropped to its previous values and no more outages were noticed.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2015-4620 bind-9.8.2 affected will there be an update?

Post by TrevorH » 2015/08/11 19:32:48

If you're a major ISP then you should almost certainly be using a RHEL system for this and then you could complain directly to the people who maintain the codebase and have the ability to track down the problem and fix it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
