CVE-2015-4620 bind-9.8.2 affected will there be an update?
Dear all,
Regarding the CVE-2015-4620 vulnerability, I see that CentOS and RHEL have provided updates for their 9.9.4 v7 packages [1]. However, upstream announces [2] that the vulnerability affects far more versions (BIND 9.7.1 -> 9.7.7, 9.8.0 -> 9.8.8, 9.9.0 -> 9.9.7, 9.10.0 -> 9.10.2-P1), although it only provides patches for 9.9.7 and 9.10.2.
[1] https://lwn.net/Alerts/651838/
[2] https://kb.isc.org/article/AA-01267
Since our CentOS 6 version (9.8.2) falls within the range of affected versions (according to ISC), is there a plan to backport the fix to CentOS 6?
As an indication, Debian has already backported it to its versions 9.8.4 (wheezy, oldstable) and even 9.7.3 (squeeze, oldoldstable).
https://security-tracker.debian.org/tra ... -2015-4620
Regards,
Miguel Telleria
Re: CVE-2015-4620 bind-9.8.2 affected will there be un updat
https://bugzilla.redhat.com/show_bug.cgi?id=1237258#c2 indicates that RHEL 6 is affected, and therefore CentOS 6 is also affected. There does not seem to be a fix available for RHEL 6 yet, but once there is, it will also be published for CentOS 6.
Re: CVE-2015-4620 bind-9.8.2 affected will there be un updat
Breaking news -- https://rhn.redhat.com/errata/RHSA-2015-1471.html
This update will be included in CentOS 6.7 (or in 6.7's updates), which is currently being prepared to be built. Building all the packages, creating the .isos, testing everything and syncing the files to the mirrors takes some time, so I'm hoping that this update would be pushed to the CR repository in the meantime.
Re: CVE-2015-4620 bind-9.8.2 affected will there be an updat
bind-9.8.2-0.37.rc1.el6_7.1 is now available through the CR (continuous release) repository.
Re: CVE-2015-4620 bind-9.8.2 affected will there be an updat
Hello, not sure if this is the best place to report this. We, a major cable operator in Portugal, operate several CentOS boxes running DNS cache resolvers for our customers' internet access.
After upgrading from:
Installed:
bind.x86_64 32:9.8.2-0.30.rc1.el6_6.3 bind-libs.x86_64 32:9.8.2-0.30.rc1.el6_6.3 bind-utils.x86_64 32:9.8.2-0.30.rc1.el6_6.3
To
Removed:
bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2 bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2 bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2
Our DNS servers suffered several recurring outages (extended +4s delays in query response time) that forced us to roll back this upgrade.
Re: CVE-2015-4620 bind-9.8.2 affected will there be an updat
Now that CentOS 6.7 has been released, you can get your fixed version of bind with a simple yum update.
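An added example, not part of any post in this thread: a small audit that compares installed bind builds against the first el6 build the thread names as available (bind-9.8.2-0.37.rc1.el6_7.1), using rpm-style version ordering. The epoch 32 on that build is assumed from the yum output quoted above, the host names are made up, and `~`/`^` handling from newer rpm is omitted.

```python
import re

# Build named in the thread as available for el6 after the erratum.
# Assumption: same epoch (32) as in the yum output quoted in the thread.
FIXED_EL6_EVR = "32:9.8.2-0.37.rc1.el6_7.1"

def split_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def vercmp(a, b):
    """Order two version/release strings as rpm does (no ~ or ^ support)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, not lexical
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Return -1, 0 or 1: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(inventory):
    """Return hosts whose el6 bind build is older than FIXED_EL6_EVR."""
    return sorted(h for h, evr in inventory.items()
                  if evr_cmp(evr, FIXED_EL6_EVR) < 0)

# Constructed inventory: hypothetical hosts, EVRs taken from the thread.
INVENTORY = {
    "resolver-a": "32:9.8.2-0.30.rc1.el6_6.3",
    "resolver-b": "32:9.8.2-0.37.rc1.el6_7.2",
    "resolver-c": "32:9.8.2-0.37.rc1.el6_7.1",
}

if __name__ == "__main__":
    print("hosts still on a pre-fix bind build:", audit(INVENTORY))
```

On a real host the installed value can be read with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' bind`; the comparison is only meaningful for el6 packages.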
Re: CVE-2015-4620 bind-9.8.2 affected will there be an updat
If anyone reading this could help out to properly address this issue, you are most welcome. I have stumbled across a serious issue that really needs to be addressed.
In my previous post I stated that the current CVE-2015-4620 patch affected our caching DNS performance to the point of missing responses or responses with an extended +4s delay.
CPU usage has gone from <15% to >98% with this patch.
The real catch here, and probably why no one else is complaining, is RPZ. This issue is directly related to RPZ usage.
Once we disabled all response-policy sections and issued an rndc reconfig, the CPU immediately dropped to previous values and no more outages were noticed.
Re: CVE-2015-4620 bind-9.8.2 affected will there be an updat
If you're a major ISP then you should almost certainly be using a RHEL system for this and then you could complain directly to the people who maintain the codebase and have the ability to track down the problem and fix it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke