CESA-2015:1705 Important CentOS 6 bind Security Update

lancelyons
Posts: 11
Joined: 2016/11/21 20:16:20

CESA-2015:1705 Important CentOS 6 bind Security Update

Post by lancelyons » 2016/12/05 21:13:49

Hi,

We recently had a couple machines flagged for the vulnerability CESA-2015:1705 Important CentOS 6 bind Security Update.

According to the documentation, that is fixed by these files.

d8293c27b15583f7fe023689b26ce17bb941404b7315572827dd7ce87017feba bind-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm
2bb369b78a4665e7f1d438127d337613b7a820033d50a9365924bfafb460a114 bind-chroot-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm
6ff7c2354d68e3250c90f8e32d4ee6d7db2861f4198413a7b660a5b78abe04e1 bind-devel-9.8.2-0.37.rc1.el6_7.4.i686.rpm
b1f31ca252ecfd620a0503b2500cc52c46e322095985ec62d63ced8845b8d312 bind-devel-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm
2ce9bea73835b2fa6dd34377e8400c0cf69489725753e86029e2392123e42ebf bind-libs-9.8.2-0.37.rc1.el6_7.4.i686.rpm
121a44eba6c130c6070994b5dd972ca3cb7e442900f2d897b4922df9a64c6db0 bind-libs-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm
6da5e62c87f5bc54b9654bba2bf78bd7bb66ba3d56d0da53ff6bfd5c8351f25d bind-sdb-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm
5e25d5248aaedcc0165462e09f622280af123bba1052fff0f14d1600f1f2a9dc bind-utils-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm


On the machines flagged for the vulnerability we have the following bind files installed.

bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64
bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64


Why would these machines be flagged? It seems like we have newer versions on our machines. Those are the only bind files installed when checking with rpm -qa.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by mghe » 2016/12/05 21:17:45

Look into the changelog of bind ('# rpm -qi --changelog bind') and check what exactly was fixed.

Sometimes scanners check only the version of the software, not what was actually fixed.
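The check mghe describes can be scripted: read the changelog that rpm stores for the installed package and look for the CVE ids the advisory covers. The script below is an added example, not code from the thread or from CentOS; the changelog text it parses is a constructed sample laid out the way `rpm -q --changelog` prints entries (the dates, maintainer, package versions and CVE-2000-xxxx ids in it are placeholders), and only the `installed_changelog` helper touches a real rpm database.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the layout rpm uses for `rpm -q --changelog <pkg>`:
# one "* <date> <packager> - <EVR>" header per build, then "- " change lines.
# Versions, dates, maintainer and CVE ids are placeholders, not real entries.
SAMPLE_CHANGELOG = """\
* Mon Aug 01 2016 Package Maintainer <maintainer@example.com> - 32:9.8.2-0.47.rc1.3
- Rebuilt for a later release (constructed entry)
- Fix CVE-2000-0003 (constructed placeholder id)

* Mon Sep 07 2015 Package Maintainer <maintainer@example.com> - 32:9.8.2-0.37.rc1.4
- Fix CVE-2000-0001: constructed placeholder id
- Fix CVE-2000-0002
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A header line ends with " - <epoch:version-release>"; capture that EVR.
HEADER_RE = re.compile(r"^\* .*? - (\S+)$")


def parse_changelog(text: str) -> Dict[str, List[str]]:
    """Map each CVE id mentioned in the changelog to the build(s) whose entry mentions it."""
    found: Dict[str, List[str]] = {}
    current_evr: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current_evr = m.group(1)
            continue
        if current_evr is None:
            continue  # text before the first header carries no build attribution
        for cve in CVE_RE.findall(line):
            builds = found.setdefault(cve, [])
            if current_evr not in builds:
                builds.append(current_evr)
    return found


def cves_missing(text: str, wanted: List[str]) -> List[str]:
    """Return the ids from `wanted` that no changelog entry mentions.

    An empty result means every id the scanner complained about is covered
    by some build at or below the installed one (rpm keeps the full history).
    """
    present = parse_changelog(text)
    return [cve for cve in wanted if cve not in present]


def installed_changelog(package: str) -> str:
    """Fetch the real changelog from the local rpm database (RPM-based host only)."""
    return subprocess.run(
        ["rpm", "-q", "--changelog", package],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Replace the placeholder ids with the ones named in the advisory you are checking.
    wanted = ["CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0009"]
    print(parse_changelog(SAMPLE_CHANGELOG))
    print("not in changelog:", cves_missing(SAMPLE_CHANGELOG, wanted))
```

On a real host, `cves_missing(installed_changelog("bind-libs"), [...])` gives the same answer for the package actually installed; a non-empty list is the case worth escalating, since a version-only scanner finding with an empty list is the false positive mghe describes.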

lancelyons
Posts: 11
Joined: 2016/11/21 20:16:20

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by lancelyons » 2016/12/05 21:22:00

Also, for CESA-2016:1406 Important CentOS 6 kernel Security Update:

The update for CESA-2016:1406 is supposed to be....
kernel-2.6.32-642.3.1.el6.x86_64.rpm
kernel-abi-whitelists-2.6.32-642.3.1.el6.noarch.rpm
kernel-debug-2.6.32-642.3.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-642.3.1.el6.i686.rpm
kernel-debug-devel-2.6.32-642.3.1.el6.x86_64.rpm
kernel-devel-2.6.32-642.3.1.el6.x86_64.rpm
kernel-doc-2.6.32-642.3.1.el6.noarch.rpm
kernel-firmware-2.6.32-642.3.1.el6.noarch.rpm
kernel-headers-2.6.32-642.3.1.el6.x86_64.rpm
perf-2.6.32-642.3.1.el6.x86_64.rpm
python-perf-2.6.32-642.3.1.el6.x86_64.rpm

and we have installed (as a result of rpm -qa | grep kernel):

kernel-firmware-2.6.32-642.6.2.el6.centos.plus.noarch
kernel-devel-2.6.32-573.22.1.el6.centos.plus.x86_64
kernel-devel-2.6.32-642.6.2.el6.centos.plus.x86_64
kernel-2.6.32-573.26.1.el6.centos.plus.x86_64
dracut-kernel-004-409.el6_8.2.noarch
libreport-plugin-kerneloops-2.0.9-32.el6.centos.x86_64
kernel-devel-2.6.32-642.4.2.el6.centos.plus.x86_64
kernel-2.6.32-642.6.2.el6.centos.plus.x86_64
kernel-headers-2.6.32-642.6.2.el6.centos.plus.x86_64
kernel-devel-2.6.32-642.1.1.el6.centos.plus.x86_64
kernel-2.6.32-573.22.1.el6.centos.plus.x86_64
kernel-2.6.32-642.1.1.el6.centos.plus.x86_64
kernel-2.6.32-642.4.2.el6.centos.plus.x86_64
kernel-devel-2.6.32-573.26.1.el6.centos.plus.x86_64


Couple things that puzzle me (being a rookie).

- the centos.plus does not match with the CVE or CESA. Should this match?
- how do we have multiple kernel rpms showing as installed...
        kernel-2.6.32-642.6.2.el6.centos.plus.x86_64
        kernel-2.6.32-573.22.1.el6.centos.plus.x86_64
        kernel-2.6.32-642.1.1.el6.centos.plus.x86_64
        kernel-2.6.32-642.4.2.el6.centos.plus.x86_64

Which one would be used?
Should it show only 1 and the latest?
Also again, these are appended with centos.plus, does that make a difference?
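Whether an installed build is "at or above" an advisory build is decided by rpm's own version ordering, which compares version and release strings segment by segment (so 642.6.2 is newer than 642.3.1 and 0.47 is newer than 0.37, whatever trailing tags like el6.centos.plus follow). The script below is an added example, not from the thread or from the rpm project: it reimplements that ordering (rpm's rpmvercmp, without the caret operator that later rpm versions added), parses the name-version-release.arch strings from the posts above, and reports, per advisory package, the newest installed build and any older builds still on disk, which for the kernel is exactly the parallel-install situation asked about here.

```python
import functools
from typing import Dict, List, Tuple

# Package sets copied from the thread: advisory filenames vs. `rpm -qa` output.
ADVISORY_BIND = [
    "bind-libs-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm",
    "bind-utils-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm",
    "bind-chroot-9.8.2-0.37.rc1.el6_7.4.x86_64.rpm",
]
INSTALLED_BIND = [
    "bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64",
    "bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64",
]
ADVISORY_KERNEL = ["kernel-2.6.32-642.3.1.el6.x86_64.rpm"]
INSTALLED_KERNEL = [
    "kernel-2.6.32-573.22.1.el6.centos.plus.x86_64",
    "kernel-2.6.32-642.6.2.el6.centos.plus.x86_64",
    "kernel-2.6.32-642.1.1.el6.centos.plus.x86_64",
    "kernel-2.6.32-642.4.2.el6.centos.plus.x86_64",
]

NEVRA = Tuple[str, int, str, str, str]  # name, epoch, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering: 1 if a is newer, -1 if older, 0 if equal.
    Separators are ignored, numeric segments compare as numbers, alphabetic
    ones as strings, numeric beats alphabetic, and '~' sorts before anything."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        cls = str.isdigit if isnum else str.isalpha
        sa = i
        while i < len(a) and cls(a[i]):
            i += 1
        sb = j
        while j < len(b) and cls(b[j]):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:
            return 1 if isnum else -1  # numeric segment outranks alphabetic
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # longer number is larger ("10" > "9")
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has segments left over wins


def parse_nevra(pkg: str) -> NEVRA:
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its fields."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def evr_cmp(x: NEVRA, y: NEVRA) -> int:
    """Compare epoch, then version, then release, as rpm does."""
    if x[1] != y[1]:
        return 1 if x[1] > y[1] else -1
    return rpmvercmp(x[2], y[2]) or rpmvercmp(x[3], y[3])


def fmt(n: NEVRA) -> str:
    return f"{n[0]}-{n[2]}-{n[3]}.{n[4]}"


def advisory_status(installed: List[str], advisory: List[str]) -> Dict[str, dict]:
    """Per advisory package that is installed: newest installed build, whether it is
    at or above the advisory build, and older builds still present (bootable kernels)."""
    by_name: Dict[str, List[NEVRA]] = {}
    for p in installed:
        n = parse_nevra(p)
        by_name.setdefault(n[0], []).append(n)
    report = {}
    for p in advisory:
        adv = parse_nevra(p)
        builds = by_name.get(adv[0])
        if not builds:
            continue  # package not installed, so this advisory entry does not apply
        newest = max(builds, key=functools.cmp_to_key(evr_cmp))
        report[adv[0]] = {
            "newest": fmt(newest),
            "fixed": evr_cmp(newest, adv) >= 0,
            "older_still_installed": [fmt(b) for b in builds if evr_cmp(b, adv) < 0],
        }
    return report


if __name__ == "__main__":
    print(advisory_status(INSTALLED_BIND, ADVISORY_BIND))
    print(advisory_status(INSTALLED_KERNEL, ADVISORY_KERNEL))
```

For the kernel the "newest" entry only says which build yum would boot by default; the build actually running is what `uname -r` reports, and the older builds listed under `older_still_installed` remain selectable from the grub menu until they are removed.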

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by TrevorH » 2016/12/05 21:54:54

Kernels are always installed in parallel so that if you get an update that stops your system from booting, you still have a known working kernel to fall back to - you can choose which one from the grub menu at boot time.

CentOSPlus kernels are built from the same source as the standard kernel but they have several features enabled (modules etc) that are not part of the upstream standard kernel. The fact that you have them installed means that you have enabled the centosplus yum repo which is disabled out of the box. You only need the centosplus kernel if you have hardware that is not supported by the standard kernel. Otherwise it is the same as the upstream kernel and contains the same fixes.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

lancelyons
Posts: 11
Joined: 2016/11/21 20:16:20

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by lancelyons » 2016/12/05 22:17:01

Thanks Trevor for the explanation.

So it's safe to say that we have newer versions of those modules/rpms that were updated in that CVE/CESA, notwithstanding the python or perl modules?

Is that a correct statement?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by TrevorH » 2016/12/05 22:26:25

Yes. And you also have the fix for the far more serious CVE-2016-5195 which is kernel 2.6.32-642.6.2 but there is a newer kernel still available which fixes still more bugs - 2.6.32-642.11.1.el6.

lancelyons
Posts: 11
Joined: 2016/11/21 20:16:20

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by lancelyons » 2016/12/06 21:22:51

Thanks Trevor,

Do you know if all the security fixes related to CESAs or CVEs ultimately make it into the CentOS mirrors?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CESA-2015:1705 Important CentOS 6 bind Security Update

Post by TrevorH » 2016/12/06 21:33:04

If they are published for RHEL then they are rebuilt and published by CentOS too.
