possible bind package bug

carock
Posts: 8
Joined: 2005/06/23 19:41:45

possible bind package bug

Postby carock » 2018/03/23 17:21:22

Our security scanner flagged our CentOS 6.9 Bind version with missing security fix for CVE-2016-2775.

Checking the changelog, this CVE fix is missing from there.

However, RedHat shows this CVE fix was published for RHEL6 with this errata RHBA-2017:0651

https://access.redhat.com/errata/RHBA-2017:0651

The package version listed in that document as fixed is bind-9.8.2-0.62.rc1.el6.x86_64.rpm

yum update shows my installed package as bind-9.8.2-0.62.rc1.el6_9.5.x86_64

And a grep of the changelog shows no match for that CVE.

#rpm -q --changelog bind | grep -B 1 CVE-2016-2775
#

Do you think this was omitted in the CentOS version, or just a changelog error?

My CentOS kernel: 2.6.32-696.23.1.el6.x86_64

Thanks,
Chuck

TrevorH
Forum Moderator
Posts: 22599
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: possible bind package bug

Postby TrevorH » 2018/03/23 17:34:04

The package changelog should be inherited from the RHEL package as they are built from the same SRPM. I queried the changelog for the one you say is meant to fix this and that has no entry for it either - repoquery --changelog bind-9.8.2-0.62.rc1.el6.x86_64 | less

Packages that are changed by CentOS have .centos. in their names so this one is unchanged from the copy that was issued for RHEL. It just looks like they forgot to add the CVE number to the changelog.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
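A more reliable check than grepping the changelog is to compare the installed package's version-release against the build the errata names: an el6_9.5 rebuild of 0.62.rc1 carries everything the 0.62.rc1.el6 errata build had. The example below is added here and is not code from the thread, from rpm or from CentOS; it uses a simplified reimplementation of rpm's version comparison (tilde and caret rules left out) and a constructed changelog with made-up packager names.

```python
import re

# Simplified reimplementation of rpm's rpmvercmp (added example, not rpm's own code).
# Strings split into numeric/alphabetic segments; numeric segments compare as integers,
# numeric beats alphabetic, and a longer string wins. rpm's '~' and '^' rules are omitted.
_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def parse_nvr(pkg):
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release)."""
    pkg = re.sub(r"\.rpm$", "", pkg)
    pkg = re.sub(r"\.(x86_64|i686|i386|noarch|src)$", "", pkg)
    return tuple(pkg.rsplit("-", 2))

def installed_includes_fix(installed, fixed):
    """True when the installed build is the errata build or a later rebuild of it."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

def changelog_entries_mentioning(changelog, cve):
    """Headers ('* date packager - evr') of changelog entries whose text contains cve."""
    entries = re.split(r"(?m)^(?=\* )", changelog)
    return [e.splitlines()[0] for e in entries if cve in e]

# Constructed sample changelog (not the real bind changelog): no entry names the CVE.
SAMPLE_CHANGELOG = """\
* Thu Jan 04 2018 Example Packager <packager@example.com> - 32:9.8.2-0.62.rc1.el6_9.5
- constructed entry: rebuild for an unrelated fix
* Wed Mar 01 2017 Example Packager <packager@example.com> - 32:9.8.2-0.62.rc1.el6
- constructed entry: errata build, CVE number omitted from the changelog
"""
```

Run against the two package names from the thread, installed_includes_fix returns True while the changelog scan for CVE-2016-2775 returns nothing, which is exactly the situation the scanner flagged.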