possible bind package bug

Support for security such as Firewalls and securing linux

possible bind package bug

Post by carock » 2018/03/23 17:21:22

Our security scanner flagged our CentOS 6.9 Bind version with missing security fix for CVE-2016-2775.

Checking the changelog, this CVE fix is missing from there.

However, Red Hat shows this CVE fix was published for RHEL 6 with this errata: RHBA-2017:0651.


The package version listed in that document as fixed is bind-9.8.2-0.62.rc1.el6.x86_64.rpm.

yum update shows my installed package as bind-9.8.2-0.62.rc1.el6_9.5.x86_64.

And a grep of the changelog shows no match for that CVE.

#rpm -q --changelog bind | grep -B 1 CVE-2016-2775

Do you think this was omitted in the CentOS version, or just a changelog error?

My CentOS kernel: 2.6.32-696.23.1.el6.x86_64



Re: possible bind package bug

Post by TrevorH » 2018/03/23 17:34:04

The package changelog should be inherited from the RHEL package as they are built from the same SRPM. I queried the changelog for the one you say is meant to fix this and that has no entry for it either - repoquery --changelog bind-9.8.2-0.62.rc1.el6.x86_64 | less

Packages that are changed by CentOS have .centos. in their names so this one is unchanged from the copy that was issued for RHEL. It just looks like they forgot to add the CVE number to the changelog.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
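The thread makes two checks: grep the package changelog for the CVE, and compare the installed version-release against the one the errata names. Below is an added Python example (not code from the thread or from CentOS/Red Hat) that does both offline. The changelog excerpts are constructed samples in rpm changelog format; the `rpmvercmp` function is a simplified re-implementation of rpm's comparison (it ignores the `~` and `^` sorting hints), and the epoch is assumed equal because both packages come from the same stream. Package strings and the CVE number are the ones quoted in the thread.

```python
import re

# Constructed sample: an rpm-style changelog excerpt that, like the one on the
# box in the thread, carries no CVE-2016-2775 line. Dates, names and text are
# placeholders, not real changelog entries.
CHANGELOG_WITHOUT_CVE = """\
* Tue Mar 21 2017 Example Packager <packager@example.invalid> - 32:9.8.2-0.62.rc1.el6_9.5
- rebuild (constructed entry)
* Wed Feb 15 2017 Example Packager <packager@example.invalid> - 32:9.8.2-0.62.rc1
- stability fixes (constructed entry)
"""

# Constructed sample of what an entry that did tag the fix would look like.
CHANGELOG_WITH_CVE = """\
* Wed Feb 15 2017 Example Packager <packager@example.invalid> - 32:9.8.2-0.62.rc1
- fix CVE-2016-2775 (constructed entry)
"""

INSTALLED = "bind-9.8.2-0.62.rc1.el6_9.5.x86_64"      # from the thread
ERRATA_FIXED = "bind-9.8.2-0.62.rc1.el6.x86_64.rpm"    # from the thread
CVE = "CVE-2016-2775"

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does (simplified:
    the '~' and '^' sorting hints are not handled). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)            # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment outranks an alpha one
        elif x != y:
            return -1 if x < y else 1          # alpha segments compare lexically
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1  # extra trailing segments mean newer
    return 0


def split_nvra(filename: str):
    """'bind-9.8.2-0.62.rc1.el6_9.5.x86_64[.rpm]' -> (name, version, release, arch)."""
    s = filename[:-4] if filename.endswith(".rpm") else filename
    name, version, release_arch = s.rsplit("-", 2)
    release, arch = release_arch.rsplit(".", 1)
    return name, version, release, arch


def is_at_or_above(installed: str, fixed: str) -> bool:
    """True when the installed version-release is >= the errata's.
    Epoch is assumed equal (assumption: same package stream)."""
    n1, v1, r1, _ = split_nvra(installed)
    n2, v2, r2, _ = split_nvra(fixed)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def changelog_entries_mentioning(changelog: str, cve: str):
    """Return the header line of every entry whose body mentions cve, i.e. the
    same information 'rpm -q --changelog pkg | grep -B 1 CVE-...' surfaces."""
    hits, header = [], None
    pattern = re.compile(re.escape(cve) + r"\b")
    for line in changelog.splitlines():
        if line.startswith("* "):
            header = line
        elif header is not None and pattern.search(line) and header not in hits:
            hits.append(header)
    return hits


def assess(installed: str, fixed: str, changelog: str, cve: str) -> dict:
    """Combine both checks so a scanner finding can be triaged: a missing
    changelog tag with a release at or above the errata points to a changelog
    omission rather than a missing fix."""
    return {
        "cve_in_changelog": bool(changelog_entries_mentioning(changelog, cve)),
        "release_at_or_above_errata": is_at_or_above(installed, fixed),
    }


if __name__ == "__main__":
    print(assess(INSTALLED, ERRATA_FIXED, CHANGELOG_WITHOUT_CVE, CVE))
```

On a live system the changelog text would come from `rpm -q --changelog bind` (or `repoquery --changelog`, as in the reply above) instead of the constructed constants; the comparison logic is what tells you that `el6_9.5` sorts after `el6` and so already contains everything the errata build had.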
