possible bind package bug

carock
Posts: 8
Joined: 2005/06/23 19:41:45

possible bind package bug

Post by carock » 2018/03/23 17:21:22

Our security scanner flagged our CentOS 6.9 Bind version with missing security fix for CVE-2016-2775.

Checking the changelog, this CVE fix is missing from there.

However, RedHat shows this CVE fix was published for RHEL6 with this errata RHBA-2017:0651

https://access.redhat.com/errata/RHBA-2017:0651

The package version listed in that document as fixed is bind-9.8.2-0.62.rc1.el6.x86_64.rpm

yum update shows my installed package as bind-9.8.2-0.62.rc1.el6_9.5.x86_64

And a grep of the changelog shows no match for that CVE.

#rpm -q --changelog bind | grep -B 1 CVE-2016-2775
#

Do you think this was omitted in the CentOS version, or just a changelog error?

My CentOS kernel: 2.6.32-696.23.1.el6.x86_64

Thanks,
Chuck

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: possible bind package bug

Post by TrevorH » 2018/03/23 17:34:04

The package changelog should be inherited from the RHEL package as they are built from the same SRPM. I queried the changelog for the one you say is meant to fix this and that has no entry for it either - repoquery --changelog bind-9.8.2-0.62.rc1.el6.x86_64 | less

Packages that are changed by CentOS have .centos. in their names so this one is unchanged from the copy that was issued for RHEL. It just looks like they forgot to add the CVE number to the changelog.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
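As an added illustration (not code from either poster or from the CentOS project), the following Python performs the two checks discussed in this thread: the changelog grep that came up empty, and the more reliable comparison of the installed version-release (bind-9.8.2-0.62.rc1.el6_9.5) against the errata's fixed build (bind-9.8.2-0.62.rc1.el6) using a simplified rpmvercmp. The changelog text is constructed and its entries are hypothetical.

```python
import re

# Constructed sample in `rpm -q --changelog` format; like the real bind
# changelog in this thread, it carries no tag for the CVE being checked.
SAMPLE_CHANGELOG = """* Tue Mar 14 2017 Example Packager <pkg@example.invalid> - 32:9.8.2-0.62.rc1
- Fix a named crash on malformed input (hypothetical entry)

* Mon Jan 09 2017 Example Packager <pkg@example.invalid> - 32:9.8.2-0.61.rc1
- Fix CVE-2016-8864 (hypothetical entry)
"""

def changelog_mentions(changelog: str, cve: str) -> bool:
    """Same check as `rpm -q --changelog bind | grep CVE-...`, case-insensitive."""
    return cve.upper() in changelog.upper()

def _segments(s: str) -> list:
    # RPM compares runs of digits and runs of letters; other chars are separators
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    # Equal prefix: the string with more segments (e.g. .el6_9.5) is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr: str) -> tuple:
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def has_fix(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed build is at or beyond the errata's fixed build."""
    return evr_cmp(installed_evr, fixed_evr) >= 0
```

For the versions quoted in the thread, has_fix returns True even though changelog_mentions returns False, which matches TrevorH's reading that only the changelog tag is missing.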
