Bind

Issues related to software problems.
Post Reply
pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Bind

Post by pgolding » 2014/06/19 08:04:39

Hi

I am running CENTOS 5.10 and the version of BIND is 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.69.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6

I have run YUM and there are no updates waiting. I have also checked my yum.conf to check if BIND is excluded and its not

exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* my sql* nsd* perl* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail*

I have spoken to my provider and they do not offer version CENTOS 6.0 in their VPS platform.

My question is how do I go about manually upgrading my version of bind to a supported version. I am not au faux with LINUX having a Windows background, so if you could be really clear with any assistance I would be grateful

Thanks in advance

Paul

User avatar
TrevorH
Forum Moderator
Posts: 26864
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 08:26:21

That is a supported version. The support comes from Redhat. They backpoort all security fixes from the current code to the older releases that they maintain. If you run rpm -q bind it should report bind-9.3.6-20.P1.el5_8.6
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/19 15:15:25

Hi Trevor

So my bind vulnerability is patched? but my vulnerability scan does not recognise the fact its been backported? - Is there a header or something within BIND I could update to quash the security alert?

I appreciate you help

Thanks

Paul

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Bind

Post by gerald_clark » 2014/06/19 15:22:06

Get a scanner that recognizes that one of the premier enterprise operating systems in the world patches their programs.
Please read http://wiki.centos.org/FAQ/General #23.

User avatar
TrevorH
Forum Moderator
Posts: 26864
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 17:41:53

Which vulnerability is it? You can check the rpm changelog like this rpm -q --changelog bind | grep CVE-yyyy-nnnn to see if it is listed there. If it then it is definitely fixed. If it isn't then search google for "CVE-yyy-nnn site:redhat.com" and see if Redhat have a statement there that says the version that they ship is not vulnerable to whatever the CVE is.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Bind

Post by gerald_clark » 2014/06/19 17:51:04

You appear to have a bigger problem.
Those excludes suggest you are running a control panel that has replaced supported versions of CentOS supplied programs with unsupported versions.
We cannot support these systems as they have made unknown changes, and have their own support venues.

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/19 19:47:55

TrevorH wrote:Which vulnerability is it? You can check the rpm changelog like this rpm -q --changelog bind | grep CVE-yyyy-nnnn to see if it is listed there. If it then it is definitely fixed. If it isn't then search google for "CVE-yyy-nnn site:redhat.com" and see if Redhat have a statement there that says the version that they ship is not vulnerable to whatever the CVE is.

Hi Trevor

Its not a particular CVE - the message my scanner tells me is - EOL/Obsolete Software: ISC BIND 9.1.x - 9.5.x Detected

My change log tells me I am running it has been backported to 9.3.6-20.P1.el5_8.6 - which has a build date of Jan 2013 - making me think the scanner is showing a false/positive

rpm -q --changelog bind | grep CV
- fix CVE-2012-5166
- fix CVE-2012-4244
- fix CVE-2012-3817
- fix CVE-2012-1667 and CVE-2012-1033
- fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614
CVE-2010-0097)
- improve fix for CVE-2009-4022 (#538744)
- fix CVE-2009-0696 (#514292)
- bind-9.3-CVE-2008-1447.patch
- bind-9.3-CVE-2008-0122.patch
- CVE-2008-1447
- CVE-2008-0122 (small buffer overflow in inet_network)
- CVE-2007-6283 (#419421)
- fixed cryptographically weak query id generator (CVE-2007-2926)
- added fix for #224445 - CVE-2007-0493 BIND might crash after
- added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
- added upstream patch for correct SIG handling - CVE-2006-4095
- backport selected fixes from upstream bind9 'v9_3_3b1' CVS version:

I see you are in Brighton - me too, would it be possible to have a chat about some work? - if so can you PM please

User avatar
TrevorH
Forum Moderator
Posts: 26864
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 23:32:16

Your scanner is just doing a version check so is pretty fatally flawed in the real world. All packages in RHEL are maintained and supported by Redhat from the release of the major version for 10 years so CentOS 5 will receive security updates until 2017, CentOS 6 until 2020. Redhat have a policy of taking the fix from the code from later versions and backporting it to the version that was originally released and keeping the version number the same. Most long term support linux distros do the same thing so will cause false positives in your scanner for all of them. Ignore the warning and make sure you keep up to date by regularly running yum update and you should be fine.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/20 07:28:52

Trevor

Thank you, you are a star - its had me pretty flummoxed :)

As I mentioned before, if you are in line for some work, or know someone I would be grateful if you could send me a PM - It would be great to have a knowledgeable person give my setup the once over

Once again, thank you!

Paul

Post Reply

Return to “CentOS 5 - Software Support”