Vulnerability BIND CVE-2018-5743

benodilo
Posts: 3
Joined: 2019/05/02 07:46:20

Vulnerability BIND CVE-2018-5743

Post by benodilo » 2019/05/02 12:52:51

Hello,

A high-severity flaw was posted on 24 April:
https://kb.isc.org/docs/cve-2018-5743

The last update seems really old:
rpm -q --changelog bind | less
* ven. nov. 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
- Fixes debug level comments (#1647539)

Doesn't the BIND package have backported security fixes?

Thanks for the help!

Best regards.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Vulnerability BIND CVE-2018-5743

Post by TrevorH » 2019/05/02 13:17:53

If you're looking for a fix for CVE-2018-15473 then you'd do better looking at the openssh package since that is an openssh vulnerability not one in bind.

That's a low severity username exposure and is already fixed in the copy of openssh for CentOS 6. The update for 7 is not yet available and I suspect that it will be part of 7.7 if/when that arrives in due course (there's not even a RHEL 7.7 beta as yet).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Vulnerability BIND CVE-2018-5743

Post by TrevorH » 2019/05/02 13:20:09

Meanwhile, once you remove the typos from the CVE id, you need to look at https://access.redhat.com/security/cve/cve-2018-5743 and its linked bugzilla entry. Now also corrected in the thread subject (previously was CVE-2018-15473).

benodilo
Posts: 3
Joined: 2019/05/02 07:46:20

Re: Vulnerability BIND CVE-2018-5743

Post by benodilo » 2019/05/02 13:42:32

Sorry for the subject error... :oops:
The subject is for BIND.

I'm a beginner at bug tracking. I studied the bugzilla entry and I see patches for higher versions but not for the current package 9.9.4 (CentOS 7.6).

Do you think we will have an update?

Sorry again but I do not know the process of package updates... :D

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Vulnerability BIND CVE-2018-5743

Post by TrevorH » 2019/05/02 14:50:41

https://access.redhat.com/security/cve/cve-2018-5743 will change once there is a fix. At present there is a table in there with RHEL7 and 6 and 5 listed and 6+7 both say "Affected" and the other two say "Will not fix" because those are out of support. When RH release a fix for RHEL that page will change and where it says "Affected" now will point to an entry on the Red Hat errata page listing the fix.

Once Red Hat release the fixed version for RHEL then and only then will CentOS pick up the newly released source package and rebuild it for CentOS.

You might be able to use iptables rate limiting in the meantime to bypass the problem.
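An added example, not part of any post in this thread: a shell function that scans `rpm -q --changelog` output for a CVE id and prints the header of each changelog entry that mentions it. Backported fixes keep the upstream version (9.9.4 here) and typically name the CVE in the changelog, so this is the check to repeat after an update. The function names and the first sample entry (placeholder packager, date and release `NN`) are constructed assumptions.

```shell
#!/bin/sh
# Added example. Reads `rpm -q --changelog <pkg>` text on stdin and prints the
# header line of every changelog entry whose body mentions the given CVE id.
# Exit status: 0 if at least one entry matched, 1 if none did.
# Live use:  rpm -q --changelog bind | cve_entries CVE-2018-5743
cve_entries() {
    awk -v cve="$1" '
        # True if line contains the id as a whole token, so that
        # CVE-2018-5743 is not reported for a longer id such as CVE-2018-57430.
        function mentions(line, pat,    pos, rest) {
            rest = line
            while ((pos = index(rest, pat)) > 0) {
                rest = substr(rest, pos + length(pat))
                if (rest !~ /^[0-9]/) return 1
            }
            return 0
        }
        BEGIN { pat = tolower(cve); found = 0 }
        # Entry header: "* <date> <packager> - <epoch:version-release>"
        /^\* / { header = $0; printed = 0; next }
        # Body line: report the owning entry once, case-insensitively.
        !printed && mentions(tolower($0), pat) {
            print header; printed = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample input. The first entry is a placeholder showing what a
# backported fix could look like; the second is the entry quoted in the thread.
sample_changelog() {
    cat <<'EOF'
* Thu Jan 01 1970 Example Packager <packager@example.invalid> - 32:9.9.4-NN
- Fix CVE-2018-5743 (constructed line)

* ven. nov. 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
- Fixes debug level comments (#1647539)
EOF
}

# Demo on the constructed sample: prints the placeholder entry header.
sample_changelog | cve_entries CVE-2018-5743
```

No output and exit status 1 means no changelog entry of the installed build names the CVE, which matches what the first post saw on 9.9.4-73.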

benodilo
Posts: 3
Joined: 2019/05/02 07:46:20

Re: Vulnerability BIND CVE-2018-5743

Post by benodilo » 2019/05/03 07:47:13

Thank you very much for your comprehensive explanations and advice.

Have a nice day!