Bind

Issues related to software problems.
pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Bind

Post by pgolding » 2014/06/19 08:04:39

Hi

I am running CENTOS 5.10 and the version of BIND is 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6

I have run YUM and there are no updates waiting. I have also checked my yum.conf to check if BIND is excluded, and it's not:

exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* my sql* nsd* perl* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail*

I have spoken to my provider and they do not offer version CENTOS 6.0 in their VPS platform.

My question is how do I go about manually upgrading my version of bind to a supported version. I am not au fait with LINUX, having a Windows background, so if you could be really clear with any assistance I would be grateful.

Thanks in advance

Paul

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 08:26:21

That is a supported version. The support comes from Redhat. They backport all security fixes from the current code to the older releases that they maintain. If you run rpm -q bind it should report bind-9.3.6-20.P1.el5_8.6
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/19 15:15:25

Hi Trevor

So my bind vulnerability is patched, but my vulnerability scan does not recognise the fact it's been backported? Is there a header or something within BIND I could update to quash the security alert?

I appreciate your help

Thanks

Paul

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Bind

Post by gerald_clark » 2014/06/19 15:22:06

Get a scanner that recognizes that one of the premier enterprise operating systems in the world patches their programs.
Please read http://wiki.centos.org/FAQ/General #23.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 17:41:53

Which vulnerability is it? You can check the rpm changelog like this: rpm -q --changelog bind | grep CVE-yyyy-nnnn to see if it is listed there. If it is, then it is definitely fixed. If it isn't, then search google for "CVE-yyyy-nnnn site:redhat.com" and see if Redhat have a statement there that says the version that they ship is not vulnerable to whatever the CVE is.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Bind

Post by gerald_clark » 2014/06/19 17:51:04

You appear to have a bigger problem.
Those excludes suggest you are running a control panel that has replaced supported versions of CentOS supplied programs with unsupported versions.
We cannot support these systems as they have made unknown changes, and have their own support venues.
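The point above, that a control panel may have swapped supported CentOS packages for its own builds, can be checked from RPM metadata rather than guessed from a yum exclude list. The script below is an added example and not from the thread or from any panel vendor: on a real host the input would be the output of rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{VENDOR}\n'; here the list is constructed (package names, versions and the vendor string "Example Panel Vendor" are illustrative, not a record of any real system) so it runs offline. It flags a package for either of two signals: a vendor other than the distribution's, or a release field without the distribution tag (el5 here).

```bash
#!/bin/bash
# Added example: spot packages that did not come from the distribution.
# Constructed sample in the shape of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{VENDOR}\n'
# The bind line is the one from the thread; the others are illustrative.
sample_rpm_list() {
    printf 'bind-9.3.6-20.P1.el5_8.6\tCentOS\n'
    printf 'sample-lib-1.0-1.el5\tCentOS\n'
    printf 'httpd-2.2-1.panel\tExample Panel Vendor\n'
    printf 'php-5.4-1.panel\tExample Panel Vendor\n'
    printf 'mydns-1.2-1.el5\t(none)\n'
}

# Usage: foreign_packages [expected_vendor] [dist_tag]   (rpm list on stdin)
# Prints NVR<TAB>VENDOR<TAB>REASON for every package that either carries a
# vendor other than the expected one (case-insensitive) or whose release
# field does not contain ".<dist_tag>". Packages matching both rules are
# reported once with both reasons. Nothing is printed for clean packages.
foreign_packages() {
    awk -F'\t' -v want="${1:-CentOS}" -v tag="${2:-el5}" '
    {
        nvr = $1; vendor = $2; reason = ""
        if (tolower(vendor) != tolower(want)) reason = "vendor"
        if (index(nvr, "." tag) == 0)
            reason = (reason == "" ? "" : reason ",") "no-dist-tag"
        if (reason != "") print nvr "\t" vendor "\t" reason
    }'
}

# Number of flagged packages in the constructed sample.
count_foreign_sample() {
    sample_rpm_list | foreign_packages CentOS el5 | wc -l | tr -d ' '
}

# Reason string for one flagged package in the sample (empty if not flagged).
reason_for_sample() {
    sample_rpm_list | foreign_packages CentOS el5 \
        | awk -F'\t' -v pkg="$1" 'index($1, pkg "-") == 1 { print $3 }'
}
```

On a real system pipe rpm -qa through foreign_packages with the vendor string your distribution uses; anything it prints is a package the distribution's security backports will never reach, which is exactly the situation the exclude list in this thread hints at.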

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/19 19:47:55

TrevorH wrote:Which vulnerability is it? You can check the rpm changelog like this: rpm -q --changelog bind | grep CVE-yyyy-nnnn to see if it is listed there. If it is, then it is definitely fixed. If it isn't, then search google for "CVE-yyyy-nnnn site:redhat.com" and see if Redhat have a statement there that says the version that they ship is not vulnerable to whatever the CVE is.

Hi Trevor

It's not a particular CVE. The message my scanner tells me is: EOL/Obsolete Software: ISC BIND 9.1.x - 9.5.x Detected

My change log tells me it has been backported to 9.3.6-20.P1.el5_8.6, which has a build date of Jan 2013, making me think the scanner is showing a false positive.

rpm -q --changelog bind | grep CV
- fix CVE-2012-5166
- fix CVE-2012-4244
- fix CVE-2012-3817
- fix CVE-2012-1667 and CVE-2012-1033
- fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614
CVE-2010-0097)
- improve fix for CVE-2009-4022 (#538744)
- fix CVE-2009-0696 (#514292)
- bind-9.3-CVE-2008-1447.patch
- bind-9.3-CVE-2008-0122.patch
- CVE-2008-1447
- CVE-2008-0122 (small buffer overflow in inet_network)
- CVE-2007-6283 (#419421)
- fixed cryptographically weak query id generator (CVE-2007-2926)
- added fix for #224445 - CVE-2007-0493 BIND might crash after
- added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
- added upstream patch for correct SIG handling - CVE-2006-4095
- backport selected fixes from upstream bind9 'v9_3_3b1' CVS version:

I see you are in Brighton; me too. Would it be possible to have a chat about some work? If so, can you PM me please?

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bind

Post by TrevorH » 2014/06/19 23:32:16

Your scanner is just doing a version check so is pretty fatally flawed in the real world. All packages in RHEL are maintained and supported by Redhat from the release of the major version for 10 years so CentOS 5 will receive security updates until 2017, CentOS 6 until 2020. Redhat have a policy of taking the fix from the code from later versions and backporting it to the version that was originally released and keeping the version number the same. Most long term support linux distros do the same thing so will cause false positives in your scanner for all of them. Ignore the warning and make sure you keep up to date by regularly running yum update and you should be fine.
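The two pieces of advice in this thread, check the changelog for the CVE rather than trusting the version string, and understand that a backport changes the release field but not the upstream version, can both be turned into a small script. The one below is an added example, not code from the thread or from Red Hat or ISC. The changelog lines it parses are the ones the original poster pasted, so it runs offline; on a live host feed cve_fixed the output of rpm -q --changelog bind instead. nvr_parts splits a package name-version-release string such as bind-9.3.6-20.P1.el5_8.6 the way rpm does (release is the last hyphen-separated field, version the one before it, the rest is the name, which may itself contain hyphens, as bind-chroot does).

```bash
#!/bin/bash
# Added example: answer "is this CVE fixed in the installed package?" from
# the RPM changelog, and show where a backport is visible in the NVR.

# The changelog lines as pasted in the thread (rpm -q --changelog bind | grep CV).
changelog_sample() {
    cat <<'EOF'
- fix CVE-2012-5166
- fix CVE-2012-4244
- fix CVE-2012-3817
- fix CVE-2012-1667 and CVE-2012-1033
- fixes for CVE-2010-3762, CVE-2010-3613 and CVE-2010-3614
CVE-2010-0097)
- improve fix for CVE-2009-4022 (#538744)
- fix CVE-2009-0696 (#514292)
- bind-9.3-CVE-2008-1447.patch
- bind-9.3-CVE-2008-0122.patch
- CVE-2008-1447
- CVE-2008-0122 (small buffer overflow in inet_network)
- CVE-2007-6283 (#419421)
- fixed cryptographically weak query id generator (CVE-2007-2926)
- added fix for #224445 - CVE-2007-0493 BIND might crash after
- added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
- added upstream patch for correct SIG handling - CVE-2006-4095
- backport selected fixes from upstream bind9 'v9_3_3b1' CVS version:
EOF
}

# Usage: nvr_parts NAME-VERSION-RELEASE   -> prints "NAME VERSION RELEASE"
# A version-only scanner compares the middle field (9.3.6) against upstream;
# the backported fixes live in the RELEASE field (20.P1.el5_8.6).
nvr_parts() {
    nvr=$1
    release=${nvr##*-}
    rest=${nvr%-*}
    version=${rest##*-}
    name=${rest%-*}
    printf '%s %s %s\n' "$name" "$version" "$release"
}

# Distinct CVE identifiers mentioned in the changelog on stdin, one per line.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: cve_fixed CVE-yyyy-nnnn   (changelog on stdin)
# Exit 0 if the identifier appears as a whole token, 1 otherwise. The explicit
# boundaries matter: a plain grep for CVE-2012-516 would "match" CVE-2012-5166.
cve_fixed() {
    grep -qE -- "(^|[^0-9A-Za-z])$1([^0-9]|$)"
}

# Human-readable verdict for one CVE against the sample changelog.
# Exit status mirrors cve_fixed so it can be used in scripts.
report_cve() {
    if changelog_sample | cve_fixed "$1"; then
        printf '%s: listed in changelog, fix is backported\n' "$1"
        return 0
    fi
    printf '%s: not in changelog; check the vendor CVE page before assuming exposure\n' "$1"
    return 1
}

# Number of distinct CVEs named in the sample changelog.
sample_cve_count() {
    changelog_sample | list_cves | wc -l | tr -d ' '
}

# Example invocations once this file is sourced:
#   nvr_parts "$(rpm -q bind)"
#   rpm -q --changelog bind | cve_fixed CVE-2012-5166 && echo fixed
```

Note what a negative result means: "not in the changelog" is not "vulnerable". A CVE can be absent because the shipped code never contained the affected feature, which is why the post above sends you to the vendor's CVE page as the second step.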

pgolding
Posts: 4
Joined: 2014/06/19 07:55:50

Re: Bind

Post by pgolding » 2014/06/20 07:28:52

Trevor

Thank you, you are a star. It's had me pretty flummoxed :)

As I mentioned before, if you are in line for some work, or know someone, I would be grateful if you could send me a PM. It would be great to have a knowledgeable person give my setup the once over.

Once again, thank you!

Paul
