Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-24 Thread James B. Byrne

On Wed, February 23, 2011 13:07, Markus Falb wrote:
> On 23.2.2011 18:27, Larry Vaden wrote:
>> US-CERT encourages users and administrators using the affected
>> versions of BIND to upgrade to BIND 9.7.3.
>>
>> Optionally, one can wait on a backport.
>
> Ahhh!
>
> Have a look at the relevant bugzilla ticket at
> https://bugzilla.redhat.com/show_bug.cgi?id=679496
> and read
>
> ...snip
> This issue did not affect the versions of bind as shipped with
> Red Hat Enterprise Linux 4, 5, or 6.
> snap...


I guess this is what you get when you settle for an
'enterprisey' distro.  Dated software that somebody else got to find
the bugs in.  Poor chaps.



-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Larry Vaden
US-CERT encourages users and administrators using the affected
versions of BIND to upgrade to BIND 9.7.3.

Optionally, one can wait on a backport.


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Brunner, Brian T.
> -Original Message-
> From: centos-boun...@centos.org
> [mailto:centos-boun...@centos.org] On Behalf Of Larry Vaden
> Sent: Wednesday, February 23, 2011 12:27 PM
> To: CentOS mailing list
> Subject: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued
>
> US-CERT encourages users and administrators using the affected
> versions of BIND to upgrade to BIND 9.7.3.
>
> Optionally, one can wait on a backport.

Optionally, start BIND with the parameter to restrict BIND to one thread
(-n 1).
This prevents the deadlock which, though fatal to BIND when it happens,
is a remote probability.
***
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error please
notify the system manager. This footnote also confirms that this
email message has been swept for the presence of computer viruses.
www.Hubbell.com - Hubbell Incorporated**



Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread m . roth
Larry Vaden wrote:
> US-CERT encourages users and administrators using the affected
> versions of BIND to upgrade to BIND 9.7.3.
>
> Optionally, one can wait on a backport.

Larry, go away. You don't seem to contribute anything at all to the list,
other than your obnoxiousness, and your desire to start flamewars, which
presumably give you some kind of jollies.

Yes, most of us saw this today on slashdot, if nowhere else. I would
expect RH to have the fix out in a day or two, and CentOS to have it out
the same day.

   mark



Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Markus Falb
On 23.2.2011 18:27, Larry Vaden wrote:
> US-CERT encourages users and administrators using the affected
> versions of BIND to upgrade to BIND 9.7.3.
>
> Optionally, one can wait on a backport.

Ahhh!

Have a look at the relevant bugzilla ticket at
https://bugzilla.redhat.com/show_bug.cgi?id=679496
and read

...snip
This issue did not affect the versions of bind as shipped with
Red Hat Enterprise Linux 4, 5, or 6.
snap...

-- 
Best Regards, Markus Falb





Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Digimer
On 02/23/2011 12:55 PM, m.r...@5-cent.us wrote:
> Larry Vaden wrote:
>> US-CERT encourages users and administrators using the affected
>> versions of BIND to upgrade to BIND 9.7.3.
>>
>> Optionally, one can wait on a backport.
>
> Larry, go away. You don't seem to contribute anything at all to the list,
> other than your obnoxiousness, and your desire to start flamewars, which
> presumably give you some kind of jollies.
>
> Yes, most of us saw this today on slashdot, if nowhere else. I would
> expect RH to have the fix out in a day or two, and CentOS to have it out
> the same day.
>
> mark

Mark,

  I don't want to raise the drama, so please don't take this wrong. In
this case though, I do think that a warning on the ML about a security
issue is justified. You can't be too careful.

  That said, Larry, your recent messages to the list have been
problematic. Reactions like this to your messages should be a pretty
clear indication that your messages have been less than contributing to
the community. Take a step back and think about your posts until stress
has diminished.

  Everyone else; I'll admit right off that I am just another user. That
said, there are list admins. If there are issues with a given poster,
please locate these admins and send a private email. This is equal parts
effective and helps to keep the drama to a minimum.

  With this, I'll withdraw from this discussion.

-- 
Digimer
E-Mail: digi...@alteeve.com
AN!Whitepapers: http://alteeve.com
Node Assassin:  http://nodeassassin.org


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread James Hogarth
> I don't want to raise the drama, so please don't take this wrong. In
> this case though, I do think that a warning on the ML about a security
> issue is justified. You can't be too careful.


Except that this issue does not affect BIND in rhel and thus CentOS
therefore making it yet more pointless drivel from the OP.

He obviously has a fascination with the BIND version in rhel but after
reading all his nonsense and looking at the texoma site I doubt it had
anything to do with the alleged hack of his server.

James


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Always Learning

Many thanks to Markus Falb for publishing his excellent research - the
same research that Larry could also have done.

This issue did not affect the versions of bind as shipped with
Red Hat Enterprise Linux 4, 5, or 6.

James Hogarth wrote:

> He obviously has a fascination with the BIND version ...

Larry doesn't. Larry is desperate to win 'approval' or 'praise' from
others. He means well.  Larry should seek help, confide in someone and
unload all his problems privately and confidentially. Then he will be,
and feel, a lot better.

Great to know this list has good researchers like Markus Falb.


With best regards,

Paul.
England,
EU.




Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Larry Vaden
On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hoga...@gmail.com wrote:

> Except that this issue does not affect BIND in rhel and thus CentOS
> therefore making it yet more pointless drivel from the OP.

Please take off the blinders and realize there are lots of folks (some
x% of a million or more) on this list who compile from current source
in order to minimize their risks and are therefore the subject
audience.

On the one hand, you have Paul Vixie and crew (authors of BIND) and
US-CERT saying "US-CERT encourages users and administrators using the
affected versions of BIND to upgrade to BIND 9.7.3."  On the other
hand, you have "don't bother me with reality, I'm comfortable, am not
affected and don't want to read messages to those who are affected."

Wisdom from a top security manager at Internet2 was presented on this
list.  Ignore his advice all you want.


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Larry Vaden
On Wed, Feb 23, 2011 at 1:14 PM, Always Learning cen...@g7.u22.net wrote:

> Many thanks to Markus Falb for publishing his excellent research - the
> same research that Larry could also have done.
>
>         This issue did not affect the versions of bind as shipped with
>         Red Hat Enterprise Linux 4, 5, or 6.

You are overlooking those on the list who are affected.  Enuf said.


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Eero Volotinen
2011/2/23 Larry Vaden va...@texoma.net:
> On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hoga...@gmail.com
> wrote:
>
>> Except that this issue does not affect BIND in rhel and thus CentOS
>> therefore making it yet more pointless drivel from the OP.
>
> Please take off the blinders and realize there are lots of folks (some
> x% of a million or more) on this list who compile from current source
> in order to minimize their risks and are therefore the subject
> audience.

It is not wise to install packages from sources because it messes up the
package management.

--
Eero


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Trutwin, Joshua
> Please take off the blinders and realize there are lots of folks (some x% of a
> million or more) on this list who compile from current source in order to
> minimize their risks and are therefore the subject audience.
>
> On the one hand, you have Paul Vixie and crew (authors of BIND) and
> US_CERT saying US-CERT encourages users and administrators using the
> affected versions of BIND to upgrade to BIND 9.7.3.  On the other hand, you
> have don't bother me with reality, I'm comfortable, am not affected and
> don't want to read messages to those who are affected.

I've only been subscribed here a week and this topic seems very heated, so 
sorry if this stirs the pot up again, but don't patches for these things get 
back-ported?  So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x 
you'd still have security fixes like those in this article backported right?

And yeah I suppose rolling your own is always an option but in my experience 
it's too easy to get behind.  This seems more like a Slackware approach tho, 
nothing against Slack of course!

Josh
 



Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Les Mikesell
On 2/23/2011 1:21 PM, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hoga...@gmail.com
> wrote:
>
>> Except that this issue does not affect BIND in rhel and thus CentOS
>> therefore making it yet more pointless drivel from the OP.
>
> Please take off the blinders and realize there are lots of folks (some
> x% of a million or more) on this list who compile from current source
> in order to minimize their risks and are therefore the subject
> audience.

Someone who thinks they can do things better themselves than RH does it 
probably isn't going to take advice from a random mail list poster.  And 
when you compile your own source you take on the responsibility of 
tracking updates yourself.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Larry Vaden
On Wed, Feb 23, 2011 at 1:25 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

> It is not wise to install packages from sources because it messes the package
> management.

Agreed; that is why folks like Jeff Johnson and John Stanley share
their knowledge about how to do it such that your outcome doesn't
occur.


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Always Learning

On Wed, 2011-02-23 at 13:23 -0600, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:14 PM, Always Learning cen...@g7.u22.net wrote:
>
>> Many thanks to Markus Falb for publishing his excellent research - the
>> same research that Larry could also have done.
>>
>> This issue did not affect the versions of bind as shipped with
>> Red Hat Enterprise Linux 4, 5, or 6.
>
> You are overlooking those on the list who are affected.  Enuf said.

Larry,

I suspect the vast majority of Centos 5 users simply install Centos
software. They do not routinely install non-Centos versions to replace
Centos versions.

This list is about Centos versions of software - hence its simple title,
the Centos Mailing List. 

If a user installs non-Centos versions of software it is for the user to
take extra precautions in case of bugs affecting non-Centos software.

If you had done the necessary research Centos users would not get
alarmed at serious reports of dangerous bugs in Centos software. Your
posting clearly inferred the dangers affected the Centos version which,
it subsequently transpired, was untrue. I hope you can understand this
point that there is a distinct difference between Centos application
software and non-Centos application software running on the Centos
operating system.


With best regards,

Paul.
England,
EU.




Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Keith Keller
On Wed, Feb 23, 2011 at 07:28:15PM +, Trutwin, Joshua wrote:

[ > Larry Vaden wrote: (please don't snip attributions)]

>> Please take off the blinders and realize there are lots of folks (some x% of a
>> million or more) on this list who compile from current source in order to
>> minimize their risks and are therefore the subject audience.

If they have compiled from source then it is by definition not a CentOS
issue.

>> On the one hand, you have Paul Vixie and crew (authors of BIND) and
>> US_CERT saying US-CERT encourages users and administrators using the
>> affected versions of BIND to upgrade to BIND 9.7.3.

Anyone running a CentOS-provided version of BIND is not using an
affected version.

>> On the other hand, you
>> have don't bother me with reality, I'm comfortable, am not affected and
>> don't want to read messages to those who are affected.

Those messages are offtopic on this mailing list, so I sympathize with
people who have the attitude you describe.  Someone who had more
credibility with the list might be able to post offtopic messages (which
they would have marked [OT]) without causing a flamewar.

> I've only been subscribed here a week and this topic seems very heated, so
> sorry if this stirs the pot up again, but don't patches for these things get
> back-ported?  So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x
> you'd still have security fixes like those in this article backported right?

If you're running BIND 9.5.1, you are not susceptible to the bug that
Larry posted at all.  In general, security bugs that are applicable to
RHEL packages are patched upstream then rebuilt and released by CentOS.

> And yeah I suppose rolling your own is always an option but in my experience
> it's to easy to get behind.  This seems more like a Slackware approach tho,
> nothing against Slack of course!

Rolling one's own is an option for any distribution, including CentOS.
But rolling one's own by definition removes those packages from the
support stream for that distro, so should be taken into consideration
when deciding whether to roll one's own or not.

--keith


-- 
kkel...@wombat.san-francisco.ca.us



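Two technical points get lost in the noise above: Brian Brunner's note that a self-built BIND in the affected range can be run single-threaded (-n 1) until it is upgraded to 9.7.3, and Keith Keller's point that a CentOS-packaged BIND carries backported fixes, so its version number alone says nothing about whether an upstream advisory applies. The script below is an added example written for this page, not code from the thread or from any poster or from ISC. It separates the two cases the thread conflates: if named belongs to an RPM, the vendor errata (and the bugzilla ticket Markus linked) are the source of truth; if it was built from source, the upstream version decides. One assumption is not stated anywhere in the thread and is taken from ISC's advisory for this issue: the affected releases are 9.7.1 through 9.7.2-P3. All function names are the editor's own.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread). Decides whether the
# BIND on this host needs action for the deadlock advisory discussed above.
#
# Assumption not stated in the thread (taken from ISC's advisory):
# affected releases are 9.7.1 through 9.7.2-P3; 9.7.3 is the fixed release.

# Turn "9.7.2-P3" (or a vendor string such as "9.7.2-P3-RedHat-...") into
# four numeric fields: major minor patch plevel.
bind_version_fields() {
    ver=$1
    base=${ver%%-*}                 # "9.7.2"
    suffix=${ver#"$base"}           # "-P3", "-P3-RedHat-...", or ""
    pl=0
    case $suffix in
        -P[0-9]*) pl=${suffix#-P}; pl=${pl%%[!0-9]*} ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "9.7" has no third field
    echo "$major $minor $patch $pl"
}

# Collapse the fields into one integer so versions can be compared with -ge/-le.
bind_version_num() {
    set -- $(bind_version_fields "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Exit 0 when an upstream-built named of this version is in the affected range.
bind_deadlock_affected() {
    n=$(bind_version_num "$1")
    [ "$n" -ge "$(bind_version_num 9.7.1)" ] && \
    [ "$n" -le "$(bind_version_num 9.7.2-P3)" ]
}

# Classify a host. Prints one of:
#   vendor-package       named comes from an RPM: rely on the vendor errata,
#                        the version number does not reflect backported fixes
#   self-built-affected  upstream build inside the affected range
#   self-built-clear     upstream build outside the affected range
#   no-named             nothing to check
# $1 = version as printed by "named -v" (without the leading "BIND "),
# $2 = "rpm" if the binary is owned by a package, anything else otherwise.
classify_bind() {
    ver=$1; owner=$2
    [ -z "$ver" ] && { echo no-named; return; }
    if [ "$owner" = rpm ]; then
        echo vendor-package
    elif bind_deadlock_affected "$ver"; then
        echo self-built-affected
    else
        echo self-built-clear
    fi
}

# Collect the two facts from the live system (prints nothing off a BIND host).
live_bind_version() {
    command -v named >/dev/null 2>&1 || return 0
    named -v 2>/dev/null | awk '$1 == "BIND" { print $2 }'
}
live_bind_owner() {
    bin=$(command -v named 2>/dev/null) || return 0
    rpm -qf "$bin" >/dev/null 2>&1 && echo rpm || echo source
}

# Stand-alone run: report on this host.
classify_bind "$(live_bind_version)" "$(live_bind_owner)"
```

A "self-built-affected" result is the only case where the thread's two options apply: upgrade that build to 9.7.3, or, as Brian suggests, start it with -n 1 in the meantime. A "vendor-package" result means the version string is a RHEL/CentOS build with its own fix history, and the errata for that package, not the upstream version number, is what to check.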


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread John Hinton
On 2/23/2011 2:23 PM, Larry Vaden wrote:
> On Wed, Feb 23, 2011 at 1:14 PM, Always Learning cen...@g7.u22.net wrote:
>> Many thanks to Markus Falb for publishing his excellent research - the
>> same research that Larry could also have done.
>>
>> This issue did not affect the versions of bind as shipped with
>> Red Hat Enterprise Linux 4, 5, or 6.
> You are overlooking those on the list who are affected.  Enuf said.

Larry,

Did you get your broken nameserver(s) fixed? Or are you maybe just 
complaining here trying to get a new release out which more than likely 
will not fix your issue, but it is easier to blame CentOS than to look 
at your install? If so, you more than likely will be let down when you 
find there is no magic wand in a new update.

That said... I personally believe that upstream provides a rather stock 
install of bind, perhaps meant more for an intranet than the internet? 
Bind just might be the single hardest part of running a webserver. But, 
I spent a number of days reading on hardening bind and then the testing 
and moving into production. Larry, have you done this?

If texoma.net is one of the affected domains, I note that there are some 
problems with DNS for that domain. The 2 level3.net nameservers are not 
providing either full or maybe correct information. If this is the case 
for other domains you manage, this is a serious problem and as DNS can be 
rather finicky, might be the root of your entire perceived problem.

And, if you think you had an injection, please do some googling on 
hardening bind. There is a lot of good information out there. To me, 
this is what is needed today and is well beyond a standard bind 
installation done by CentOS.

If in fact texoma.net is an example of the problem with all of the 
domains under your control, please fix your own house and quit 
complaining here until you have cleaned up things on your end. What I 
see has 0 to do with the bind version on CentOS. In fact, if you don't 
fix this before an upgrade, you may have a larger mess afterwards.

I don't envy the task as I know very well that this is not easy. 
Alternatively, maybe you should consider using a service such as 
dnsmadeeasy... although they recently experienced a significant downtime 
themselves due to a huge DoS attack coming in from all over the world.

Is it possibly a bit hypocritical to complain about other people's 
houses being dirty when you live in a dirty house yourself?

Best,
John Hinton


Re: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

2011-02-23 Thread Kai Schaetzl
Larry Vaden wrote on Wed, 23 Feb 2011 13:21:23 -0600:

> Please take off the blinders and realize there are lots of folks (some
> x% of a million or more) on this list who compile from current source
> in order to minimize their risks and are therefore the subject
> audience.

Nonsense, there is no minimization of risk by doing so.

Please don't argue about the worthiness of your information. It's been 
said to you time and again that most here do not wish to see that kind of 
information. Thanks.

Kai

