Re: [CentOS] Bind Vulnerability CVE-2016-2775
On Thu, Sep 01, 2016 at 08:34:08AM +, James Pearson wrote:
> Sidharth Sharma:
> > When we can expect Security Update for Bind Vulnerability on Centos 6.8/7.2?
> > ISC BIND Lightweight Resolver Protocol Req Processing Dos Vulnerability:
> > CVE-2016-2775
>
> See:
>
> https://access.redhat.com/security/cve/cve-2016-2775

The important takeaway is that Red Hat has marked it as "Will Not Fix", and in the BZ, the statement is:

"Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Note that this issue only affects BIND deployments that make use of the non-default lightweight resolver protocol for name resolution."

-- 
Jonathan Billings
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Bind Vulnerability CVE-2016-2775
On 2016-09-01 4:34 am, James Pearson wrote:
> Sidharth Sharma:
> > When we can expect Security Update for Bind Vulnerability on Centos 6.8/7.2?
> > ISC BIND Lightweight Resolver Protocol Req Processing Dos Vulnerability:
> > CVE-2016-2775
>
> See:
>
> https://access.redhat.com/security/cve/cve-2016-2775

Ouch!

Affected Packages State

Platform                     Package   State
Red Hat Enterprise Linux 5   bind97    Will not fix
Red Hat Enterprise Linux 6   bind      Will not fix
Red Hat Enterprise Linux 5   bind      Will not fix
Red Hat Enterprise Linux 7   bind      Will not fix

-- 
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore."
--Colonel Jack O'Neill, SG1
Re: [CentOS] Bind Vulnerability CVE-2016-2775
Sidharth Sharma:
> When we can expect Security Update for Bind Vulnerability on Centos 6.8/7.2?
> ISC BIND Lightweight Resolver Protocol Req Processing Dos Vulnerability:
> CVE-2016-2775

See:

https://access.redhat.com/security/cve/cve-2016-2775

James Pearson
Re: [CentOS] BIND vulnerability
On 07/30/2009 10:32 PM, Ned Slider wrote:
> Benjamin Franz wrote:
> > Ned Slider wrote:
> > > Benjamin Franz wrote:
> > > > Ned Slider wrote:
> > > > > The fix has been available for a long time:
> > > > >
> > > > > https://rhn.redhat.com/errata/RHBA-2009-0440.html
> > > >
> > > > I'm not sure that is the 'fix'. My systems were completely up-to-date as of last week so I should not have had a problem with that. And yet I did.
> > >
> > > $ rpm -q yum-metadata-parser
> > > yum-metadata-parser-1.1.2-3.el5
> > >
> > > What do you have?
> >
> > $ rpm -q yum-metadata-parser
> > yum-metadata-parser-1.1.2-2.el5
> >
> > > CentOS has not released this update.
>
> Ah. That explains it. You can get it from here:
>
> http://elrepo.org/linux/fasttrack/el5/
>
> or you can wait for 5.4 to be released which will contain this update.

Thank you!
Re: [CentOS] BIND vulnerability
Hi All,

I am using a caching DNS server with Bind 9:

bind-utils-9.3.4-10.P1.el5_3.1
bind-9.3.4-10.P1.el5_3.1
bind-chroot-9.3.4-10.P1.el5_3.1
system-config-bind-4.0.3-2.el5.centos
bind-libs-9.3.4-10.P1.el5_3.1

I am getting this error:

named[22851]: mem.c:1061: REQUIRE(((ctx) != ((void *)0)) && (((const isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 | ('C')))))) failed
named[22851]: exiting (due to assertion failure)

Is this related to the above bug?

Thanks in advance
shprahi

On Wed, Jul 29, 2009 at 9:45 PM, Kenneth Porter sh...@sewingwitch.com wrote:
> Slashdot carried this story yesterday on a BIND vulnerability:
>
> http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9
>
> The upstream report:
>
> https://www.isc.org/node/474
>
> Red Hat's Bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=514292
>
> From what I'm reading, if one has an Internet-facing master for a zone, one is vulnerable, even if dynamic DNS isn't being used.
Re: [CentOS] BIND vulnerability
On 07/29/2009 10:15 PM, Karanbir Singh wrote:
> ...
> The CentOS update has now been released, you should be able to yum update on C5 already.

Thanks!

On my C5 server:

# rpm -qa bind
bind-9.3.4-10.P1.el5_3.3

On my RHEL 5 server:

# rpm -qa bind
bind-9.3.4-10.P1.el5_3.1
# yum clean all
# yum update
...
Setting up Update Process
No Packages marked for Update

CentOS quicker than upstream? :-)

Mogens

-- 
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Mobile: +45 22 12 53 25
Email: m...@crc.dk Homepage: http://www.crc.dk
Re: [CentOS] BIND vulnerability
Been watching the bind thing for a few days and waiting for my daily yum to update. Finally did it by hand and got an interesting message.

The python dependency killed my yum...lol. A quick look online and I see a few thousand fedora and redhat issues with this python thing. Strange that it is trying to install a package update only to find that package is not there. Yeesh

But was able to run yum update bind and get the issues resolved.

--> Running transaction check
---> Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
--> Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
--> Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
--> Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
--> Finished Dependency Resolution
libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving problems
  --> Missing Dependency: /usr/lib64/python2.4 is needed by package libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
  --> Missing Dependency: /usr/lib64/python2.4 is needed by package libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
  --> Missing Dependency: /usr/lib64/python2.4 is needed by package gamin-python-0.1.7-8.el5.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package gamin-python-0.1.7-8.el5.x86_64 (installed)
Re: [CentOS] BIND vulnerability
yum clean all

financial.com AG

Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany
Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany
Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach
Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender)
Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
Re: [CentOS] BIND vulnerability
Bob Hoffman wrote:
> Been watching the bind thing for a few days and waiting for my daily yum to update. Finally did it by hand and got an interesting message.
>
> The python dependency killed my yum...lol. A quick look online and I see a few thousand fedora and redhat issues with this python thing. Strange that it is trying to install a package update only to find that package is not there. Yeesh
>
> But was able to run yum update bind and get the issues resolved.
>
> [...]

I found that for all three of my bind servers that it needed

yum clean all
yum update

to find the updates and install - no issues with py.

HTH
rob
Re: [CentOS] BIND vulnerability
Bob Hoffman wrote:
> Been watching the bind thing for a few days and waiting for my daily yum to update. Finally did it by hand and got an interesting message.
>
> The python dependency killed my yum...lol. A quick look online and I see a few thousand fedora and redhat issues with this python thing. Strange that it is trying to install a package update only to find that package is not there. Yeesh
>
> But was able to run yum update bind and get the issues resolved.
>
> [...]

Try doing:

yum clean all
yum update

That did it for me. Thanks goes to John R. Dennison for the fix.

-- 
Benjamin Franz
Re: [CentOS] BIND vulnerability
Benjamin Franz wrote:
> Bob Hoffman wrote:
> > Been watching the bind thing for a few days and waiting for my daily yum to update. Finally did it by hand and got an interesting message.
> >
> > The python dependency killed my yum...lol. A quick look online and I see a few thousand fedora and redhat issues with this python thing. Strange that it is trying to install a package update only to find that package is not there. Yeesh
> >
> > But was able to run yum update bind and get the issues resolved.
> >
> > [...]
>
> Try doing:
>
> yum clean all
> yum update
>
> That did it for me. Thanks goes to John R. Dennison for the fix.

The fix has been available for a long time:

https://rhn.redhat.com/errata/RHBA-2009-0440.html
Re: [CentOS] BIND vulnerability
Ned Slider wrote:
> Benjamin Franz wrote:
> > Bob Hoffman wrote:
> > > Been watching the bind thing for a few days and waiting for my daily yum to update. Finally did it by hand and got an interesting message.
> > >
> > > The python dependency killed my yum...lol. A quick look online and I see a few thousand fedora and redhat issues with this python thing. Strange that it is trying to install a package update only to find that package is not there. Yeesh
> > >
> > > But was able to run yum update bind and get the issues resolved.
> > >
> > > [...]
> >
> > Try doing:
> >
> > yum clean all
> > yum update
> >
> > That did it for me. Thanks goes to John R. Dennison for the fix.
>
> The fix has been available for a long time:
>
> https://rhn.redhat.com/errata/RHBA-2009-0440.html

I'm not sure that is the 'fix'.

My systems were completely up-to-date as of last week so I should not have had a problem with that. And yet I did.

-- 
Benjamin Franz
Re: [CentOS] BIND vulnerability
Benjamin Franz wrote:
> Ned Slider wrote:
> > The fix has been available for a long time:
> >
> > https://rhn.redhat.com/errata/RHBA-2009-0440.html
>
> I'm not sure that is the 'fix'. My systems were completely up-to-date as of last week so I should not have had a problem with that. And yet I did.

$ rpm -q yum-metadata-parser
yum-metadata-parser-1.1.2-3.el5

What do you have?

CentOS has not released this update.
Re: [CentOS] BIND vulnerability
Benjamin Franz wrote:
> Ned Slider wrote:
> > Benjamin Franz wrote:
> > > Ned Slider wrote:
> > > > The fix has been available for a long time:
> > > >
> > > > https://rhn.redhat.com/errata/RHBA-2009-0440.html
> > >
> > > I'm not sure that is the 'fix'. My systems were completely up-to-date as of last week so I should not have had a problem with that. And yet I did.
> >
> > $ rpm -q yum-metadata-parser
> > yum-metadata-parser-1.1.2-3.el5
> >
> > What do you have?
>
> $ rpm -q yum-metadata-parser
> yum-metadata-parser-1.1.2-2.el5
>
> > CentOS has not released this update.

Ah. That explains it. You can get it from here:

http://elrepo.org/linux/fasttrack/el5/

or you can wait for 5.4 to be released which will contain this update.
Re: [CentOS] BIND vulnerability
On 07/29/2009 05:15 PM, Kenneth Porter wrote:
> From what I'm reading, if one has an Internet-facing master for a zone, one is vulnerable, even if dynamic DNS isn't being used.

yes, which is one of many reasons why a zone master is usually set up to not be publicly available.

-- 
Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] BIND vulnerability
Kenneth Porter wrote:
> Slashdot carried this story yesterday on a BIND vulnerability:
>
> http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9

According to a commenter, this should provide a temporary countermeasure:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Haven't tested it, would like to know the results...

Glenn

> The upstream report:
>
> https://www.isc.org/node/474
>
> Red Hat's Bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=514292
>
> From what I'm reading, if one has an Internet-facing master for a zone, one is vulnerable, even if dynamic DNS isn't being used.
Re: [CentOS] BIND vulnerability
RedShift wrote:
> According to a commenter, this should provide a temporary countermeasure:
>
> iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
>
> Haven't tested it, would like to know the results...

Well, good point, but Centos does not ship libipt_u32.so. Even more, Centos 4.x is now undergoing the rebuild process, so no updates, not even security updates, are being released. Which is something I can accept. Those looking for a patched bind for Centos 4.x may use packages I have built with the CVE-2009-0696 patch.

http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Regards,
David Hrbáč
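To make the quoted u32 expression concrete: the Python below is an added example, not code from any list post or from netfilter, that reconstructs what '30>>27&0xF=5' tests. xt_u32 loads a big-endian 32-bit word at byte 30 counted from the first byte of the IP header (that is the DNS flags word followed by QDCOUNT when the IP header is 20 bytes and the transport is UDP), shifts it right by 27 to leave the QR and opcode bits, masks to the 4-bit opcode and compares with 5, the UPDATE opcode. The example runs that check and a header-aware decode against packets it constructs itself (the addresses, ports and transaction IDs are made up), and shows the caveat a practitioner wants to know before relying on the rule: the offset assumes a 20-byte IP header, so an UPDATE carried in a packet with IP options slips past it, and a rule on `-p udp` never sees updates sent over TCP.

```python
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5  # RFC 2136 dynamic update, the message type the u32 rule tries to drop


def build_dns_header(txid: int, opcode: int, qdcount: int = 1) -> bytes:
    """12-byte DNS header (RFC 1035 4.1.1); the opcode occupies bits 11..14 of the flags word."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)


def build_ipv4_udp(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 + UDP framing around a DNS payload (dummy addresses, checksums left zero)."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + ip_options
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def u32_rule_matches(packet: bytes) -> bool:
    """Evaluate '30>>27&0xF=5' the way xt_u32 does: load the big-endian 32-bit word at
    offset 30 from the first byte of the IP header, shift right 27 (leaving QR + opcode),
    mask to the opcode, compare with 5.  Nothing here looks at the IP header length."""
    if len(packet) < 34:
        return False          # xt_u32 fails the match if the load would run past the packet
    word = struct.unpack("!I", packet[30:34])[0]
    return ((word >> 27) & 0xF) == OPCODE_UPDATE


def dns_opcode(packet: bytes) -> int:
    """What a DNS-aware filter does instead: honour IHL, skip the UDP header, read the flags."""
    ihl = (packet[0] & 0x0F) * 4
    flags = struct.unpack("!H", packet[ihl + 8 + 2: ihl + 8 + 4])[0]
    return (flags >> 11) & 0xF


# Constructed sample packets for the example (not captured traffic).
UPDATE_PKT = build_ipv4_udp(build_dns_header(0x1111, OPCODE_UPDATE))
QUERY_PKT = build_ipv4_udp(build_dns_header(0x2222, OPCODE_QUERY))
# The same UPDATE with one 32-bit word of IP options (four NOPs) shifting everything by 4 bytes.
UPDATE_PKT_WITH_OPTIONS = build_ipv4_udp(build_dns_header(0x3333, OPCODE_UPDATE),
                                         ip_options=b"\x01" * 4)


def evaluate(packet: bytes) -> dict:
    """Compare the blind offset rule with the header-aware decode for one packet."""
    return {"u32_rule": u32_rule_matches(packet), "opcode": dns_opcode(packet)}


if __name__ == "__main__":
    for name, pkt in [("UPDATE", UPDATE_PKT), ("QUERY", QUERY_PKT),
                      ("UPDATE+IP options", UPDATE_PKT_WITH_OPTIONS)]:
        print(f"{name:18s} {evaluate(pkt)}")
```

Two further points follow from the code: the rule drops every UPDATE, legitimate dynamic-DNS clients included, so it is an outage trade-off rather than a fix; and because the QR bit is masked away, a response with opcode 5 arriving on port 53 is dropped as well, which is harmless for an INPUT rule on an authoritative server.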
Re: [CentOS] BIND vulnerability
On Wed, Jul 29, 2009 at 5:59 PM, David Hrbáč hrbac.c...@seznam.cz wrote:
> RedShift wrote:
> > According to a commenter, this should provide a temporary countermeasure:
> >
> > iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
> >
> > Haven't tested it, would like to know the results...
>
> Well, good point, but Centos does not ship libipt_u32.so. Even more Centos 4.x is now undergoing rebuild process, so no updates even security updates are being released. Which is something I can accept. Those looking for patched bind for Centos 4.x may use packages I have built with CVE-2009-0696 patch.
>
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Well done, David but there's a little problem with those rpms:

Preparing...### [100%]
        package bind-libs-9.2.4-30.el4_7.2 (which is newer than bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-utils-9.2.4-30.el4_7.2 (which is newer than bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-9.2.4-30.el4_7.2 (which is newer than bind-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-chroot-9.2.4-30.el4_7.2 (which is newer than bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed

Maybe you can bump the version a bit.

> Regards,
> David Hrbáč
Re: [CentOS] BIND vulnerability
On 07/29/2009 06:29 PM, luc...@lastdot.org wrote:
> Those looking for patched bind for Centos 4.x may use packages I have built with CVE-2009-0696 patch.
>
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

there are packages linked to people.redhat.com that point at the ones in QA at Red Hat at the moment, I would recommend you use those

-- 
Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] BIND vulnerability
On Wednesday, July 29, 2009 6:36 PM +0100 Karanbir Singh mail-li...@karan.org wrote:
> there are packages linked to people.redhat.com that point at the ones in QA at Red Hat at the moment, I would recommend you use those

RHEL errata are up:

Red Hat Enterprise Linux 5
Via RHSA-2009:1179 https://rhn.redhat.com/errata/RHSA-2009-1179.html

Red Hat Enterprise Linux 4
Via RHSA-2009:1180 https://rhn.redhat.com/errata/RHSA-2009-1180.html
Re: [CentOS] BIND vulnerability
On Jul 29, 2009, at 11:21 AM, Karanbir Singh wrote:
> yes, which is one of many reasons why a zone masters is usually setup to not be publicly available.

The localhost 127.0.0.1 zone can also be used as an attack vector according to the folks on the DNS Ops list, so it's looking like pretty much every bind installation will need to be updated.

--Chris
Re: [CentOS] BIND vulnerability
On Wed, Jul 29, 2009 at 02:10:56PM -0500, Chris Boyd wrote:
> On Jul 29, 2009, at 11:21 AM, Karanbir Singh wrote:
> > yes, which is one of many reasons why a zone masters is usually setup to not be publicly available.
>
> The localhost 127.0.0.1 zone can also be used as an attack vector according to the folks on the DNS Ops list, so it's looking like pretty much every bind installation will need to be updated.
>
> --Chris

Do you have a link to a mailing list post describing this? Would like to pass it along...

Ray
Re: [CentOS] BIND vulnerability
On Wed, Jul 29, 2009 at 6:36 PM, Karanbir Singh mail-li...@karan.org wrote:
> On 07/29/2009 06:29 PM, luc...@lastdot.org wrote:
> > Those looking for patched bind for Centos 4.x may use packages I have built with CVE-2009-0696 patch.
> >
> > http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
> > http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html
>
> there are packages linked to people.redhat.com that point at the ones in QA at Red Hat at the moment, I would recommend you use those

Ok, thanks, but where exactly am I to see something useful on people.redhat.com? I can only see an image.

> -- 
> Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] BIND vulnerability
On Jul 29, 2009, at 2:19 PM, Ray Van Dolson wrote:
> Do you have a link to a mailing lists post describing this? Would like to pass it along...

This is the head of the thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004315.html

Some of the relevant discussion:

=====

On Tue, Jul 28, 2009 at 06:21:22PM -0700, Peter Losher plos...@isc.org wrote a message of 30 lines which said:
> Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

We tested that removing the zones which are typically there by default, and in mode master (such as localhost and 0.0.127.in-addr.arpa) works fine: the published exploit no longer works afterwards. This can be an interim solution for those who don't have a clean upgrade path (for instance, RHEL did not push the patch yet).

___
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

=====

like, for example, .localhost or 0.0.127.in-addr.arpa.

--bill

=====

On Tue, Jul 28, 2009 at 11:47:46PM +0200, Michael Graff wrote:
> A purely cache only server should not be affected. Being auth for a single zone would make you be vulnerable.
>
> --Michael
>
> On Jul 28, 2009, at 23:26, Duane Wessels wess...@dns-oarc.net wrote:
> > On Tue, 28 Jul 2009, Keith Mitchell wrote:
> > > dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type "ANY" and where at least one RRset for this FQDN exists on the server.
> >
> > Does it affect only installations with authoritative data? Or are caches affected as well?
> >
> > DW

=====

Tom Daly wrote:
> > A purely cache only server should not be affected. Being auth for a single zone would make you be vulnerable.
>
> Some quick and dirty research/testing on our side indicates that being an authoritative slave doesn't make you vulnerable either, it is only if you are authoritative master, i.e.:
>
> zone blat.com { type master; ... };

Our (FreeBSD) testing indicates the same. Then again, if you choose to be RFC1912 compliant, you probably made yourself vulnerable. Unfortunately for this issue I added 1912 plus a bunch of other default zones to our default resolver config, so if you use our stuff out of the box you are vulnerable.

Doug
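The interim workaround quoted above for CVE-2009-0696 (drop the default master zones, RFC 1912 localhost zones included, until a fixed package lands) and the 2016 note at the top of this page that CVE-2016-2775 only matters where the non-default lightweight resolver is configured both reduce to the same question: what does this server's named.conf actually enable? The Python below is an added example, not code from ISC, Red Hat or anyone on the list. It scans a named.conf (the sample text is constructed for the example) for top-level statements, lists the zones of type master with whether they accept dynamic updates at all, and reports whether an lwres statement is present. The parser is deliberately minimal: it strips comments and matches braces but does not follow include statements, so files pulled in that way (on RHEL-family systems the RFC 1912 zones usually live in a separate included file) must be scanned too, and it does not understand view blocks.

```python
import re

# Constructed sample named.conf for the example (not taken from any real host).
SAMPLE_NAMED_CONF = r'''
options {
    directory "/var/named";
    recursion yes;   // caching resolver for the LAN
};

# Lightweight resolver: the non-default feature CVE-2016-2775 concerns.
lwres {
    listen-on { 127.0.0.1 port 921; };
};

zone "." IN { type hint; file "named.ca"; };

/* RFC 1912 zones that ship enabled by default */
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "example.net" IN {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.net";
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-update { key "ddns-key"; };
};

include "/etc/named.rfc1912.zones";
'''


def strip_comments(text: str) -> str:
    """Remove C, C++ and shell style comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(text: str):
    """Yield (keyword, name, body) for every top-level `keyword ["name"] [class] { body };`.

    Statements without a block, such as `include "...";`, are skipped, not followed."""
    text = strip_comments(text)
    pos = 0
    while True:
        open_brace = text.find("{", pos)
        if open_brace == -1:
            return
        depth, i = 0, open_brace
        while i < len(text):                       # walk to the matching close brace
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced braces in named.conf")
        # the header is whatever follows the previous ';' and precedes this '{'
        header = text[pos:open_brace].rsplit(";", 1)[-1].split()
        keyword = header[0] if header else ""
        name = header[1].strip('"') if len(header) > 1 else None
        yield keyword, name, text[open_brace + 1:i]
        pos = i + 1


def zone_report(conf: str):
    """One entry per zone: its type, and whether allow-update names anything other than none."""
    report = []
    for keyword, name, body in top_level_statements(conf):
        if keyword != "zone":
            continue
        m = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = m.group(1) if m else "unknown"
        au = re.search(r"\ballow-update\s*\{([^}]*)\}", body)
        updates_allowed = bool(au) and au.group(1).strip() not in ("none;", "")
        report.append({"zone": name, "type": ztype, "allow_update": updates_allowed})
    return report


def master_zones(conf: str):
    """Zones this server is master for: per the thread above, the ones the 2009 crash can be
    triggered against, whether or not dynamic updates are allowed for them."""
    return [z["zone"] for z in zone_report(conf) if z["type"] == "master"]


def lwres_enabled(conf: str) -> bool:
    """True if an lwres statement is present, the only configuration CVE-2016-2775 affects."""
    return any(keyword == "lwres" for keyword, _, _ in top_level_statements(conf))


if __name__ == "__main__":
    for z in zone_report(SAMPLE_NAMED_CONF):
        print(z)
    print("master zones:", master_zones(SAMPLE_NAMED_CONF))
    print("lwres configured:", lwres_enabled(SAMPLE_NAMED_CONF))
```

Run against the sample, the report lists localhost, 0.0.127.in-addr.arpa and corp.example as master zones and flags the lwres block; on a real host, feed it the file named by `named-checkconf -p` (which prints the configuration with includes expanded) rather than the raw file, and the include limitation disappears.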
Re: [CentOS] BIND vulnerability
luc...@lastdot.org wrote:
> Well done, David but there's a little problem with those rpms:
>
> Preparing...### [100%]
>         package bind-libs-9.2.4-30.el4_7.2 (which is newer than bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
>         package bind-utils-9.2.4-30.el4_7.2 (which is newer than bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
>         package bind-9.2.4-30.el4_7.2 (which is newer than bind-9.2.4-30.el4.hrb.2.1) is already installed
>         package bind-chroot-9.2.4-30.el4_7.2 (which is newer than bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed
>
> Maybe you can bump the version a bit.

Right... 30.el4_7.2 > 30.el4.hrb.2.1 :o)

I do not want to change the version more because:
- I do not want to have el4_7, it's not a Centos release
- EL4.8 ships 30.el4_8.4

So I do not want to release 31.el4_7.2 ...

As to the included patch, it is the very same code RH released within the latest errata.

Regards,
David
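The "which is newer than" complaint in the rpm output above, and the reply that 30.el4_7.2 sorts above 30.el4.hrb.2.1, follow from how rpm orders version strings, which is worth understanding before hand-building security backports whose release tags must beat the vendor's. The Python below is an added example, a reimplementation of rpm's rpmvercmp segment comparison written for this page, not rpm's own code and not anything posted on the list. It shows why the ordering comes out as it does: a string is split into runs of digits and runs of letters with separators ignored, a numeric run always outranks an alphabetic run at the same position, numeric runs compare by value, and once one side runs out the side with characters left is newer. So the "7" in el4_7.2 beats the "hrb" in el4.hrb.2.1 whatever follows. It also handles the "~" and "^" markers rpm uses for pre- and post-releases; the labels fed to it are the ones from this thread plus a couple of constructed ones.

```python
def _skip_separators(s: str, i: int) -> int:
    """Advance past characters rpm ignores: anything that is not alphanumeric, '~' or '^'."""
    while i < len(s) and not (s[i].isalnum() or s[i] in "~^"):
        i += 1
    return i


def _take_run(s: str, i: int, digits: bool) -> int:
    """Return the end index of the run of digits (or of letters) starting at i."""
    while i < len(s) and (s[i].isdigit() if digits else s[i].isalpha()):
        i += 1
    return i


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings rpm-style: 1 if a is newer, -1 if b is, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _skip_separators(a, i), _skip_separators(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, including the end of the string: 1.0~rc1 < 1.0
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before anything else: 1.0 < 1.0^post < 1.0.1
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break                        # one side is exhausted; decided after the loop
        numeric = ca.isdigit()           # the kind of run is decided by the left-hand side
        ei, ej = _take_run(a, i, numeric), _take_run(b, j, numeric)
        seg_a, seg_b = a[i:ei], b[j:ej]
        if not seg_b:
            # different kinds of segment at the same position: the numeric one is newer
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):       # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:                     # same length: plain string order
            return 1 if seg_a > seg_b else -1
        i, j = ei, ej
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1         # whoever still has characters left is newer


def split_evr(label: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, rest = label.split(":", 1) if ":" in label else ("0", label)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two full version labels: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


if __name__ == "__main__":
    # The pair from the rpm complaint above, the 4.8 rebuild, and a constructed pre-release.
    for left, right in [("9.2.4-30.el4_7.2", "9.2.4-30.el4.hrb.2.1"),
                        ("9.2.4-30.el4_8.4", "9.2.4-30.el4_7.2"),
                        ("9.3.4-10.P1.el5_3.3", "9.3.4-10.P1.el5_3.1"),
                        ("1.0~rc1-1", "1.0-1")]:
        print(f"{left} vs {right}: {compare_evr(left, right):+d}")
```

The practical consequence for a rebuilt package is the one David describes: a purely alphabetic tag appended after el4 will always lose to the vendor's el4_N release, so a third-party rebuild that is meant to install over the stock package needs a numeric component at that position, or an epoch.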
Re: [CentOS] BIND vulnerability
On 07/29/2009 08:27 PM, luc...@lastdot.org wrote:
> where exactly am I to see something useful on people.redhat.com? I can only see an image.

The CentOS update has now been released, you should be able to yum update on C5 already.

-- 
Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] BIND vulnerability
luc...@lastdot.org wrote:
> Ok, thanks, but where exactly am I to see something useful on people.redhat.com? I can only see an image.

Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do not see the point. This is the RHEL 4.8 version with the patch. Anyone running Centos 4.8? I'm still with 4.7, so bind-libs-9.2.4-30.el4_7.2 with the patch is the way for me, far better than having an unpatched bind, waiting another couple of weeks to get bind updated finally. Sorry.

David Hrbáč
Re: [CentOS] BIND vulnerability
On 07/29/2009 09:19 PM, David Hrbáč wrote:
> Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do not see the point. This is RHEL 4.8 version with patch.

http://lists.centos.org/pipermail/centos-devel/2009-July/004794.html

I've updated 2 machines, and had no problems here. But some wider testing would be good and we can get them into the main repos so more people benefit.

-- 
Karanbir Singh : http://www.karan.org/ : 2522...@icq
Re: [CentOS] BIND vulnerability
David Hrbáč wrote:
> Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do not see the point. This is RHEL 4.8 version with patch. Anyone running Centos 4.8? I'm still with 4.7 so bind-libs-9.2.4-30.el4_7.2 with patch is the way for me, far better then having unpatched bind, waiting another couple of weeks to get bind updated finally. Sorry.

4.8 packages for the most part should install on 4.7 w/o a fuss. I installed 4.6 packages on 4.4 for quite some time, and I install some 5.3 packages on 5.2 without any issues. One of the nice things about a stable (binary compatibility) distro.

nate
Re: [CentOS] BIND vulnerability
(Apologies if this isn't in the thread properly; I'm trying to fake it from the website headers :-))

Karanbir Singh wrote:
> http://lists.centos.org/pipermail/centos-devel/2009-July/004794.html
>
> I've updated 2 machines, and had no problems here. But some wider testing would be good and we can get them into the main repos so more people benefit.

I just updated one machine; the process ended up with named not running.

I did

rpm -Uvh bind-utils-9.2.4-30.el4_8.4.i386.rpm bind-9.2.4-30.el4_8.4.i386.rpm bind-libs-9.2.4-30.el4_8.4.i386.rpm

and got

Jul 29 20:29:15 linode named: succeeded
Jul 29 20:29:16 linode named[2873]: shutting down: flushing changes
Jul 29 20:29:16 linode named[2873]: stopping command channel on 127.0.0.1#953
Jul 29 20:29:16 linode named[2873]: no longer listening on 127.0.0.1#53
Jul 29 20:29:16 linode named[2873]: no longer listening on 66.160.141.105#53
Jul 29 20:29:17 linode named[2873]: exiting
Jul 29 20:29:18 linode named: failed

After a restart it appeared to work...

Jul 29 20:29:41 linode named[31609]: starting BIND 9.2.4 -u named
Jul 29 20:29:41 linode named[31609]: using 4 CPUs
Jul 29 20:29:41 linode named[31609]: loading configuration from '/etc/named.conf'
etc...

The daemon seems to be responding properly to requests after this manual start.

-- 
rgds
Stephen