Re: [CentOS] Bind Vulnerability CVE-2016-2775

2016-09-01 Thread Jonathan Billings
On Thu, Sep 01, 2016 at 08:34:08AM +, James Pearson wrote:
>
> Sidharth Sharma:
> >
> > When we can expect Security Update for Bind Vulnerability on Centos 6.8/7.2?
> > ISC BIND Lightweight Resolver Protocol Req Processing Dos Vulnerability:
> > CVE-2016-2775
> 
> See:
> 
>  https://access.redhat.com/security/cve/cve-2016-2775

The important takeaway is that Red Hat has marked it as "Will Not
Fix", and in the BZ, the statement is:

"Red Hat Product Security has rated this issue as having Moderate
security impact. This issue is not currently planned to be addressed
in future updates. For additional information, refer to the Issue
Severity Classification:
https://access.redhat.com/security/updates/classification/. 

Note that this issue only affects BIND deployments that make use of
the non-default lightweight resolver protocol for name resolution. "

-- 
Jonathan Billings 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Bind Vulnerability CVE-2016-2775

2016-09-01 Thread Mike Burger

On 2016-09-01 4:34 am, James Pearson wrote:
> Sidharth Sharma:
>> When we can expect Security Update for Bind Vulnerability on Centos
>> 6.8/7.2?
>> ISC BIND Lightweight Resolver Protocol Req Processing Dos
>> Vulnerability:
>> CVE-2016-2775
>
> See:
>
>  https://access.redhat.com/security/cve/cve-2016-2775


Ouch!

Affected Packages State

Platform                      Package   State
Red Hat Enterprise Linux 5    bind97    Will not fix
Red Hat Enterprise Linux 6    bind      Will not fix
Red Hat Enterprise Linux 5    bind      Will not fix
Red Hat Enterprise Linux 7    bind      Will not fix

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1



Re: [CentOS] Bind Vulnerability CVE-2016-2775

2016-09-01 Thread James Pearson
Sidharth Sharma:
>
> When we can expect Security Update for Bind Vulnerability on Centos 6.8/7.2?
> ISC BIND Lightweight Resolver Protocol Req Processing Dos Vulnerability:
> CVE-2016-2775

See:

 https://access.redhat.com/security/cve/cve-2016-2775

James Pearson


Re: [CentOS] BIND vulnerability

2009-08-06 Thread Codrin Cean
On 07/30/2009 10:32 PM, Ned Slider wrote:
 Benjamin Franz wrote:
 Ned Slider wrote:
 Benjamin Franz wrote:

 Ned Slider wrote:

 The fix has been available for a long time:

 https://rhn.redhat.com/errata/RHBA-2009-0440.html

 I'm not sure that is the 'fix'. My systems were completely up-to-date as
 of last week so I should not have had a problem with that. And yet I did.

 $ rpm -q yum-metadata-parser
 yum-metadata-parser-1.1.2-3.el5

 What do you have?

 $ rpm -q yum-metadata-parser
 yum-metadata-parser-1.1.2-2.el5

 CentOS has not released this update.


 Ah.  That explains it.


 You can get it from here:

 http://elrepo.org/linux/fasttrack/el5/

 or you can wait for 5.4 to be released which will contain this update.

Thank you !



Re: [CentOS] BIND vulnerability

2009-08-03 Thread shprahi shprahi
Hi All,

I am using Caching DNS server with Bind 9

bind-utils-9.3.4-10.P1.el5_3.1
bind-9.3.4-10.P1.el5_3.1
bind-chroot-9.3.4-10.P1.el5_3.1
system-config-bind-4.0.3-2.el5.centos
bind-libs-9.3.4-10.P1.el5_3.1

I am getting

Error :

named[22851]: mem.c:1061: REQUIRE((((ctx) != ((void *)0)) && (((const isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 | ('C')))))) failed
named[22851]: exiting (due to assertion failure)


Is this related to above bug?

Thanks in advance
shprahi



On Wed, Jul 29, 2009 at 9:45 PM, Kenneth Porter sh...@sewingwitch.com wrote:

 Slashdot carried this story yesterday on a BIND vulnerability:

 
 http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9
 

 The upstream report:

 https://www.isc.org/node/474

 Red Hat's Bugzilla:

 https://bugzilla.redhat.com/show_bug.cgi?id=514292

 From what I'm reading, if one has an Internet-facing master for a zone,
 one
 is vulnerable, even if dynamic DNS isn't being used.


Re: [CentOS] BIND vulnerability

2009-07-30 Thread Mogens Kjaer
On 07/29/2009 10:15 PM, Karanbir Singh wrote:
...
 The CentOS update have now been released, you should be able to yum
 update on C5 already.


Thanks!

On my C5 server:

# rpm -qa bind
bind-9.3.4-10.P1.el5_3.3

On my RHEL 5 server:

# rpm -qa bind
bind-9.3.4-10.P1.el5_3.1
# yum clean all
# yum update
...
Setting up Update Process
No Packages marked for Update

CentOS quicker than upstream? :-)

Mogens

-- 
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Mobile: +45 22 12 53 25
Email: m...@crc.dk Homepage: http://www.crc.dk


Re: [CentOS] BIND vulnerability

2009-07-30 Thread Bob Hoffman
 Been watching the bind thing for a few days and waiting for my daily yum to
update.
Finally did it by hand and got an interesting message.

The python dependency killed my yum...lol. A quick look online and I see a
few thousand fedora and redhat issues with this python thing. Strange that
it is trying to install a package update only to find that package is not
there. Yeesh

But was able to run yum update bind and get the issues resolved.


-- Running transaction check
--- Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
-- Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
-- Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
-- Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
-- Finished Dependency Resolution
libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)



Re: [CentOS] BIND vulnerability

2009-07-30 Thread Christoph Maser

yum clean all






Re: [CentOS] BIND vulnerability

2009-07-30 Thread Rob Kampen

Bob Hoffman wrote:

 Been watching the bind thing for a few days and waiting for my daily yum to
update.
Finally did it by hand and got an interesting message.

The python dependency killed my yum...lol. A quick look online and I see a
few thousand fedora and redhat issues with this python thing. Strange that
it is trying to install a package update only to find that package is not
there. Yeesh

But was able to run yum update bind and get the issues resolved.


-- Running transaction check
--- Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
-- Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
-- Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
-- Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
-- Finished Dependency Resolution
libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
  -- Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)

  

I found that for all three of my bind servers that it needed
yum clean all
yum update
to find the updates and install - no issues with py.
HTH rob


Re: [CentOS] BIND vulnerability

2009-07-30 Thread Benjamin Franz
Bob Hoffman wrote:
  Been watching the bind thing for a few days and waiting for my daily yum to
 update.
 Finally did it by hand and got an interesting message.

 The python dependency killed my yum...lol. A quick look online and I see a
 few thousand fedora and redhat issues with this python thing. Strange that
 it is trying to install a package update only to find that package is not
 there. Yeesh

 But was able to run yum update bind and get the issues resolved.


 -- Running transaction check
 --- Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
 -- Finished Dependency Resolution
 libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
 problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)

 _

Try doing: yum clean all && yum update

That did it for me.

Thanks goes to John R. Dennison for the fix.

-- 
Benjamin Franz



Re: [CentOS] BIND vulnerability

2009-07-30 Thread Ned Slider
Benjamin Franz wrote:
 Bob Hoffman wrote:
  Been watching the bind thing for a few days and waiting for my daily yum to
 update.
 Finally did it by hand and got an interesting message.

 The python dependency killed my yum...lol. A quick look online and I see a
 few thousand fedora and redhat issues with this python thing. Strange that
 it is trying to install a package update only to find that package is not
 there. Yeesh

 But was able to run yum update bind and get the issues resolved.


 -- Running transaction check
 --- Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
 -- Finished Dependency Resolution
 libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
 problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)

 _
 
 Try doing: yum clean all && yum update
 
 That did it for me.
 
 Thanks goes to John R. Dennison for the fix.
 

The fix has been available for a long time:

https://rhn.redhat.com/errata/RHBA-2009-0440.html



Re: [CentOS] BIND vulnerability

2009-07-30 Thread Benjamin Franz
Ned Slider wrote:
 Benjamin Franz wrote:
   
 Bob Hoffman wrote:
 
  Been watching the bind thing for a few days and waiting for my daily yum to
 update.
 Finally did it by hand and got an interesting message.

 The python dependency killed my yum...lol. A quick look online and I see a
 few thousand fedora and redhat issues with this python thing. Strange that
 it is trying to install a package update only to find that package is not
 there. Yeesh

 But was able to run yum update bind and get the issues resolved.


 -- Running transaction check
 --- Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
 -- Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
 -- Finished Dependency Resolution
 libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
 problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
   -- Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
 Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
 gamin-python-0.1.7-8.el5.x86_64 (installed)

 _
   
 Try doing: yum clean all && yum update

 That did it for me.

 Thanks goes to John R. Dennison for the fix.

 

 The fix has been available for a long time:

 https://rhn.redhat.com/errata/RHBA-2009-0440.html
   

I'm not sure that is the 'fix'. My systems were completely up-to-date as 
of last week so I should not have had a problem with that. And yet I did.

-- 
Benjamin Franz



Re: [CentOS] BIND vulnerability

2009-07-30 Thread Ned Slider
Benjamin Franz wrote:
 Ned Slider wrote:

 
 The fix has been available for a long time:

 https://rhn.redhat.com/errata/RHBA-2009-0440.html
   
 
 I'm not sure that is the 'fix'. My systems were completely up-to-date as 
 of last week so I should not have had a problem with that. And yet I did.
 

$ rpm -q yum-metadata-parser
yum-metadata-parser-1.1.2-3.el5

What do you have?

CentOS has not released this update.




Re: [CentOS] BIND vulnerability

2009-07-30 Thread Ned Slider
Benjamin Franz wrote:
 Ned Slider wrote:
 Benjamin Franz wrote:
   
 Ned Slider wrote:   
 
 The fix has been available for a long time:

 https://rhn.redhat.com/errata/RHBA-2009-0440.html
   
 I'm not sure that is the 'fix'. My systems were completely up-to-date as 
 of last week so I should not have had a problem with that. And yet I did.
 
 $ rpm -q yum-metadata-parser
 yum-metadata-parser-1.1.2-3.el5

 What do you have?
   
 $ rpm -q yum-metadata-parser
 yum-metadata-parser-1.1.2-2.el5
 
 CentOS has not released this update.
   
 
 Ah.  That explains it.
 

You can get it from here:

http://elrepo.org/linux/fasttrack/el5/

or you can wait for 5.4 to be released which will contain this update.



Re: [CentOS] BIND vulnerability

2009-07-29 Thread Karanbir Singh
On 07/29/2009 05:15 PM, Kenneth Porter wrote:
 From what I'm reading, if one has an Internet-facing master for a zone, one
 is vulnerable, even if dynamic DNS isn't being used.

yes, which is one of many reasons why a zone master is usually set up to
not be publicly available.

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] BIND vulnerability

2009-07-29 Thread RedShift
Kenneth Porter wrote:
 Slashdot carried this story yesterday on a BIND vulnerability:
 
 http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9
 

According to a commenter, this should provide a temporary countermeasure:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Haven't tested it, would like to know the results...


Glenn



 The upstream report:
 
 https://www.isc.org/node/474
 
 Red Hat's Bugzilla:
 
 https://bugzilla.redhat.com/show_bug.cgi?id=514292
 
From what I'm reading, if one has an Internet-facing master for a zone, one 
 is vulnerable, even if dynamic DNS isn't being used.
 
 

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
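
What the u32 test in the rule quoted in the message above (`30>>27&0xF=5`) actually inspects, as an added example that is not part of the original post: it reads the 32-bit word at byte 30 from the start of the IP header and compares the DNS opcode with 5 (UPDATE). The packets are constructed here with header fields only, and the function names are hypothetical; the third case shows that the fixed offset assumes a 20-byte IP header.

```python
import struct

DNS_OPCODE_UPDATE = 5  # RFC 2136 dynamic update; the value the rule compares against


def build_packet(opcode, ip_options=b""):
    """Constructed IPv4/UDP/DNS packet for illustration: headers only, no records."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    # DNS header: ID, flags (opcode sits in bits 14..11), four zero counts.
    dns = struct.pack("!6H", 0x1234, (opcode & 0xF) << 11, 0, 0, 0, 0)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0)
    total_len = ihl_words * 4 + len(udp) + len(dns)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + ip_options + udp + dns


def u32_fixed_offset_match(pkt):
    """Mimic --u32 '30>>27&0xF=5': 32-bit word at byte 30 from the IP header start."""
    if len(pkt) < 34:
        return False  # a read past the end of the packet never matches
    (word,) = struct.unpack_from("!I", pkt, 30)
    return ((word >> 27) & 0xF) == DNS_OPCODE_UPDATE


def dns_opcode(pkt):
    """Header-length-aware parse: DNS opcode of an IPv4 UDP/53 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
        return None  # non-first fragment: no UDP header in this packet
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 + 4:
        return None
    if struct.unpack_from("!H", pkt, ihl + 2)[0] != 53:
        return None
    (flags,) = struct.unpack_from("!H", pkt, ihl + 8 + 2)
    return (flags >> 11) & 0xF


def compare(pkt):
    """Return (fixed-offset rule matches, packet really is a DNS UPDATE)."""
    return u32_fixed_offset_match(pkt), dns_opcode(pkt) == DNS_OPCODE_UPDATE


# The u32 module can follow the IP header length itself; derived here, not from
# the thread: '0>>22&0x3C@10>>27&0xF=5' jumps by IHL before reading the flags.
SAMPLES = {
    "standard query": build_packet(0),
    "UPDATE, 20-byte IP header": build_packet(DNS_OPCODE_UPDATE),
    "UPDATE, IP header with 4 option bytes": build_packet(DNS_OPCODE_UPDATE,
                                                          b"\x01\x01\x01\x00"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        rule, real = compare(pkt)
        print(f"{label:40s} rule_matches={rule!s:5s} is_update={real}")
```

The rule is also limited to `-p udp`, so DNS traffic arriving over TCP port 53 is not inspected by it.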


Re: [CentOS] BIND vulnerability

2009-07-29 Thread David Hrbáč
RedShift wrote:
> According to a commenter, this should provide a temporary countermeasure:
>
> iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
>
> Haven't tested it, would like to know the results...
 

Well, good point, but Centos does not ship libipt_u32.so. Even more
Centos 4.x is now undergoing rebuild process, so no updates even
security updates are being released. Which is something I can accept.

Those looking for patched bind for Centos 4.x may use packages I have
built with CVE-2009-0696 patch.
http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Regards,
David Hrbáč











Re: [CentOS] BIND vulnerability

2009-07-29 Thread luc...@lastdot.org
On Wed, Jul 29, 2009 at 5:59 PM, David Hrbáč hrbac.c...@seznam.cz wrote:
> RedShift wrote:
>> According to a commenter, this should provide a temporary countermeasure:
>>
>> iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
>>
>> Haven't tested it, would like to know the results...
>
> Well, good point, but Centos does not ship libipt_u32.so. Even more
> Centos 4.x is now undergoing rebuild process, so no updates even
> security updates are being released. Which is something I can accept.
>
> Those looking for patched bind for Centos 4.x may use packages I have
> built with CVE-2009-0696 patch.
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Well done, David but there's a little problem with those rpms:
Preparing...### [100%]
package bind-libs-9.2.4-30.el4_7.2 (which is newer than
bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
package bind-utils-9.2.4-30.el4_7.2 (which is newer than
bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
package bind-9.2.4-30.el4_7.2 (which is newer than
bind-9.2.4-30.el4.hrb.2.1) is already installed
package bind-chroot-9.2.4-30.el4_7.2 (which is newer than
bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed
Maybe you can bump the version a bit.


 Regards,
 David Hrbáč











Re: [CentOS] BIND vulnerability

2009-07-29 Thread Karanbir Singh
On 07/29/2009 06:29 PM, luc...@lastdot.org wrote:
 Those looking for patched bind for Centos 4.x may use packages I have
 built with CVE-2009-0696 patch.
 http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
 http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

there are packages linked to people.redhat.com that point at the ones in 
QA at Red Hat at the moment, I would recommend you use those

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Kenneth Porter
On Wednesday, July 29, 2009 6:36 PM +0100 Karanbir Singh 
mail-li...@karan.org wrote:

 there are packages linked to people.redhat.com that point at the ones in
 QA at Red Hat at the moment, I would recommend you use those

RHEL errata are up:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1179 https://rhn.redhat.com/errata/RHSA-2009-1179.html

  Red Hat Enterprise Linux 4

Via RHSA-2009:1180 https://rhn.redhat.com/errata/RHSA-2009-1180.html


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Chris Boyd

On Jul 29, 2009, at 11:21 AM, Karanbir Singh wrote:

 yes, which is one of many reasons why a zone masters is usually  
 setup to
 not be publicly available.


The localhost 127.0.0.1 zone can also be used as an attack vector  
according to the folks on the DNS Ops list, so it's looking like  
pretty much every bind installation will need to be updated.

--Chris


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Ray Van Dolson
On Wed, Jul 29, 2009 at 02:10:56PM -0500, Chris Boyd wrote:
 
 On Jul 29, 2009, at 11:21 AM, Karanbir Singh wrote:
 
  yes, which is one of many reasons why a zone masters is usually  
  setup to
  not be publicly available.
 
 
 The localhost 127.0.0.1 zone can also be used as an attack vector  
 according to the folks on the DNS Ops list, so it's looking like  
 pretty much every bind installation will need to be updated.
 
 --Chris

Do you have a link to a mailing lists post describing this?  Would like
to pass it along...

Ray


Re: [CentOS] BIND vulnerability

2009-07-29 Thread luc...@lastdot.org
On Wed, Jul 29, 2009 at 6:36 PM, Karanbir Singh mail-li...@karan.org wrote:
 On 07/29/2009 06:29 PM, luc...@lastdot.org wrote:
 Those looking for patched bind for Centos 4.x may use packages I have
 built with CVE-2009-0696 patch.
 http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
 http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

 there are packages linked to people.redhat.com that point at the ones in
 QA at Red Hat at the moment, I would recommend you use those

Ok, thanks, but
where exactly am I to see something useful on people.redhat.com? I can
only see an image.


 --
 Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Chris Boyd

On Jul 29, 2009, at 2:19 PM, Ray Van Dolson wrote:

 Do you have a link to a mailing lists post describing this?  Would  
 like
 to pass it along...


This is the head of the thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004315.html

Some of the relevant discussion:

On Tue, Jul 28, 2009 at 06:21:22PM -0700,
Peter Losher plos...@isc.org wrote
a message of 30 lines which said:

Testing indicates that the attack packet has to be formulated against a
zone for which that machine is a master. Launching the attack against
slave zones does not trigger the assert.

We tested that removing the zones which are typically there by
default, and in mode master (such as localhost and
0.0.127.in-addr.arpa) works fine: the published exploit no longer
works afterwards.

This can be an interim solution for those who don't have a clean
upgrade path (for instance, RHEL did not push the patch yet).
___
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

=

like, for example,  .localhost or  0.0.127.in-addr.arpa.

--bill


On Tue, Jul 28, 2009 at 11:47:46PM +0200, Michael Graff wrote:
A purely cache only server should not be affected. Being auth for a
single zone would make you be vulnerable.

--Michael


On Jul 28, 2009, at 23:26, Duane Wessels wess...@dns-oarc.net wrote:



On Tue, 28 Jul 2009, Keith Mitchell wrote:

dns_db_findrdataset() fails when the prerequisite section of the
dynamic
update message contains a record of type "ANY" and where at least one
RRset for this FQDN exists on the server.

Does it affect only installations with authoritative data?  Or are
caches affected
as well?

DW


=


Tom Daly wrote:
A purely cache only server should not be affected. Being auth for
a single zone would make you be vulnerable.

Some quick and dirty research/testing on our side indicates that
being an authoritative slave doesn't make you vulnerable either, it
is only if you are authoritative master, i.e.:

zone blat.com { type master; ... };

Our (FreeBSD) testing indicates the same.

Then again, if you choose to be RFC1912 compliant, you probably
made yourself vulnerable.

Unfortunately for this issue I added 1912 plus a bunch of other
default zones to our default resolver config, so if you use our stuff
out of the box you are vulnerable.


Doug
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
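
The discussion quoted in the message above ties exposure to zones configured as `type master`, including default ones such as localhost and 0.0.127.in-addr.arpa. One way to audit a configuration for that condition, as an added example that is not part of the thread: the sample named.conf is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample config (not from the thread): a caching resolver that still
# carries RFC 1912 style default zones, one slave zone and a commented-out zone.
SAMPLE_NAMED_CONF = r'''
options { directory "/var/named"; recursion yes; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" IN {
    type master;   # default reverse zone
    file "named.local";
};
/* zone "old.example" { type master; file "old.zone"; }; */
zone "example.com" { type slave; masters { 192.0.2.1; }; file "slaves/example.com"; };
'''

_COMMENT_OR_STRING = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+')
_STATEMENT_START = ("{", "}", ";")


def strip_comments(text):
    """Drop /* */, // and # comments, leaving quoted strings untouched."""
    return _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def zone_types(conf_text):
    """Return [(zone_name, type)] for every zone statement, including zones in views."""
    toks = _TOKEN.findall(strip_comments(conf_text))
    zones, i = [], 0
    while i < len(toks):
        starts_stmt = i == 0 or toks[i - 1] in _STATEMENT_START
        if toks[i] != "zone" or not starts_stmt or i + 1 >= len(toks):
            i += 1
            continue
        name, j = toks[i + 1].strip('"'), i + 2
        if j < len(toks) and toks[j] not in ("{", ";"):
            j += 1  # optional class, e.g. IN
        if j >= len(toks) or toks[j] != "{":
            i += 1
            continue
        depth, k, ztype = 1, j + 1, None
        while k < len(toks) and depth:
            tok = toks[k]
            if tok == "{":
                depth += 1
            elif tok == "}":
                depth -= 1
            elif (tok == "type" and depth == 1 and toks[k - 1] in ("{", ";")
                  and k + 1 < len(toks)):
                ztype = toks[k + 1].lower()  # only the zone's own "type", not nested ones
            k += 1
        zones.append((name, ztype))
        i = k
    return zones


def master_zones(conf_text):
    """Zones this server is master for: the condition the thread ties to exposure."""
    # "primary" is the later BIND spelling of "master" (added here, not in the thread).
    return [name for name, ztype in zone_types(conf_text) if ztype in ("master", "primary")]


if __name__ == "__main__":
    for name in master_zones(SAMPLE_NAMED_CONF):
        print("master zone:", name)
```

Files pulled in with `include` are not followed here, so each included file has to be passed through `master_zones` as well.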


Re: [CentOS] BIND vulnerability

2009-07-29 Thread David Hrbáč
luc...@lastdot.org wrote:
> Well done, David but there's a little problem with those rpms:
> Preparing...### [100%]
> package bind-libs-9.2.4-30.el4_7.2 (which is newer than
> bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
> package bind-utils-9.2.4-30.el4_7.2 (which is newer than
> bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
> package bind-9.2.4-30.el4_7.2 (which is newer than
> bind-9.2.4-30.el4.hrb.2.1) is already installed
> package bind-chroot-9.2.4-30.el4_7.2 (which is newer than
> bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed
> Maybe you can bump the version a bit.

Right... 30.el4_7.2 > 30.el4.hrb.2.1 :o) I do not want to change the
version more because:
- I do not want to have el4_7, it's not Centos release
- EL4.8 ships 30.el4_8.4

So I do not want to release 31.el4_7.2 ...

As to the included patch, it is the very same code RH released within the
latest errata.
Regards,
David


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Karanbir Singh
On 07/29/2009 08:27 PM, luc...@lastdot.org wrote:
 where exactly am I to see something useful on people.redhat.com? I can
 only see an image.

The CentOS update have now been released, you should be able to yum 
update on C5 already.

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] BIND vulnerability

2009-07-29 Thread David Hrbáč
luc...@lastdot.org wrote:
> Ok, thanks, but
> where exactly am I to see something useful on people.redhat.com? I can
> only see an image.

Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do
not see the point. This is RHEL 4.8 version with patch. Anyone running
Centos 4.8? I'm still with 4.7 so bind-libs-9.2.4-30.el4_7.2 with patch
is the way for me, far better than having unpatched bind, waiting
another couple of weeks to get bind updated finally. Sorry.
David Hrbáč


Re: [CentOS] BIND vulnerability

2009-07-29 Thread Karanbir Singh
On 07/29/2009 09:19 PM, David Hrbáč wrote:
 Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do
 not see the point. This is RHEL 4.8 version with patch.

http://lists.centos.org/pipermail/centos-devel/2009-July/004794.html

I've updated 2 machines, and had no problems here. But some wider 
testing would be good and we can get them into the main repos so more 
people benefit.

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] BIND vulnerability

2009-07-29 Thread nate
David Hrbáč wrote:

 Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do
 not see the point. This is RHEL 4.8 version with patch. Anyone running
 Centos 4.8? I'm still with 4.7 so bind-libs-9.2.4-30.el4_7.2 with patch
 is the way for me, far better than having unpatched bind, waiting
 another couple of weeks to get bind updated finally. Sorry.

4.8 packages for the most part should install on 4.7 w/o a fuss.
I installed 4.6 packages on 4.4 for quite some time, and I install
some 5.3 packages on 5.2 without any issues. One of the nice
things about a stable(binary compatibility) distro.

nate




Re: [CentOS] BIND vulnerability

2009-07-29 Thread Stephen Harris
In-Reply-To=4a70b20c.5020...@karan.org
Reply-To: 

(Apologies if this isn't in the thread properly; I'm trying to fake it from
the website headers :-))

Karanbir Singh wrote:
 http://lists.centos.org/pipermail/centos-devel/2009-July/004794.html
 
 I've updated 2 machines, and had no problems here. But some wider 
 testing would be good and we can get them into the main repos so more 
 people benefit.

I just updated one machine; the process ended up with named not running.

I did 
  rpm -Uvh bind-utils-9.2.4-30.el4_8.4.i386.rpm bind-9.2.4-30.el4_8.4.i386.rpm 
bind-libs-9.2.4-30.el4_8.4.i386.rpm

and got

  Jul 29 20:29:15 linode named:  succeeded
  Jul 29 20:29:16 linode named[2873]: shutting down: flushing changes
  Jul 29 20:29:16 linode named[2873]: stopping command channel on 127.0.0.1#953
  Jul 29 20:29:16 linode named[2873]: no longer listening on 127.0.0.1#53
  Jul 29 20:29:16 linode named[2873]: no longer listening on 66.160.141.105#53
  Jul 29 20:29:17 linode named[2873]: exiting
  Jul 29 20:29:18 linode named:  failed

After a restart it appeared to work...

  Jul 29 20:29:41 linode named[31609]: starting BIND 9.2.4 -u named
  Jul 29 20:29:41 linode named[31609]: using 4 CPUs
  Jul 29 20:29:41 linode named[31609]: loading configuration from 
'/etc/named.conf'

etc...

The daemon seems to be responding properly to requests after this manual
start.

-- 

rgds
Stephen