BIND is not vulnerable directly (for this particular CVE). glibc is vulnerable. BIND is linked to your system's glibc, so as long as you install the new glibc and restart bind (or reboot your system preferably), you are fine.
On Fri, Feb 19, 2016 at 10:58 AM, Paul Stewart <[email protected]> wrote:
> Good question.... it either means that BIND packages haven't been
> repackaged with the updates yet (which often they are) or that they are not
> vulnerable.
>
> A quick scan of
> https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
>
> Doesn't show anything specific to glibc that has been acknowledged on
> their side and given how long it's been public I would assume that it's not
> a concern at the moment ....
>
> Paul
>
>
> -----Original Message-----
> From: Af [mailto:[email protected]] On Behalf Of Ken Hohhof
> Sent: Friday, February 19, 2016 10:08 AM
> To: [email protected]
> Subject: Re: [AFMUG] update and patch your linux servers, people!
>
> I have yum set to download and install all updates automatically, my
> question was if I look at yum.log and see glibc updated 2 days ago but not
> a package like BIND, am I still vulnerable. Sounds like I am OK.
>
>
> -----Original Message-----
> From: Paul Stewart
> Sent: Friday, February 19, 2016 4:59 AM
> To: [email protected]
> Subject: Re: [AFMUG] update and patch your linux servers, people!
>
> Glibc is widely used .. (including in the kernel code as well) ... perhaps
> the question is, why wouldn't you update everything?
>
> -----Original Message-----
> From: Af [mailto:[email protected]] On Behalf Of Ken Hohhof
> Sent: Thursday, February 18, 2016 9:00 PM
> To: [email protected]
> Subject: Re: [AFMUG] update and patch your linux servers, people!
>
> OK, at the risk of exposing my ignorance, is it sufficient to update glibc
> (I see that yum-cron has already done this for me), and perhaps to restart
> some services like named? Or is glibc compiled into packages like BIND and
> those need to be updated?
>
> I'm thinking the glibc libraries are not compiled into the applications
> but are called at run time, but I really don't know.
>
>
> -----Original Message-----
> From: Josh Reynolds
> Sent: Thursday, February 18, 2016 4:53 PM
> To: [email protected]
> Subject: Re: [AFMUG] update and patch your linux servers, people!
>
> #oldnews
>
> Another thing you want to do is limit inbound dns responses to 1024
> and less on most platforms, including mikrotik. They may use uClibc
> though, I am not sure.
>
> Most UBNT devices are not vulnerable to this, although EdgeRouter and
> CloudKey were (and probably that old ubnt nvr appliance). Thankfully
> they both receive patches from debian upstream, so it's just an
> apt-get update ; apt-get upgrade -y away.
>
> On Thu, Feb 18, 2016 at 4:48 PM, Eric Kuhnke <[email protected]>
> wrote:
>
> > http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light
> >
> > http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
> >
> > http://www.kb.cert.org/vuls/id/457759
> >
> >
> > If it has glibc on it and looks up things by DNS, it needs to be patched.
> > That's just about every Linux distro in existence.
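
The situation discussed in this thread (glibc already updated by yum, named not yet restarted) can be checked directly: a process started before the update keeps the old library mapped, and Linux marks that mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of the thread; it assumes a Linux /proc and libc files named like libc-2.17.so or libc.so.6, and the script name and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): after a glibc update, find processes
# that still run on the old, now-deleted libc and therefore need a restart.

# Constructed /proc/<pid>/maps lines (not from a real host):
# the same daemon before and after it was restarted.
SAMPLE_STALE='7f3a1c000000-7f3a1c1b7000 r-xp 00000000 fd:00 1311 /usr/lib64/libc-2.17.so (deleted)'
SAMPLE_FRESH='7f3a1c000000-7f3a1c1b8000 r-xp 00000000 fd:00 2044 /usr/lib64/libc-2.17.so'

# stale_libc_in_maps: reads maps-format text on stdin and returns 0 if any
# mapping points at a libc file that has been replaced on disk.
# Fields: range perms offset dev inode path ["(deleted)"]
stale_libc_in_maps() {
    awk '$NF == "(deleted)" && $6 ~ "/libc[-.][^/]*$" { found = 1 }
         END { exit !found }'
}

# list_stale_processes: prints "pid name" for every process on the old libc.
# Run as root; other users' maps files are not readable otherwise.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # cat absorbs read errors from processes that exit mid-scan
        if cat "$maps" 2>/dev/null | stale_libc_in_maps; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Scan the live system only when asked (script name is hypothetical):
#   sh check_libc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_stale_processes
fi
```

Any process it lists is still executing the pre-update glibc code until it is restarted; an empty result after restarting services (or rebooting) confirms nothing is left on the old library.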
