BIND, DHCP, and CVE-2014-0160 (the OpenSSL “Heartbleed” bug)

Earlier this week, the OpenSSL project announced CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL 1.0.1f and 1.0.2-beta1). In many stories, this vulnerability is being referred to as the “Heartbleed” bug.

Because ISC products can be built to link against OpenSSL libraries, users of BIND 9 and ISC DHCP have asked us to clarify whether or not their systems are at risk due to CVE-2014-0160. Rather than answer questions individually, we hope that this will clarify the matter for our users and reassure them that their services are safe from this security vulnerability.

  • Is BIND vulnerable? After consulting with our developers, we are pleased to report that BIND 9 does not make use of the vulnerable parts of the OpenSSL libraries, so BIND services are NOT at risk from CVE-2014-0160.
  • Is ISC DHCP vulnerable? ISC DHCP does not use the affected parts of the OpenSSL library, either. ISC DHCP services are NOT at risk from CVE-2014-0160.
  • What about Windows binary packages? For the benefit of Windows users, ISC provides installable binary distributions of BIND 9 for those who wish to run it on Windows servers. At the time of this message, the most recent Windows binary distributions include vulnerable versions of the OpenSSL shared libraries. These shared library files are safe for use with BIND 9 because BIND does not use the flawed parts of the library, but operators should not use the provided libraries with other applications. Future versions of the Windows binary distributions will include updated OpenSSL libraries with the security issues fixed, but we have no current plans to release emergency security releases for Windows because the libraries provided are safe for BIND 9.
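
An added example, not ISC's code: a minimal Python check that finds OpenSSL version banners inside library files, such as those bundled with a binary distribution, and flags releases in the affected range. The fixed versions 1.0.1g and 1.0.2-beta2 come from the OpenSSL advisory rather than this page; the function names and sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})(-beta\d*)?(?:-[a-z]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")

def heartbleed_affected(base, letter, beta):
    """Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1.
    Fixed in 1.0.1g and 1.0.2-beta2 (per the OpenSSL advisory, not this page)."""
    if base == "1.0.1":
        # 1.0.1 pre-releases are counted as affected: a conservative assumption.
        return len(letter) <= 1 and letter <= "f"
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")
    return False  # every other branch is outside the affected range

def scan_bytes(data):
    """Return {version: affected} for every OpenSSL banner found in a binary blob."""
    found = {}
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found[base + letter + beta] = heartbleed_affected(base, letter, beta)
    return found

def scan_tree(root, patterns=("*.dll", "*.so*")):
    """Map each library file under root that carries an OpenSSL banner to its findings."""
    report = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                hits = scan_bytes(path.read_bytes())
                if hits:
                    report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Constructed byte strings standing in for library contents (not real files).
    samples = {
        "bundled-lib (constructed)": b"\x00\x01OpenSSL 1.0.1f 6 Jan 2014\x00",
        "patched-lib (constructed)": b"\x00\x01OpenSSL 1.0.1g 7 Apr 2014\x00",
        "beta-lib (constructed)": b"\x00\x01OpenSSL 1.0.2-beta1 24 Feb 2014\x00",
    }
    for name, blob in samples.items():
        print(name, scan_bytes(blob))
```

A version banner cannot show whether the library was built with `-DOPENSSL_NO_HEARTBEATS` or carries a vendor backport, so treat a hit as a file to review rather than proof of exposure.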

3 Comments

  1. Geoff Nixon April 11, 2014

    And BIND10 is not affected either, by virtue of not using OpenSSL at all (it uses Botan).
    …right?

    • Vicky Risk April 11, 2014

      Right. Actually, I believe that was the *whole point* of using Botan.

  2. Vicky April 15, 2014
