Earlier this week, the OpenSSL project announced CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL 1.0.1f and 1.0.2-beta1). In many stories, this vulnerability is being referred to as the “Heartbleed” bug.
Because ISC products can be built to link against OpenSSL libraries, users of BIND 9 and ISC DHCP have asked us to clarify whether or not their systems are at risk due to CVE-2014-0160. Rather than answer questions individually, we hope that this will clarify the matter for our users and reassure them that their services are safe from this security vulnerability.
- Is BIND vulnerable? After consulting with our developers, we are pleased to report that BIND 9 does not make use of the vulnerable parts of the OpenSSL libraries, so BIND services are NOT at risk from CVE-2014-0160.
- Is ISC DHCP vulnerable? ISC DHCP does not use the affected parts of the OpenSSL library, either. ISC DHCP services are NOT at risk from CVE-2014-0160.
- What about Windows binary packages? For the benefit of Windows users, ISC provides installable binary distributions of BIND 9 for those who wish to run it on Windows servers. At the time of this message, the most recent Windows binary distributions include vulnerable versions of the OpenSSL shared libraries. These shared library files are safe for use with BIND 9 because BIND does not use the flawed parts of the library, but operators should not use the provided libraries with other applications. Future versions of the Windows binary distributions will include updated OpenSSL libraries with the security issues fixed, but we have no current plans to release emergency security releases for Windows because the libraries provided are safe for BIND 9.
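The Windows note above makes one practical point: the OpenSSL shared libraries shipped alongside BIND 9 are safe for BIND, but not for any other application that happens to load them. The following script is an added example (it is not ISC's code and not part of this advisory) that classifies an OpenSSL version string against the ranges the advisory names: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 and later carry the fix; 0.9.8 and 1.0.0 never contained the heartbeat code. It assumes the upstream version string format that `openssl version` prints ("OpenSSL 1.0.1f 6 Jan 2014"); the sample strings in the script are constructed. One caveat a practitioner needs: some vendors backport the fix without bumping the version letter, so a "vulnerable" verdict from the version string alone means "confirm against your vendor's package changelog", not proof.

```shell
#!/bin/sh
# Added example, not ISC's code: classify an OpenSSL version string as
# vulnerable to CVE-2014-0160 (Heartbleed), fixed, unaffected or unknown.
# Assumes the upstream format "OpenSSL 1.0.1f 6 Jan 2014" or a bare
# "1.0.1f"; vendor suffixes such as "1.0.1e-fips" are tolerated.
# Caveat: distributions may backport the fix under the old version letter,
# so treat "vulnerable" as "needs confirmation against the package changelog".

# heartbleed_status VERSION_STRING
# prints one of: vulnerable | fixed | unaffected | unknown
heartbleed_status() {
    # Extract "major.minor.patch[letter][-betaN]" from the string, dropping
    # the "OpenSSL " prefix, the build date and any vendor suffix.
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]\{0,1\}\(-beta[0-9]*\)\{0,1\}\).*/\2/p')
    case "$ver" in
        '')                 echo unknown ;;      # not an OpenSSL version string
        1.0.1|1.0.1[a-f])   echo vulnerable ;;   # 1.0.1 through 1.0.1f (advisory range)
        1.0.1[g-z]*)        echo fixed ;;        # 1.0.1g (7 Apr 2014) and later letters
        1.0.1-*)            echo unknown ;;      # 1.0.1 pre-releases: not classified here
        1.0.2-beta1)        echo vulnerable ;;   # named in the advisory
        1.0.2*)             echo fixed ;;        # 1.0.2-beta2 onward and 1.0.2 releases
        *)                  echo unaffected ;;   # 0.9.8, 1.0.0, 1.1.x: no vulnerable heartbeat code
    esac
}

# Stand-alone run: report the host's command-line OpenSSL if present, then
# show the classification for a few constructed sample strings.
if command -v openssl >/dev/null 2>&1; then
    host_ver=$(openssl version 2>/dev/null)
    printf 'host openssl: %s -> %s\n' "$host_ver" "$(heartbleed_status "$host_ver")"
fi
for sample in 'OpenSSL 1.0.1f 6 Jan 2014' 'OpenSSL 1.0.1g 7 Apr 2014' \
              '1.0.2-beta1' 'OpenSSL 1.0.1e-fips 11 Feb 2013' \
              'OpenSSL 1.0.0l 6 Jan 2014' 'OpenSSL 0.9.8y 5 Feb 2013'; do
    printf '%-32s -> %s\n' "$sample" "$(heartbleed_status "$sample")"
done
```

Run it as `sh heartbleed_check.sh` on the host in question; for the Windows BIND distribution the string to feed it is whatever the bundled OpenSSL DLL reports, which for the versions described above will classify as vulnerable, and that is exactly why the advisory tells operators not to share those DLLs with other programs.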