vulnerability of bind

Warren Kumari warren at kumari.net
Tue Dec 14 19:08:40 UTC 2010


A question like this comes along every few weeks....

Just download the latest bind source from: http://www.isc.org/software/bind 
, configure, make, make test, install.

This is my cheat sheet (I do this every few months on ~10 servers -- I  
keep meaning to set up a puppet / similar script to take care of this  
for me, but never seem to manage to collect enough toits):


-----
== Get source ==

    ftp://ftp.isc.org/isc/bind9/

Unzip / untar source.

   cd /usr/local/src/bind
   sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz

Now get and validate the GPG signature.
   sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz.sha256.asc
   gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz

Assuming all is good:
   sudo tar -xvzf bind-9.7.2-P3.tar.gz
   sudo rm bind-9.7.2-P3.tar.gz.*
   sudo chown -R wkumari:wkumari bind-9.7.2-P3/

   cd bind-9.7.2-P3/

Make sure you have the required dependencies

   sudo apt-get install openssl libssl-dev gcc

And now build
   ./configure --with-openssl=yes --with-randomdev=/dev/urandom
   make

And let's run some tests:
   make test

Check and install the new version:

   named -v
   which named
   make install
   named -v


Restart bind:
   sudo /etc/init.d/bind9 stop
   sudo /etc/init.d/bind9 start
   dig www.kumari.net +dnssec @localhost

----


Obviously, replace the versions with something sane, and the user /  
check domain with something else...

Oh, also tell your package manager that you no longer want it to do,  
well, whatever it thinks it is doing...


W
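
An added example, not part of the original post: `gpg --verify` reports success for a good signature from any key in the local keyring, so the "Assuming all is good" step above can be enforced by requiring a VALIDSIG status line for one pinned fingerprint before unpacking. The function names, the placeholder fingerprint and the sample status lines are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post: turn "Assuming all is good"
# into a check that a script can enforce before unpacking.

# Placeholder. Put the full 40-hex fingerprint of the release signing key
# here after confirming it out of band; the post does not list one.
PINNED_FPR="0000000000000000000000000000000000000000"

# status_valid_for STATUS FPR
# STATUS is what gpg writes with --status-fd. Succeeds only if a VALIDSIG
# line names FPR as the signing key (field 3) or as its primary key (last
# field), and no line reports a bad, unverifiable, expired or revoked one.
status_valid_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_and_unpack TARBALL SIGNATURE
# Unpacks TARBALL only when SIGNATURE verifies against PINNED_FPR.
verify_and_unpack() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    if status_valid_for "$status" "$PINNED_FPR"; then
        tar -xzf "$1"
    else
        echo "signature check failed for $1, not unpacking" >&2
        return 1
    fi
}

# Constructed sample status output; both fingerprints are made up.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_PINNED="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer
[GNUPG:] VALIDSIG $FPR_A 2010-12-01 1291161600 0 4 0 1 8 00 $FPR_A"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Someone Else
[GNUPG:] VALIDSIG $FPR_B 2010-12-01 1291161600 0 4 0 1 8 00 $FPR_B"
SAMPLE_BAD="[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Signer"

# Run as: sh thisfile TARBALL SIGNATURE
if [ "$#" -eq 2 ]; then verify_and_unpack "$1" "$2"; fi
```

SAMPLE_OTHER_KEY is the case the pin exists for: the signature is cryptographically valid, but it was not made by the expected key.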


On Dec 14, 2010, at 1:28 PM, fakessh @ wrote:

> hello bind network
>
>
> I just realized that my version of bind is vulnerable and I'm wondering
> if by upgrading to version 9.5.2-P4 I would always be vulnerable
>
>
>
> I use CentOS 5.5 and use
> http://www.pramberger.at/peter/services/repository/rhel5/ deposit
>
>
> thanks
> - --
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
