vulnerability of bind
Warren Kumari
warren at kumari.net
Tue Dec 14 19:08:40 UTC 2010
A question like this comes along every few weeks....
Just download the latest bind source from http://www.isc.org/software/bind,
then configure, make, make test, install.
This is my cheat sheet (I do this every few months on ~10 servers -- I
keep meaning to set up a puppet / similar script to take care of this
for me, but never seem to manage to collect enough toits):
-----
== Get source ==
ftp://ftp.isc.org/isc/bind9/
Unzip / untar source.
cd /usr/local/src/bind
sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz
Now get and validate the GPG signature.
sudo wget ftp://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz.sha256.asc
gpg --verify bind-9.7.2-P3.tar.gz.sha256.asc bind-9.7.2-P3.tar.gz
Assuming all is good:
sudo tar -xvzf bind-9.7.2-P3.tar.gz
sudo rm bind-9.7.2-P3.tar.gz.*
sudo chown -R wkumari.wkumari bind-9.7.2-P3/
cd bind-9.7.2-P3/
Make sure you have the required dependencies
sudo apt-get install openssl libssl-dev gcc
And now build
./configure --with-openssl=yes --with-randomdev=/dev/urandom
make
And let's run some tests:
make test
Check and install the new version:
named -v
which named
make install
named -v
Restart bind:
sudo /etc/init.d/bind9 stop
sudo /etc/init.d/bind9 start
dig www.kumari.net +dnssec @localhost
----
Obviously, replace the versions with something sane, and the user /
check domain with something else...
Oh, also tell your package manager that you no longer want it to do,
well, whatever it thinks it is doing...
W
On Dec 14, 2010, at 1:28 PM, fakessh @ wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hello bind network
>
>
> I just realized that my version of bind is vulnerable and I'm
> wondering
> if by upgrading to version 9.5.2-P4 I would always be vulnerable
>
>
>
> i use centos 5.5 and use
> http://www.pramberger.at/peter/services/repository/rhel5/ deposit
>
>
> thanks
> - --
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iD8DBQFNB7dLtXI/OwkhZKcRAhA7AJ9P5y0Lp5KpX3rNmas4rEnNX33FMwCfdQUq
> Bg9aAabFVLPFYYk8zLeTLUE=
> =jhLX
> -----END PGP SIGNATURE-----
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
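
Added example, not part of the original message: one way to script the "get and validate the GPG signature ... assuming all is good" step of the cheat sheet so that extraction happens only when the signature comes from one pinned key, since `gpg --verify` alone accepts a good signature from any key in the keyring. The function names are hypothetical and the fingerprint is a constructed placeholder, not a real release key.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# SAMPLE_FPR is a constructed placeholder, NOT a real signing-key fingerprint;
# use the fingerprint you obtained for the release key out of band.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2010-12-01 1291161600 0 4 0 1 8 00 $SAMPLE_FPR"

# check_status EXPECTED_FPR
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names
# EXPECTED_FPR (as signing key or primary key) and no line reports a bad,
# unverifiable, expired or revoked signature or key.
check_status() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_and_extract TARBALL SIGFILE EXPECTED_FPR
# Unpacks the tarball only when the detached signature passes check_status.
# Usage: verify_and_extract bind-9.7.2-P3.tar.gz bind-9.7.2-P3.tar.gz.sha256.asc "$FPR"
verify_and_extract() {
    if gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"; then
        tar -xzf "$1"
    else
        echo "signature check failed for $1; not extracting" >&2
        return 1
    fi
}

# Self-check on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR" && echo "sample accepted"
```

Rejecting on EXPKEYSIG and REVKEYSIG is a policy choice made in this example; relax it only if you have a reason to accept signatures from expired or revoked keys.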