FW: CVE-2013-2266 Question

G.W. Haywood bind at jubileegroup.co.uk
Thu Mar 28 11:21:29 UTC 2013 

Hi there,

On Wed, 27 Mar 2013, Manson, John wrote:

> Does 'make clear' affect the running named

No.  The 'configure' step and the 'make' steps are repsectively
configuring the software source files for your environment before the
build (more or less compile and link) process, and then the building,
optionally testing and finally installing the new software (binaries
such as named, and for example vanilla configuration files - or what
you could think of as templates in a new installation).  If you have
an existing set of configuration files, the install process will not
touch them.  This is in keeping with the Principle Of Least Surprise. :)

Nothing you do in the build/test/install process affects the already
running processes.  Normally one builds new software in a directory
owned by a non-privileged user while logged in as that user.  Then
only switch to a privileged user to install files (in places in the
filesystem where the unprivileged user cannot write them) by giving
the command 'make install'.  Sometimes a test might need to be run as
a privileged user or might require a special test environment which
must be set up by a privileged user.  The BIND package tests fall into
the latter category, see below.  Many people don't run the tests but
it's a good idea to run them if only for peace of mind.

> or is it best to stop named and start it afterward?

You should stop and start named after the newly built software has
been installed.  There's no need to stop it before building a new
version.

> Do I also need to run configure again or just make?

You don't really need to run configure again unless something else has
changed, but I would generally rebuild from scratch so that I know
that everything is as I expect.  It takes very little effort.

> Will dig and rndc be updated as well?

Yes, they are rebuilt together with named and installed when you do
the 'make install' step.

Here's what I did on one of my nameservers the day before yesterday:

8<----------------------------------------------------------------------
26 Mar 2013

==== bind ====

97. Downloaded, built and installed, nameserver restarted.

     $ cd ~/tgz
     $ wget ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz
     $ cd ~/src/net
     $ rm -rf bind-9.9.2
     $ tar xzvf ~/tgz/bind-9.9.2-P2.tar.gz
     $ cd bind-9.9.2-P2
     $ ./configure --prefix=/usr/local --sysconfdir=/etc --with-openssl 
STD_CDEFINES="-DDIG_SIGCHASE=1"
     $ make
     $ su
     # bin/tests/system/ifconfig.sh up
     # exit
     $ make test
...
I:System test result summary:
I:        50 PASS
I:         2 SKIPPED
make[2]: Leaving directory `/home/ged/src/net/bind-9.9.2-P2/bin/tests/system'
make[1]: Leaving directory `/home/ged/src/net/bind-9.9.2-P2/bin/tests'
     $ su
     # bin/tests/system/ifconfig.sh down
     # make install
     # killall named ; sleep 2 ; /usr/local/sbin/named -4 -u named
     # exit
8<----------------------------------------------------------------------

Note that I've trimmed reams and reams of build and test output above,
I've just included the last four lines of the test output.  Some of it
can take a while.  The test system creates interfaces on 10.53.0.x and
in the unlikely event that you're using those addresses on your system
while you test the BIND package you will probably need to do something
to prevent an unpleasant experience.

--

73,
Ged.

More information about the bind-users mailing list