Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

stavrostseriotis StavrosTseriotis at semltd.com.cy
Tue Sep 8 04:46:06 UTC 2015 

Ok here is what I did:

.         After extracting the package I looked out at directories
/usr/local/bin and /usr/local/sbin as mentioned in the procedure but I found
that there are no files there.

.         I run configure command without openssl because I had trouble with
the openssl library when it was enabled. Also since I am not currently using
DNSSEC I guess that this is not a problem.

.         Then I run make and I didn't get any error.

.         I run make install and I didn't get any error again.

.         Stopped named service

.         I copied the /etc/named.conf file and then created another empty
file as instructed with the correct permissions.

.         Started named service. It started normally without any error and
also the process that was up is the same as before.

.         When I do named -V and also rpm -q bind I still see the same
versions as before.

 

Yes I know that if I was using the RedHat package I wouldn't had this
problem because I already do this for other linux machines. Just this
machine is old and when it was configured to work as nameserver the guys did
it this way. Now we are in the process to build a new machine for nameserver
with RedHat subscription and everything but until that happens it will be
best if we can get rid of this security vulnerability cause I don't know how
long it will take.

 

Thank you for your responses.

 

From: bind-users-bounces at lists.isc.org
[mailto:bind-users-bounces at lists.isc.org] On Behalf Of Timothe Litt
Sent: Monday, September 07, 2015 2:29 PM
To: bind-users at lists.isc.org
Subject: Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

 


Subject: 

Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477


From: 

stavrostseriotis  <mailto:StavrosTseriotis at semltd.com.cy>
<StavrosTseriotis at semltd.com.cy>


Date: 

07-Sep-15 05:24

 


To: 

bind-users at lists.isc.org

 

Hello,

 

I have a RedHat 5.11 machine and currently I am facing the issue with BIND
vulnerability CVE-2015-5477. I cannot update my BIND using yum because I
didn't install BIND from RedHat at the first place so I need to do it
manually.

I downloaded the package of version 9.9.7-P2 from isc website but since it
is not an rpm file I have to build it myself.

I followed the instructions I found on website
https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho
but it does not change the version of bind. I don't know what I am doing
wrong.

I am wondering if you can give me a little guideline on how to build and
install the new version.

 

Thank you

"does not change the version of bind" - as reported how?  By named -V?  Or
by a DNS query to version.bind CH TXT?

If the former, you probably have more than one named executable - with the
old one earlier in your PATH.  "which named" should help.  If the latter,
did you remember to restart named?  And did the restart succeed?  And does
your startup process have the same PATH as your terminal?  (Often they do
not.)

Re-read the instructions - and pay special attention to how you run
configure.  The default is to build/install in /usr/local/*bin - which is
not the default for most distributions' startup files.

I strongly recommend keeping track of each step as you build (a big
scrollback buffer helps).  Either write your own instructions, or turn it
into a script.  There are enough steps that it's easy to make a mistake -
and you will be re-building bind again to upgrade.  Plus, if you ask for
help, you will be able to provide the details of what you did.  Without
details of what you did and what you see, people can't provide specific
help.

Note that RedHat usually has a number of patches (often for SeLinux and
systemd) that you won't get if you build yourself from ISC sources.  

Or remove bind and switch to the RedHat version.  You're paying RedHat to do
the maintenance, so unless you have local patches or very special
requirements, you might as well let them do the work.  

Typically, if you really need the latest from ISC on RedHat you're better
off getting the SRC RPM from RedHat & modifying the rpmbuild config file to
fetch the latest ISC source, then build RPMs.  If you stay with the same ISC
code stream, you won't have too many patch conflicts to resolve.  After
you've done this once or twice, you'll want to revisit you need for local
changes - either decide they're not that important, or offer them to ISC.
Maintaining a private version is work.




Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

 

 


____________________________________________________________

The information in this e-mail and any of its attachments is confidential
and intended only for the individual to whom it is addressed. If you are
not the intended recipient you should immediately notify the sender and
delete the message and all of its attachments. Do not copy through
any means or use for any reason or reveal its content to anyone. This
message cannot be guaranteed to be secure or error-free or delivered
on time. The sender bears no responsibility for any virus, loss, disruption
or any other damage caused to the sender by the content of this email.
This email has been scanned by an antivirus.
____________________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150908/06431ded/attachment-0001.html>

More information about the bind-users mailing list