Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

Reindl Harald h.reindl at thelounge.net
Tue Sep 8 08:30:03 UTC 2015



On 08.09.2015 at 06:46, stavrostseriotis wrote:
> Ok here is what I did:
>
> - After extracting the package I looked at the directories
> /usr/local/bin and /usr/local/sbin as mentioned in the procedure, but
> I found that there are no files there.

man updatedb
man locate

> - I ran the configure command without openssl because I had trouble with
> the openssl library when it was enabled. Also, since I am not currently
> using DNSSEC, I guess that this is not a problem.

configure pretty surely says which install prefix is used

> - Then I ran make and I didn't get any error.
>
> - I ran make install and I didn't get any error again.
>
> - Stopped the named service.
>
> - I copied the /etc/named.conf file and then created another empty file
> as instructed with the correct permissions.
>
> - Started the named service. It started normally without any error, and
> the process that was up is the same as before.
>
> - When I run named -V and also rpm -q bind, I still see the same
> versions as before.
>
> Yes, I know that if I were using the RedHat package I wouldn't have had
> this problem, because I already do this for other Linux machines. Just
> this machine is old, and when it was configured to work as a nameserver
> the guys did it this way. Now we are in the process of building a new
> machine for the nameserver with a RedHat subscription and everything,
> but until that happens it will be best if we can get rid of this
> security vulnerability, because I don't know how long it will take.
>
> Thank you for your responses.
>
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Timothe Litt
> Sent: Monday, September 07, 2015 2:29 PM
> To: bind-users at lists.isc.org
> Subject: Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
>
>     Subject: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
>     From: stavrostseriotis <StavrosTseriotis at semltd.com.cy>
>     Date: 07-Sep-15 05:24
>     To: bind-users at lists.isc.org
>
>     Hello,
>
>     I have a RedHat 5.11 machine and currently I am facing the issue
>     with BIND vulnerability CVE-2015-5477. I cannot update my BIND using
>     yum because I didn't install BIND from RedHat in the first place, so
>     I need to do it manually.
>
>     I downloaded the package of version 9.9.7-P2 from the ISC website,
>     but since it is not an rpm file I have to build it myself.
>
>     I followed the instructions I found on website
>     https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho
>     but it does not change the version of bind. I don’t know what I am
>     doing wrong.
>
>     I am wondering if you can give me a little guideline on how to build
>     and install the new version.
>
>     Thank you
>
> "does not change the version of bind" - as reported how?  By named -V?
> Or by a DNS query to version.bind CH TXT?
>
> If the former, you probably have more than one named executable - with
> the old one earlier in your PATH.  "which named" should help.  If the
> latter, did you remember to restart named?  And did the restart
> succeed?  And does your startup process have the same PATH as your
> terminal?  (Often they do not.)
>
> Re-read the instructions - and pay special attention to how you run
> configure.  The default is to build/install in /usr/local/*bin - which
> is not the default for most distributions' startup files.
>
> I strongly recommend keeping track of each step as you build (a big
> scrollback buffer helps).  Either write your own instructions, or turn
> it into a script.  There are enough steps that it's easy to make a
> mistake - and you will be re-building bind again to upgrade.  Plus, if
> you ask for help, you will be able to provide the details of what you
> did.  Without details of what you did and what you see, people can't
> provide specific help.
>
> Note that RedHat usually has a number of patches (often for SELinux and
> systemd) that you won't get if you build yourself from ISC sources.
>
> Or remove bind and switch to the RedHat version.  You're paying RedHat
> to do the maintenance, so unless you have local patches or very special
> requirements, you might as well let them do the work.
>
> Typically, if you really need the latest from ISC on RedHat you're
> better off getting the SRC RPM from RedHat & modifying the rpmbuild
> config file to fetch the latest ISC source, then build RPMs.  If you
> stay with the same ISC code stream, you won't have too many patch
> conflicts to resolve.  After you've done this once or twice, you'll want
> to revisit your need for local changes - either decide they're not that
> important, or offer them to ISC.  Maintaining a private version is work.

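The checks suggested in the thread (more than one named on PATH, the PATH the startup process sees, named -v versus version.bind CH TXT, the /usr/local prefix that configure defaults to) collected into one script. This is an added example, not code from the thread or from ISC; the function names, the use of Linux /proc, pidof and dig, and the "check" argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a freshly built BIND
# that still "reports the old version" after make install.

# Print every executable called $1 along the colon-separated path $2.
# Two hits mean the old binary can shadow the new one, depending on PATH.
find_all_in_path() {
    name=$1; oldifs=$IFS; IFS=:
    for dir in $2; do
        [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    IFS=$oldifs
}

# Turn a `named -v` line such as "BIND 9.9.7-P2" into "9.9.7-P2".
# A line that does not start with "BIND" yields nothing.
named_version_of_line() {
    printf '%s\n' "$1" | awk '$1 == "BIND" { print $2 }'
}

# Resolve the binary a running process was started from (Linux /proc).
running_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Full report: every named on the given PATH with its version, the binary
# behind each live named process, and the version the server itself
# answers over DNS (may be hidden by the `version` option in named.conf).
report_named() {
    for bin in $(find_all_in_path named "$1"); do
        printf '%s -> %s\n' "$bin" "$(named_version_of_line "$("$bin" -v 2>/dev/null)")"
    done
    for pid in $(pidof named 2>/dev/null); do
        printf 'running pid %s -> %s\n' "$pid" "$(running_exe "$pid")"
    done
    printf 'version.bind CH TXT -> %s\n' \
        "$(dig +short @127.0.0.1 version.bind txt ch 2>/dev/null)"
}

# Usage: sh check_named.sh check [PATH-as-seen-by-the-init-script]
# Pass the init script's PATH (for example /sbin:/usr/sbin:/bin:/usr/bin,
# which lacks /usr/local/sbin) to see what the startup process would run
# instead of what your interactive shell runs.
if [ "${1:-}" = "check" ]; then
    report_named "${2:-$PATH}"
fi
```

If the first loop lists two binaries with different versions and the running process points at the older one, the init script's PATH or its hard-coded path is what needs fixing, not the build.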