Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
Reindl Harald
h.reindl at thelounge.net
Tue Sep 8 08:30:03 UTC 2015
On 08.09.2015 at 06:46, stavrostseriotis wrote:
> Ok here is what I did:
>
> - After extracting the package I looked out at directories
> /usr/local/bin and /usr/local/sbin as mentioned in the procedure but
> I found that there are no files there.
man updatedb
man locate
> - I ran the configure command without openssl because I had trouble with
> the openssl library when it was enabled. Also since I am not currently
> using DNSSEC I guess that this is not a problem.
configure pretty sure says what install prefix is used
> - Then I ran make and I didn’t get any error.
>
> - I ran make install and I didn’t get any error again.
>
> - Stopped named service
>
> - I copied the /etc/named.conf file and then created another empty file
> as instructed with the correct permissions.
>
> - Started named service. It started normally without any error and also
> the process that was up is the same as before.
>
> - When I do named -V and also rpm -q bind I still see the same
> versions as before.
>
> Yes I know that if I was using the RedHat package I wouldn’t have had this
> problem because I already do this for other Linux machines. Just this
> machine is old and when it was configured to work as nameserver the guys
> did it this way. Now we are in the process to build a new machine for
> nameserver with RedHat subscription and everything but until that
> happens it will be best if we can get rid of this security vulnerability
> cause I don’t know how long it will take.
>
> Thank you for your responses.
>
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Timothe Litt
> Sent: Monday, September 07, 2015 2:29 PM
> To: bind-users at lists.isc.org
> Subject: Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
>
> Subject: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
> From: stavrostseriotis <StavrosTseriotis at semltd.com.cy>
> Date: 07-Sep-15 05:24
> To: bind-users at lists.isc.org
>
> Hello,
>
> I have a RedHat 5.11 machine and currently I am facing the issue
> with BIND vulnerability CVE-2015-5477. I cannot update my BIND using
> yum because I didn’t install BIND from RedHat in the first place so
> I need to do it manually.
>
> I downloaded the package of version 9.9.7-P2 from the ISC website but
> since it is not an rpm file I have to build it myself.
>
> I followed the instructions I found on website
> https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho
> but it does not change the version of bind. I don’t know what I am
> doing wrong.
>
> I am wondering if you can give me a little guideline on how to build
> and install the new version.
>
> Thank you
>
> "does not change the version of bind" - as reported how? By named -V?
> Or by a DNS query to version.bind CH TXT?
>
> If the former, you probably have more than one named executable - with
> the old one earlier in your PATH. "which named" should help. If the
> latter, did you remember to restart named? And did the restart
> succeed? And does your startup process have the same PATH as your
> terminal? (Often they do not.)
>
> Re-read the instructions - and pay special attention to how you run
> configure. The default is to build/install in /usr/local/*bin - which
> is not the default for most distributions' startup files.
>
> I strongly recommend keeping track of each step as you build (a big
> scrollback buffer helps). Either write your own instructions, or turn
> it into a script. There are enough steps that it's easy to make a
> mistake - and you will be re-building bind again to upgrade. Plus, if
> you ask for help, you will be able to provide the details of what you
> did. Without details of what you did and what you see, people can't
> provide specific help.
>
> Note that RedHat usually has a number of patches (often for SELinux and
> systemd) that you won't get if you build yourself from ISC sources.
>
> Or remove bind and switch to the RedHat version. You're paying RedHat
> to do the maintenance, so unless you have local patches or very special
> requirements, you might as well let them do the work.
>
> Typically, if you really need the latest from ISC on RedHat you're
> better off getting the SRC RPM from RedHat & modifying the rpmbuild
> config file to fetch the latest ISC source, then build RPMs. If you
> stay with the same ISC code stream, you won't have too many patch
> conflicts to resolve. After you've done this once or twice, you'll want
> to revisit your need for local changes - either decide they're not that
> important, or offer them to ISC. Maintaining a private version is work.
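
The check suggested in the quoted reply (more than one named executable, and a startup PATH that differs from the terminal's), as an added example that is not part of the original thread. The function names are hypothetical, and it assumes a Linux /proc, pgrep, and a `named -V` whose first line begins with "BIND <version>".

```shell
#!/bin/sh
# Added example: show which named binaries exist, which one a PATH lookup
# would pick, and which one the running daemon was actually started from.

# find_named_binaries DIRS -> one "path<TAB>version" line per executable,
# in the order a lookup over the colon-separated DIRS would find them.
find_named_binaries() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        bin="$dir/named"
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            # Assumption: first line of "named -V" is "BIND <version> ..."
            ver=$("$bin" -V 2>&1 | sed -n '1s/^BIND \([^ ]*\).*/\1/p')
            printf '%s\t%s\n' "$bin" "${ver:-unknown}"
        fi
    done
    IFS=$old_ifs
}

# first_named_version DIRS -> version of the binary a lookup would run.
first_named_version() {
    find_named_binaries "$1" | head -n 1 | cut -f 2
}

# running_named_binary -> executable behind the oldest running named.
# Reading /proc/PID/exe of a process owned by another user needs root.
running_named_binary() {
    pid=$(pgrep -o -x named 2>/dev/null) || return 1
    readlink "/proc/$pid/exe"
}

# The interactive PATH plus the prefixes discussed in the thread
# (/usr/local from a source build, /usr from the distribution package).
search="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin"
echo "named binaries in lookup order:"
find_named_binaries "$search"
echo "running daemon:"
running_named_binary || echo "named is not running (or not readable)"
```

If the path printed for the running daemon is not the freshly built binary, the init script is starting the old one and needs its path or PATH adjusted.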