I have heard about a vulnerability in BIND. See here: http://www.isc.org/software/bind/advisories/cve-2011-0414
The issue appears to be with certain versions, and my version (9.3.6) is earlier than any versions they mention. I did a yum install on BIND and it downloaded and installed the same version 9.3.6, which seems old.
So old, in fact, that I got to worrying. I know that CentOS doesn't upgrade versions and that instead it patches existing versions of applications. But where do you go to get the patches, or are they downloaded periodically in the background? Am I to assume that the keepers of my CentOS repos are patching BIND (and other apps) so that when I update or install using YUM I get the latest safe version?
Without a new version number how do I know I'm patched?