Concerning a recent OpenSSL security issue and new BIND build-time checks

Michael McNally mcnally at isc.org
Tue Dec 15 21:40:20 UTC 2015


The OpenSSL project recently announced several security issues including
OpenSSL Security Advisory CVE-2015-1794.  The official advisory from the
OpenSSL project can be found at http://openssl.org/news/secadv/20151203.txt
but in brief: versions 1.0.2 through 1.0.2d have a vulnerability that
potentially weakens encryption security in BIND.  Version 1.0.2e is
recommended as the secured version.

Operators using DNSSEC or any other features of BIND that depend
on OpenSSL in a production environment are therefore advised to first
update their version of OpenSSL before building and linking new BIND
executables.

Other vulnerabilities have been disclosed in older versions of
OpenSSL that are not believed to affect BIND but could affect the
security of other programs that make use of OpenSSL libraries.
Please consult the OpenSSL project's security disclosure page for
more information about OpenSSL security issues.

As of 15 December 2015, and versions 9.9.8-P2 and 9.10.3-P2, BIND
will refuse to build with certain OpenSSL versions considered to contain
security issues.  If for some reason you are unable to upgrade your
OpenSSL libraries, the version check can be bypassed when building
BIND by using: "configure --disable-openssl-version-check"

The Windows binary packages included in today's releases of BIND 9.9.8-P2
and BIND 9.10.3-P2 have been built using OpenSSL 1.0.2e.
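
A pre-build check an operator could run before configuring BIND, flagging the OpenSSL range named above (1.0.2 through 1.0.2d). This is an added example, not ISC's configure test and not part of the original announcement; the function names and the sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flags the OpenSSL range the announcement names
# (1.0.2 through 1.0.2d). Function names are hypothetical.

# Returns 0 if the version is in 1.0.2..1.0.2d, 1 if outside, 2 if unparsable.
openssl_in_named_range() {
    v=$1
    # Accept a bare version ("1.0.2d") or a banner ("OpenSSL 1.0.2d 9 Jul 2015").
    case $v in
        OpenSSL\ *) v=${v#OpenSSL }; v=${v%% *} ;;
    esac
    v=${v%%-*}    # drop a build suffix such as "-fips"
    case $v in
        1.0.2) return 0 ;;                        # base release, no patch letter
        1.0.2a|1.0.2b|1.0.2c|1.0.2d) return 0 ;;  # patch letters a through d
        1.0.2[a-z]*) return 1 ;;                  # 1.0.2e and later letters
        [0-9]*.[0-9]*.[0-9]*) return 1 ;;         # any other release line
        *) return 2 ;;                            # not an OpenSSL version string
    esac
}

# Prints a verdict; returns 0 only when the version is outside the range.
check_build_openssl() {
    rc=0
    openssl_in_named_range "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED: '$1' is in 1.0.2..1.0.2d; update to 1.0.2e before building"
           return 1 ;;
        1) echo "OK: '$1' is outside 1.0.2..1.0.2d"
           return 0 ;;
        *) echo "UNKNOWN: cannot parse '$1'"
           return 2 ;;
    esac
}

# On a build host: check_build_openssl "$(openssl version)"
# Caveats: the openssl binary on PATH may not be the library BIND links
# against, and a distribution package can keep an old version string while
# carrying a backported fix, so treat AFFECTED as a prompt to verify.

# Constructed sample inputs (not captured from real hosts).
for s in "OpenSSL 1.0.2d 9 Jul 2015" "OpenSSL 1.0.2e 3 Dec 2015" "1.0.1p" "1.0.2"; do
    check_build_openssl "$s" || true
done
```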

