BIND, DHCP, and CVE-2014-0160 (the OpenSSL "Heartbleed" bug)
Michael McNally
mcnally at isc.org
Fri Apr 11 07:47:42 UTC 2014
Earlier this week, the OpenSSL project (http://openssl.org) announced
CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL
library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL
1.0.1f and 1.0.2-beta1). In many stories, this vulnerability is being
referred to as the "Heartbleed" bug.
Because ISC products can be built to link against OpenSSL libraries,
users of BIND 9 and ISC DHCP have asked us to clarify whether or not
their systems are at risk due to CVE-2014-0160. Rather than answer
questions individually, we hope that this will clarify the matter for
our users and reassure them that their services are safe from this
security vulnerability.
1) Is BIND vulnerable?
After consulting with our developers, we are pleased
to report that BIND 9 does not make use of the vulnerable
parts of the OpenSSL libraries, so BIND services are NOT
at risk from CVE-2014-0160.
2) Is ISC DHCP vulnerable?
ISC DHCP does not use the affected parts of the OpenSSL
library, either. ISC DHCP services are not at risk from
CVE-2014-0160.
3) What about Windows binary packages?
For the benefit of Windows users, ISC provides installable
binary distributions of BIND 9 for those who wish to run it
on Windows servers. At the time of this message, the most
recent Windows binary distributions include vulnerable
versions of the OpenSSL shared libraries. These shared
library files are safe for use with BIND 9 because BIND
does not use the flawed parts of the library, but operators
should not use the provided libraries with other applications.
Future versions of the Windows binary distributions will
include updated OpenSSL libraries with the security issues
fixed, but we have no current plans to release emergency
security releases for Windows because the libraries provided
are safe for BIND 9.
Michael McNally
ISC Support
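
The following is an added example, not part of the original message and not ISC code: one way to inventory which OpenSSL release a directory of shared libraries reports, so that copies in the affected range are not reused by other applications. It relies on the version text OpenSSL embeds in its builds; the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Version text embedded in OpenSSL builds, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-[a-z0-9]+)?[ \x00]")

def is_affected(base, letter, suffix):
    """True for releases in the CVE-2014-0160 range (1.0.1 to 1.0.1f, 1.0.2-beta1)."""
    if base == "1.0.1":
        # "" (plain 1.0.1) sorts before "a"; 1.0.1g and later carry the fix.
        # Assumption: 1.0.1 pre-release builds are flagged too, to be conservative.
        return letter <= "f"
    if base == "1.0.2":
        return suffix == "-beta1"
    return False

def scan(directory):
    """Return {filename: [(version, affected), ...]} for files embedding an OpenSSL version."""
    findings = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        seen = set()
        for m in VERSION_RE.finditer(path.read_bytes()):
            base, letter, suffix = (g.decode() if g else "" for g in m.groups())
            seen.add((base + letter + suffix, is_affected(base, letter, suffix)))
        if seen:
            findings[path.name] = sorted(seen)
    return findings

def demo():
    """Run scan() over constructed stand-in files (not real libraries)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample_a.dll").write_bytes(b"\x00MZ..OpenSSL 1.0.1f 6 Jan 2014\x00..")
        Path(d, "sample_b.dll").write_bytes(b"\x00MZ..OpenSSL 1.0.1g 7 Apr 2014\x00..")
        Path(d, "sample_c.dll").write_bytes(b"\x00OpenSSL 1.0.2-beta1 24 Feb 2014\x00")
        Path(d, "readme.txt").write_bytes(b"no version text here")
        return scan(d)

if __name__ == "__main__":
    for name, versions in demo().items():
        for version, affected in versions:
            state = "in affected range" if affected else "not in affected range"
            print(f"{name}: OpenSSL {version} -> {state}")
```

The version text identifies the upstream release only; build options and vendor-backported fixes are not visible in it, so treat a match as a prompt to check the library's origin rather than as proof either way.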