Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
Timothe Litt
litt at acm.org
Tue Sep 8 09:24:46 UTC 2015
On 08-Sep-15 00:46, stavrostseriotis wrote:
>
> Ok here is what I did:
>
> · After extracting the package I looked out at directories
> */usr/local/bin *and */usr/local/sbin *as mentioned in the procedure
> but I found that there are no files there.
>
> · I run *configure* command *without openssl* because I had
> trouble with the openssl library when it was enabled. Also since I am
> not currently using DNSSEC I guess that this is not a problem.
>
> · Then I run *make* and I didn’t get any error.
>
> · I run *make install* and I didn’t get any error again.
>
> · Stopped named service
>
> · I copied the /etc/named.conf file and then created another
> empty file as instructed with the correct permissions.
>
> · Started named service. It started normally without any error
> and also the process that was up is the same as before.
>
> · When I do *named –V* and also *rpm –q bind* I still see the
> same versions as before.
>
>
>
> Yes I know that if I was using the RedHat package I wouldn’t had this
> problem because I already do this for other linux machines. Just this
> machine is old and when it was configured to work as nameserver the
> guys did it this way. Now we are in the process to build a new machine
> for nameserver with RedHat subscription and everything but until that
> happens it will be best if we can get rid of this security
> vulnerability cause I don’t know how long it will take.
>
>
>
> Thank you for your responses.
>
>
>
You are not making it easy to diagnose your problem. The exact commands
that you are using and command output are missing.
From your description, you successfully built named and installed it -
somewhere.
You are not running the image that you built. To confirm the version of
what you built, from the build directory you can run "./bin/named/named
-V" This will also show us the configure options, including where it
should have been installed.
If the process has the same ID, you didn't successfully stop the old
named. This can happen if you have a mix of RedHat and non-RedHat
startup (init) files.
If rpq -q bind shows a version, then there is a RedHat package on the
system & you are trying to supersede it. You probably are using the
RedHat startup files, which may be different from what you expect. As I
wrote previously, the startup environment may have a different PATH from
your terminal.
You should have stopped named BEFORE running make install.
Please provide the output of at least:
named -V; echo $PATH; (build-directory)/bin/named/named -V; systemctl
status named.service; find / -xdev -type f -name named -ls
A few lines from make install should confirm that the new file is being
installed where you expect it.
lsof -p (named's pid) will confirm which image is actually running.
systemctl show --all named.service will show what service you're trying
to start.
systemctl status named.service should match
Or run service named status & look in /etc/init.d/named if you're not
running systemd/named is a SYSV script on your version of RedHat.
You should not have trouble building with openssl. Make sure that you
have the openssl-dev RPMs installed. Don't try to build that from
source; RedHat heavily patches it & other packages depend on the changes.
Switching to the RedHat version of named may be your best option. This
should not be difficult; make uninstall; yum install; edit the config.
Depending on how your predecessors did things, you may need to yum
remove first, possibly with --force.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
> *From:*bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] *On Behalf Of *Timothe Litt
> *Sent:* Monday, September 07, 2015 2:29 PM
> *To:* bind-users at lists.isc.org
> *Subject:* Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
>
>
>
> Subject:
>
> Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477
>
> From:
>
> stavrostseriotis <StavrosTseriotis at semltd.com.cy>
> <mailto:StavrosTseriotis at semltd.com.cy>
>
> Date:
>
> 07-Sep-15 05:24
>
>
>
> To:
>
> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>
>
>
> Hello,
>
>
>
> I have a RedHat 5.11 machine and currently I am facing the issue
> with BIND vulnerability CVE-2015-5477. I cannot update my BIND
> using yum because I didn’t install BIND from RedHat at the first
> place so I need to do it manually.
>
> I downloaded the package of version 9.9.7-P2 from isc website but
> since it is not an rpm file I have to build it myself.
>
> I followed the instructions I found on website
> https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho
> but it does not change the version of bind. I don’t know what I am
> doing wrong.
>
> I am wondering if you can give me a little guideline on how to
> build and install the new version.
>
>
>
> Thank you
>
> "does not change the version of bind" - as reported how? By named
> -V? Or by a DNS query to version.bind CH TXT?
>
> If the former, you probably have more than one named executable - with
> the old one earlier in your PATH. "which named" should help. If the
> latter, did you remember to restart named? And did the restart
> succeed? And does your startup process have the same PATH as your
> terminal? (Often they do not.)
>
> Re-read the instructions - and pay special attention to how you run
> configure. The default is to build/install in /usr/local/*bin - which
> is not the default for most distributions' startup files.
>
> I strongly recommend keeping track of each step as you build (a big
> scrollback buffer helps). Either write your own instructions, or turn
> it into a script. There are enough steps that it's easy to make a
> mistake - and you will be re-building bind again to upgrade. Plus, if
> you ask for help, you will be able to provide the details of what you
> did. Without details of what you did and what you see, people can't
> provide specific help.
>
> Note that RedHat usually has a number of patches (often for SeLinux
> and systemd) that you won't get if you build yourself from ISC sources.
>
> Or remove bind and switch to the RedHat version. You're paying RedHat
> to do the maintenance, so unless you have local patches or very
> special requirements, you might as well let them do the work.
>
> Typically, if you really need the latest from ISC on RedHat you're
> better off getting the SRC RPM from RedHat & modifying the rpmbuild
> config file to fetch the latest ISC source, then build RPMs. If you
> stay with the same ISC code stream, you won't have too many patch
> conflicts to resolve. After you've done this once or twice, you'll
> want to revisit you need for local changes - either decide they're not
> that important, or offer them to ISC. Maintaining a private version
> is work.
>
>
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
>
>
>
> ____________________________________________________________
>
> The information in this e-mail and any of its attachments is confidential
> and intended only for the individual to whom it is addressed. If you are
> not the intended recipient you should immediately notify the sender and
> delete the message and all of its attachments. Do not copy through
> any means or use for any reason or reveal its content to anyone. This
> message cannot be guaranteed to be secure or error-free or delivered
> on time. The sender bears no responsibility for any virus, loss, disruption
> or any other damage caused to the sender by the content of this email.
> This email has been scanned by an antivirus.
> ____________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150908/9cd144f9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4994 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150908/9cd144f9/attachment-0001.bin>
More information about the bind-users
mailing list