CVE-2021-25216

Petr Menšík pemensik at redhat.com
Mon May 3 12:48:08 UTC 2021


Hello Jordan,

Red Hat have been building their BIND packages with the --disable-isc-spnego
configure parameter for years; all versions still somehow supported by
Red Hat are built with it. This means the mentioned issue should not
affect Red Hat packages. Please visit [1] to check affected versions.

Your version is still vulnerable to CVE-2021-25215 [2] [3], however; an
upgrade to a fixed version is required anyway. But your BIND9 Kerberos
support should be fine as it is.

Best Regards,
Petr

1. https://access.redhat.com/security/cve/CVE-2021-25216
2. https://access.redhat.com/security/cve/CVE-2021-25215
3. https://bugzilla.redhat.com/show_bug.cgi?id=1953857

On 4/30/21 4:21 PM, Jordan Tinsley wrote:
> I have a question -
> 
> Is BIND 9.11.6 (Extended Support Version) vulnerable?
If this is a vanilla build without special parameters, it is most likely
vulnerable.
> 
> Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
> vulnerable?
This version is not vulnerable. Check named -V | grep
disable-isc-spnego; if it finds the string, it is not affected.
> 
> Thanks

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
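
The named -V check from the reply above, as an added example that is not part of the original message or of BIND: it matches --disable-isc-spnego only as a whole configure argument, so a path or value that merely contains the string does not count. The function names and the sample outputs are constructed for illustration, and it assumes the configure arguments appear on the "built by make with" line.

```shell
#!/bin/sh
# Added example: classify a BIND build from `named -V` output.
# Usage on a host: named -V | spnego_status

# configure_args (hypothetical helper): read `named -V` output on stdin and
# print one configure argument per line. Splitting on spaces is naive, but
# enough to isolate a flag that takes no value.
configure_args() {
    sed -n 's/^built by make with //p' | tr ' ' '\n' | tr -d "'\"" | sed '/^$/d'
}

# spnego_status (hypothetical helper): print "not-affected" when
# --disable-isc-spnego is present as a complete argument, otherwise
# "check-advisory" (the build needs comparing against the advisory).
spnego_status() {
    if configure_args | grep -qx -- '--disable-isc-spnego'; then
        echo "not-affected"
    else
        echo "check-advisory"
    fi
}

# Constructed sample outputs (shortened; not captured from real hosts).
SAMPLE_DISABLED="BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
built by make with '--build=x86_64-redhat-linux-gnu' '--with-gssapi=yes' '--disable-isc-spnego'
compiled by GCC"

SAMPLE_VANILLA="BIND 9.11.6 (Extended Support Version)
built by make with '--prefix=/usr/local' '--with-gssapi'
compiled by GCC"

# The string appears only inside another argument's value; a plain
# substring grep would report a match here.
SAMPLE_LOOKALIKE="BIND 9.11.6 (Extended Support Version)
built by make with '--prefix=/opt/no-disable-isc-spnego-here'
compiled by GCC"
```
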
