<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 08-Sep-15 00:46, stavrostseriotis
      wrote:<br>
    </div>
    <blockquote cite="mid:002f01d0e9f1$460c8480$d2258d80$@semltd.com.cy"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Ok here is what I did:</p>
        <ul>
          <li>After extracting the package I looked at the directories
            <b>/usr/local/bin</b> and <b>/usr/local/sbin</b> as
            mentioned in the procedure but I found that there are no
            files there.</li>
          <li>I ran the <b>configure</b> command <b>without openssl</b>
            because I had trouble with the openssl library when it was
            enabled. Also since I am not currently using DNSSEC I guess
            that this is not a problem.</li>
          <li>Then I ran <b>make</b> and I didn’t get any error.</li>
          <li>I ran <b>make install</b> and I didn’t get any error
            again.</li>
          <li>Stopped named service</li>
          <li>I copied the /etc/named.conf file and then created another
            empty file as instructed with the correct permissions.</li>
          <li>Started named service. It started normally without any
            error and also the process that was up is the same as
            before.</li>
          <li>When I do <b>named -V</b> and also <b>rpm -q bind</b> I
            still see the same versions as before.</li>
        </ul>
        <p class="MsoNormal">Yes I know that if I were using the RedHat
          package I wouldn’t have had this problem because I already do
          this for other Linux machines. Just this machine is old and
          when it was configured to work as nameserver the guys did it
          this way. Now we are in the process of building a new machine
          for nameserver with RedHat subscription and everything but
          until that happens it will be best if we can get rid of this
          security vulnerability because I don’t know how long it will
          take.</p>
        <p class="MsoNormal">Thank you for your responses.</p>
      </div>
    </blockquote>
    You are not making it easy to diagnose your problem.  The exact
    commands that you are using and command output are missing.<br>
    <br>
    From your description, you successfully built named and installed it
    - somewhere.<br>
    <br>
    You are not running the image that you built.  To confirm the
    version of what you built, from the build directory you can run
    "./bin/named/named -V"  This will also show us the configure
    options, including where it should have been installed.<br>
    <br>
    If the process has the same ID, you didn't successfully stop the old
    named.  This can happen if you have a mix of RedHat and non-RedHat
    startup (init) files.  <br>
    <br>
    If rpm -q bind shows a version, then there is a RedHat package on
    the system & you are trying to supersede it.  You probably are
    using the RedHat startup files, which may be different from what you
    expect.  As I wrote previously, the startup environment may have a
    different PATH from your terminal.<br>
    <br>
    You should have stopped named BEFORE running make install.<br>
    <br>
    Please provide the output of at least:<br>
    named -V; echo $PATH; (build-directory)/bin/named/named -V;
    systemctl status named.service; find / -xdev -type f -name named -ls<br>
    <br>
    A few lines from make install should confirm that the new file is
    being installed where you expect it.<br>
    <br>
    lsof -p (named's pid) will confirm which image is actually running.<br>
    <br>
    systemctl show --all named.service will show what service you're
    trying to start.<br>
    systemctl status named.service should match<br>
    <br>
    Or run service named status & look in /etc/init.d/named if
    you're not running systemd/named is a SYSV script on your version of
    RedHat.<br>
    <br>
    You should not have trouble building with openssl.  Make sure that
    you have the openssl-dev RPMs installed.  Don't try to build that
    from source; RedHat heavily patches it & other packages depend
    on the changes.<br>
    <br>
    Switching to the RedHat version of named may be your best option. 
    This should not be difficult; make uninstall; yum install; edit the
    config.  Depending on how your predecessors did things, you may need
    to yum remove first, possibly with --force.<br>
    <br>
    <br>
    <pre>Timothe Litt</pre>
    <pre>ACM Distinguished Engineer</pre>
    <pre>--------------------------</pre>
    <pre>This communication may not represent the ACM or my employer's views,</pre>
    <pre>if any, on the matters discussed. </pre>
    <br>
    <blockquote cite="mid:002f01d0e9f1$460c8480$d2258d80$@semltd.com.cy"
      type="cite">
      <div class="WordSection1">
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0cm 0cm 0cm">
            <p class="MsoNormal"><b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users-bounces@lists.isc.org">bind-users-bounces@lists.isc.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:bind-users-bounces@lists.isc.org">mailto:bind-users-bounces@lists.isc.org</a>] <b>On Behalf
                  Of </b>Timothe Litt<br>
                <b>Sent:</b> Monday, September 07, 2015 2:29 PM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
                <b>Subject:</b> Re: Install BIND 9.9.7-P2 to fix
                vulnerability CVE-2015-5477</p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <table class="MsoNormalTable" style="width:100.0%"
              border="0" cellpadding="0" cellspacing="0" width="100%">
              <tbody>
                <tr>
                  <td style="padding:0cm 0cm 0cm 0cm">
                    <div>
                      <p class="MsoNormal">Subject: <o:p></o:p></p>
                    </div>
                    <p class="MsoNormal">Install BIND 9.9.7-P2 to fix
                      vulnerability CVE-2015-5477<o:p></o:p></p>
                  </td>
                </tr>
                <tr>
                  <td style="padding:0cm 0cm 0cm 0cm">
                    <div>
                      <p class="MsoNormal">From: <o:p></o:p></p>
                    </div>
                    <p class="MsoNormal">stavrostseriotis <a
                        moz-do-not-send="true"
                        href="mailto:StavrosTseriotis@semltd.com.cy">&lt;StavrosTseriotis@semltd.com.cy&gt;</a></p>
                  </td>
                </tr>
                <tr>
                  <td style="padding:0cm 0cm 0cm 0cm">
                    <div>
                      <p class="MsoNormal">Date: <o:p></o:p></p>
                    </div>
                    <p class="MsoNormal">07-Sep-15 05:24<o:p></o:p></p>
                  </td>
                </tr>
              </tbody>
            </table>
            <p class="MsoNormal"><span style="display:none"><o:p> </o:p></span></p>
            <table class="MsoNormalTable" style="width:100.0%"
              border="0" cellpadding="0" cellspacing="0" width="100%">
              <tbody>
                <tr>
                  <td style="padding:0cm 0cm 0cm 0cm">
                    <div>
                      <p class="MsoNormal">To: <o:p></o:p></p>
                    </div>
                    <p class="MsoNormal"><a moz-do-not-send="true"
                        href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><o:p></o:p></p>
                  </td>
                </tr>
              </tbody>
            </table>
            <p class="MsoNormal"><o:p> </o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hello,</p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                have a RedHat 5.11 machine and currently
                I am facing the issue with BIND vulnerability
                CVE-2015-5477. I cannot update my BIND using yum because
                I didn’t install BIND from RedHat in the first place so
                I need to do it manually.</p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                downloaded the package of version
                9.9.7-P2 from the ISC website but since it is not an rpm
                file I have to build it myself.</p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                followed the instructions I found on
                website <a moz-do-not-send="true"
href="https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho">https://deepthought.isc.org/article/AA-00768/0/Getting-started-with-BIND-ho</a>
                but it does not change the version of bind. I don’t know
                what I am doing wrong.</p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
                am wondering if you can give me a little
                guideline on how to build and install the new version.</p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thank
                you</p>
          </blockquote>
          <p class="MsoNormal">"does not change the version of bind" -
            as reported how?  By named -V?  Or by a DNS query to
            version.bind CH TXT?<br>
            <br>
            If the former, you probably have more than one named
            executable - with the old one earlier in your PATH.  "which
            named" should help.  If the latter, did you remember to
            restart named?  And did the restart succeed?  And does your
            startup process have the same PATH as your terminal?  (Often
            they do not.)<br>
            <br>
            Re-read the instructions - and pay special attention to how
            you run configure.  The default is to build/install in
            /usr/local/*bin - which is not the default for most
            distributions' startup files.<br>
            <br>
            I strongly recommend keeping track of each step as you build
            (a big scrollback buffer helps).  Either write your own
            instructions, or turn it into a script.  There are enough
            steps that it's easy to make a mistake - and you will be
            re-building bind again to upgrade.  Plus, if you ask for
            help, you will be able to provide the details of what you
            did.  Without details of what you did and what you see,
            people can't provide specific help.<br>
            <br>
            Note that RedHat usually has a number of patches (often for
            SeLinux and systemd) that you won't get if you build
            yourself from ISC sources.  <br>
            <br>
            Or remove bind and switch to the RedHat version.  You're
            paying RedHat to do the maintenance, so unless you have
            local patches or very special requirements, you might as
            well let them do the work.  <br>
            <br>
            Typically, if you really need the latest from ISC on RedHat
            you're better off getting the SRC RPM from RedHat &
            modifying the rpmbuild config file to fetch the latest ISC
            source, then build RPMs.  If you stay with the same ISC code
            stream, you won't have too many patch conflicts to resolve. 
            After you've done this once or twice, you'll want to revisit
            your need for local changes - either decide they're not that
            important, or offer them to ISC.  Maintaining a private
            version is work.<br>
            <br>
            <br>
            <o:p></o:p></p>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
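    <p>The checks requested in the reply above ("which named", named -V
      from the build directory, lsof -p) can be scripted so that a rebuilt
      binary is confirmed to be the one a given PATH will start. This is
      an added example, not part of the original messages or of BIND; the
      function names are hypothetical and it assumes a Linux /proc
      filesystem.</p>

```shell
#!/bin/sh
# Added example: confirm that the named a given PATH would start is the one just built.
# Function names are hypothetical; assumes Linux (/proc) and a POSIX shell.

# List every executable called $1 in the PATH-style string $2, in search order.
# The first line is what a shell or init script using that PATH would run;
# any further lines are shadowed copies (e.g. a fresh build in /usr/local/sbin).
candidates_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Executable image of a live process (the "txt" entry that lsof -p PID shows).
running_image() {
    readlink "/proc/$1/exe"
}

# First line of a binary's -V output, i.e. the version it reports about itself.
reported_version() {
    "$1" -V 2>&1 | sed -n '1p'
}

# Compare the freshly built binary ($1) with the first hit for name $2 in PATH $3.
# Returns 0 when both report the same version, 1 on mismatch or when nothing is found.
check_install() {
    built=$1 name=$2 search_path=$3
    first=$(candidates_in_path "$name" "$search_path" | sed -n '1p')
    if [ -z "$first" ]; then
        echo "no $name found in $search_path"
        return 1
    fi
    want=$(reported_version "$built")
    have=$(reported_version "$first")
    if [ "$want" = "$have" ]; then
        echo "OK: $first reports $have"
        return 0
    fi
    echo "MISMATCH: built reports '$want' but $first reports '$have'"
    return 1
}

# Usage: sh check_named.sh (build-directory)/bin/named/named [pid-of-running-named]
# Pass the PATH of the startup environment instead of $PATH if it differs.
if [ "$#" -ge 1 ]; then
    candidates_in_path named "$PATH"
    check_install "$1" named "$PATH"
    if [ -n "${2:-}" ]; then
        echo "pid $2 is running: $(running_image "$2")"
    fi
fi
```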
  </body>
</html>