[CentOS] BIND vulnerability

Wed Jul 29 16:59:01 UTC 2009
David Hrbáč <hrbac.conf at seznam.cz>

RedShift napsal(a):
> According to a commenter, this should provide a temporary countermeasure:
> 
> iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
> 
> Haven't tested it, would like to know the results...
> 

Well, good point, but Centos does not ship libipt_u32.so. Even more
Centos 4.x is now undergoing rebuild process, so no updates even
security updates are being released. Which is something I can accept.

Those looking for patched bind for Centos 4.x may use packages I have
built with CVE-2009-0696 patch.
http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Regards,
David Hrbáč