US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Larry Vaden
Sent: Wednesday, February 23, 2011 12:27 PM
To: CentOS mailing list
Subject: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued
US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
Optionally, start BIND with the parameter to restrict BIND to one thread (-n 1). This prevents the deadlock which, though fatal to BIND when it happens, is a remote probability.
Larry Vaden wrote:
US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
Larry, go away. You don't seem to contribute anything at all to the list, other than your obnoxiousness, and your desire to start flamewars, which presumably give you some kind of jollies.
Yes, most of us saw this today on slashdot, if nowhere else. I would expect RH to have the fix out in a day or two, and CentOS to have it out the same day.
mark
On 02/23/2011 12:55 PM, m.roth@5-cent.us wrote:
Larry Vaden wrote:
US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
Larry, go away. You don't seem to contribute anything at all to the list, other than your obnoxiousness, and your desire to start flamewars, which presumably give you some kind of jollies.
Yes, most of us saw this today on slashdot, if nowhere else. I would expect RH to have the fix out in a day or two, and CentOS to have it out the same day.
mark
Mark,
I don't want to raise the drama, so please don't take this wrong. In this case though, I do think that a warning on the ML about a security issue is justified. You can't be too careful.
That said, Larry, your recent messages to the list have been problematic. Reactions like this to your messages should be a pretty clear indication that your messages have been less than contributing to the community. Take a step back and think about your posts until stress has diminished.
Everyone else; I'll admit right off that I am just another user. That said, there are list admins. If there are issues with a given poster, please locate these admins and send a private email. This is equal parts effective and helps to keep the drama to a minimum.
With this, I'll withdraw from this discussion.
I don't want to raise the drama, so please don't take this wrong. In this case though, I do think that a warning on the ML about a security issue is justified. You can't be too careful.
Except that this issue does not affect BIND in rhel and thus CentOS therefore making it yet more pointless drivel from the OP.
He obviously has a fascination with the BIND version in rhel but after reading all his nonsense and looking at the texoma site I doubt it had anything to do with the alleged hack of his server.
James
Many thanks to Markus Falb for publishing his excellent research - the same research that Larry could also have done.
"This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."
James Hogarth wrote:
He obviously has a fascination with the BIND version ...
Larry doesn't. Larry is desperate to win 'approval' or 'praise' from others. He means well. Larry should seek help, confide in someone and unload all his problems privately and confidentially. Then he will be, and feel, a lot better.
Great to know this list has good researchers like Markus Falb.
With best regards,
Paul. England, EU.
On Wed, Feb 23, 2011 at 1:14 PM, Always Learning centos@g7.u22.net wrote:
Many thanks to Markus Falb for publishing his excellent research - the same research that Larry could also have done.
"This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."
You are overlooking those on the list who are affected. Enuf said.
On Wed, 2011-02-23 at 13:23 -0600, Larry Vaden wrote:
On Wed, Feb 23, 2011 at 1:14 PM, Always Learning centos@g7.u22.net wrote:
Many thanks to Markus Falb for publishing his excellent research - the same research that Larry could also have done.
"This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."
You are overlooking those on the list who are affected. Enuf said.
Larry,
I suspect the vast majority of Centos 5 users simply install Centos software. They do not routinely install non-Centos versions to replace Centos versions.
This list is about Centos versions of software - hence its simple title, the "Centos Mailing List".
If a user installs non-Centos versions of software it is for the user to take extra precautions in case of bugs affecting non-Centos software.
If you had done the necessary research Centos users would not get alarmed at serious reports of dangerous bugs in Centos software. Your posting clearly inferred the dangers affected the Centos version which, it subsequently transpired, was untrue. I hope you can understand this point that there is a distinct difference between Centos application software and non-Centos application software running on the Centos operating system.
With best regards,
Paul. England, EU.
On 2/23/2011 2:23 PM, Larry Vaden wrote:
On Wed, Feb 23, 2011 at 1:14 PM, Always Learning centos@g7.u22.net wrote:
Many thanks to Markus Falb for publishing his excellent research - the same research that Larry could also have done.
"This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."
You are overlooking those on the list who are affected. Enuf said.
Larry,
Did you get your broken nameserver(s) fixed? Or are you maybe just complaining here trying to get a new release out which more than likely will not fix your issue, but it is easier to blame CentOS than to look at your install? If so, you more than likely will be let down when you find there is no magic wand in a new update.
That said... I personally believe that upstream provides a rather stock install of bind, perhaps meant more for an intranet than the internet? Bind just might be the single hardest part of running a webserver. But, I spent a number of days reading on hardening bind and then the testing and moving into production. Larry, have you done this?
If texoma.net is one of the affected domains, I note that there are some problems with DNS for that domain. The 2 level3.net nameservers are not providing either full or maybe correct information. If this is the case for other domains you manage, this is a serious problem and as DNS can be rather finicky, might be the root of your entire perceived problem.
And, if you think you had an injection, please do some googling on hardening bind. There is a lot of good information out there. To me, this is what is needed today and is well beyond a standard bind installation done by CentOS.
If in fact texoma.net is an example of the problem with all of the domains under your control, please fix your own house and quit complaining here until you have cleaned up things on your end. What I see has 0 to do with the bind version on CentOS. In fact, if you don't fix this before an upgrade, you may have a larger mess afterwards.
I don't envy the task as I know very well that this is not easy. Alternatively, maybe you should consider using a service such as dnsmadeeasy... although they recently experienced a significant downtime themselves due to a huge DoS attack coming in from all over the world.
Is it possibly a bit hypocritical to complain about other people's houses being dirty when you live in a dirty house yourself?
Best, John Hinton
On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hogarth@gmail.com wrote:
Except that this issue does not affect BIND in rhel and thus CentOS therefore making it yet more pointless drivel from the OP.
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
On the one hand, you have Paul Vixie and crew (authors of BIND) and US-CERT saying "US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3." On the other hand, you have "don't bother me with reality, I'm comfortable, am not affected and don't want to read messages to those who are affected."
Wisdom from a top security manager at Internet2 was presented on this list. Ignore his advice all you want.
2011/2/23 Larry Vaden vaden@texoma.net:
On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hogarth@gmail.com wrote:
Except that this issue does not affect BIND in rhel and thus CentOS therefore making it yet more pointless drivel from the OP.
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
It is not wise to install packages from sources because it messes up the package management.
-- Eero
On Wed, Feb 23, 2011 at 1:25 PM, Eero Volotinen eero.volotinen@iki.fi wrote:
It is not wise to install packages from sources because it messes the package management.
Agreed; that is why folks like Jeff Johnson and John Stanley share their knowledge about how to do it such that your outcome doesn't occur.
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
On the one hand, you have Paul Vixie and crew (authors of BIND) and US-CERT saying "US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3." On the other hand, you have "don't bother me with reality, I'm comfortable, am not affected and don't want to read messages to those who are affected."
I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported? So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?
And yeah I suppose rolling your own is always an option but in my experience it's too easy to get behind. This seems more like a Slackware approach tho, nothing against Slack of course!
Josh
On Wed, Feb 23, 2011 at 07:28:15PM +0000, Trutwin, Joshua wrote:
[ > Larry Vaden wrote: (please don't snip attributions)]
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
If they have compiled from source then it is by definition not a CentOS issue.
On the one hand, you have Paul Vixie and crew (authors of BIND) and US_CERT saying "US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3."
Anyone running a CentOS-provided version of BIND is not using an affected version.
On the other hand, you have "don't bother me with reality, I'm comfortable, am not affected and don't want to read messages to those who are affected."
Those messages are offtopic on this mailing list, so I sympathize with people who have the attitude you describe. Someone who had more credibility with the list might be able to post offtopic messages (which they would have marked [OT]) without causing a flamewar.
I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported? So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?
If you're running BIND 9.5.1, you are not susceptible to the bug that Larry posted at all. In general, security bugs that are applicable to RHEL packages are patched upstream then rebuilt and released by CentOS.
And yeah I suppose rolling your own is always an option but in my experience it's to easy to get behind. This seems more like a Slackware approach tho, nothing against Slack of course!
Rolling one's own is an option for any distribution, including CentOS. But rolling one's own by definition removes those packages from the support stream for that distro, so should be taken into consideration when deciding whether to roll one's own or not.
--keith
On 2/23/2011 1:21 PM, Larry Vaden wrote:
On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth james.hogarth@gmail.com wrote:
Except that this issue does not affect BIND in rhel and thus CentOS therefore making it yet more pointless drivel from the OP.
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
Someone who thinks they can do things better themselves than RH does it probably isn't going to take advice from a random mail list poster. And when you compile your own source you take on the responsibility of tracking updates yourself.
On Wed, 23 Feb 2011, Larry Vaden wrote:
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
and it is on topic in this venue, just how? You might as well exhort:
- Look both ways before crossing the street
- Always buckle your seatbelt
- Never use an ISP that requires providing sufficient personal information as needed to facilitate identity theft [1]; and solicits credit card information without any indication of PCI/CISP controls or privacy policy [2]
Mailman provides for 'per poster' moderation. It's time here, I think
-- Russ herrold
1. http://www.texoma.net/it/pricing.html "All suscribers [sic] must supply their choice of social security or driver's license number for unique identification within our accounting system"
2. https://secure.texoma.net/make_payment.php
R P Herrold wrote:
On Wed, 23 Feb 2011, Larry Vaden wrote:
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
and it is on topic in this venue, just how? You might as well exhort:
<snip>
Mailman provides for 'per poster' moderation. It's time here, I think
Moderator - here's a second vote to moderate Larry *out*.
mark
On Wed, Feb 23, 2011 at 2:43 PM, R P Herrold herrold@owlriver.com wrote:
- Never use an ISP that requires providing sufficient personal information as needed to facilitate identity theft [1]; and solicits credit card information without any indication of PCI/CISP controls or privacy policy [2]
Thanks for the constructive criticism. The pricing page has been taken down until it can be updated. The language is from 1995.
Wrt the payment mechanism, that will take longer to fix, but we will fix it.
We will also look at BCPs wrt privacy.
Again, thanks for the constructive criticism.
Larry Vaden wrote on Wed, 23 Feb 2011 13:21:23 -0600:
Please take off the blinders and realize there are lots of folks (some x% of a million or more) on this list who compile from current source in order to minimize their risks and are therefore the subject audience.
Nonsense, there is no "minimization of risk" by doing so.
Please don't argue about the worthiness of your information. It's been said to you time and again that most here do not wish to see that kind of "information". Thanks.
Kai
On 23.2.2011 18:27, Larry Vaden wrote:
US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
Ahhh!
Have a look at the relevant bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=679496 and read
...snip This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6. snap...
On Wed, February 23, 2011 13:07, Markus Falb wrote:
On 23.2.2011 18:27, Larry Vaden wrote:
US-CERT encourages users and administrators using the affected versions of BIND to upgrade to BIND 9.7.3.
Optionally, one can wait on a backport.
Ahhh!
Have a look at the relevant bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=679496 and read
...snip This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6. snap...
I guess this is what you get when you settle for an 'enterprisey' distro. Dated software that somebody else got to find the bugs in. Poor chaps.