[CentOS] BIND vulnerability

Wed Jul 29 17:29:38 UTC 2009
Lucian@lastdot.org <lucian at lastdot.org>

On Wed, Jul 29, 2009 at 5:59 PM, David Hrbáč<hrbac.conf at seznam.cz> wrote:
> RedShift wrote:
>> According to a commenter, this should provide a temporary countermeasure:
>>
>> iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
>>
>> Haven't tested it, would like to know the results...
>>
>
> Well, good point, but CentOS does not ship libipt_u32.so. Even more,
> CentOS 4.x is now undergoing the rebuild process, so no updates, not even
> security updates, are being released. Which is something I can accept.
>
> Those looking for a patched bind for CentOS 4.x may use packages I have
> built with the CVE-2009-0696 patch.
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/letter_b.group.html
> http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/letter_b.group.html

Well done, David, but there's a little problem with those rpms:
Preparing...                ########################################### [100%]
        package bind-libs-9.2.4-30.el4_7.2 (which is newer than bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-utils-9.2.4-30.el4_7.2 (which is newer than bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-9.2.4-30.el4_7.2 (which is newer than bind-9.2.4-30.el4.hrb.2.1) is already installed
        package bind-chroot-9.2.4-30.el4_7.2 (which is newer than bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed
Maybe you can bump the version a bit.

>
> Regards,
> David Hrbáč
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
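The iptables workaround quoted in the thread matches on a fixed byte offset, so it helps to see exactly what the u32 expression '30>>27&0xF=5' computes. The following Python is an added example (it is not code from the thread, from ISC or from CentOS) that emulates the u32 match on constructed IPv4/UDP packets; the packet builder, the sample addresses and ports, and the function names are all assumptions made here for illustration.

```python
"""Emulate the iptables u32 match '30>>27&0xF=5' on constructed packets (added example).

The expression reads the 32-bit word at byte offset 30 of the IPv4 packet, shifts it
right by 27 bits (leaving the top five bits of byte 30: the DNS QR bit followed by the
4-bit Opcode) and masks to the Opcode.  Opcode 5 is DNS UPDATE.
Offset 30 = 20 (IPv4 header without options) + 8 (UDP header) + 2 (DNS ID field).
"""
import struct

UDP_HEADER_LEN = 8
DNS_OPCODE_QUERY = 0
DNS_OPCODE_UPDATE = 5


def u32_match(packet: bytes, offset: int = 30, shift: int = 27, mask: int = 0xF, value: int = 5) -> bool:
    """Python rendering of the u32 test  offset>>shift&mask=value  on a single packet."""
    if len(packet) < offset + 4:          # u32 does not match if the word is not present
        return False
    word = struct.unpack("!I", packet[offset:offset + 4])[0]
    return ((word >> shift) & mask) == value


def dns_opcode(packet: bytes, ip_header_len: int) -> int:
    """Read the DNS Opcode properly, honouring the real IP header length."""
    flags_hi = packet[ip_header_len + UDP_HEADER_LEN + 2]
    return (flags_hi >> 3) & 0xF


def build_udp_dns_packet(opcode: int, qr: int = 0, ip_options_len: int = 0) -> bytes:
    """Constructed sample: minimal IPv4/UDP datagram to port 53 carrying only a DNS header."""
    ihl_bytes = 20 + ip_options_len
    dns_flags = (qr << 15) | ((opcode & 0xF) << 11)
    dns_header = struct.pack("!HHHHHH", 0x1234, dns_flags, 0, 0, 0, 0)
    udp_len = UDP_HEADER_LEN + len(dns_header)
    udp_header = struct.pack("!HHHH", 40000, 53, udp_len, 0)   # UDP checksum 0 = absent
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl_bytes // 4), 0, ihl_bytes + udp_len,
                            0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    ip_header += b"\x00" * ip_options_len     # zero padding standing in for IP options (constructed)
    return ip_header + udp_header + dns_header


def rule_verdicts() -> dict:
    """Apply the emulated rule to four constructed packets and report DROP/pass for each."""
    samples = {
        "update_request": build_udp_dns_packet(DNS_OPCODE_UPDATE),
        "ordinary_query": build_udp_dns_packet(DNS_OPCODE_QUERY),
        "update_response": build_udp_dns_packet(DNS_OPCODE_UPDATE, qr=1),
        "update_with_ip_options": build_udp_dns_packet(DNS_OPCODE_UPDATE, ip_options_len=4),
    }
    return {name: ("DROP" if u32_match(pkt) else "pass") for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in rule_verdicts().items():
        print(f"{name:24s} -> {verdict}")
```

Running it shows the rule's scope: ordinary queries pass and UPDATE requests are dropped, but so are UPDATE responses (the QR bit is shifted out before the mask), and an UPDATE carried in a packet with IP options slips past because the fixed offset 30 then lands in the UDP checksum rather than the DNS flags (`dns_opcode(pkt, 24)` still reports 5 for that packet). The u32 match can follow the IP header length instead, using the `0>>22&0x3C@` idiom documented in iptables-extensions(8); the rule also covers only UDP, not DNS over TCP, and, as David notes, needs libipt_u32.so, which CentOS did not ship.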
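The rpm output Lucian pasted is decided by rpm's release-string comparison: 30.el4_7.2 is judged newer than 30.el4.hrb.2.1 because, once the common "30.el4" prefix is consumed, the stock package has the numeric segment "7" where the rebuilt package has the alphabetic segment "hrb", and rpm ranks a numeric segment above an alphabetic one. The following re-implementation of rpmvercmp() is an added example written here (it is not rpm's source and not David's packaging); the bumped release string used to show a fix is a constructed illustration, not the value David chose.

```python
"""Re-implementation of rpm's rpmvercmp() segment comparison (added example).

Version and release strings are walked segment by segment: runs of digits and runs of
letters are compared in turn, separators such as '.', '_' and '-' are skipped, and when
one side has a digit run where the other has a letter run, the digit side is newer.
Tilde ('~') sorts before anything, including the end of the string; the caret rule of
later rpm releases is omitted.
"""
import re

_SEP = re.compile(r"[^A-Za-z0-9~]*")    # characters rpm skips between segments
_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if they compare equal."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one = one[_SEP.match(one).end():]
        two = two[_SEP.match(two).end():]
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        numeric = one[0].isdigit()
        pat = _NUM if numeric else _ALPHA
        seg1 = pat.match(one).group()
        m2 = pat.match(two)
        seg2 = m2.group() if m2 else ""
        if not seg2:                      # segment types differ: numeric beats alpha
            return 1 if numeric else -1
        if numeric:
            cmp1, cmp2 = seg1.lstrip("0"), seg2.lstrip("0")   # longer digit run is larger
            if len(cmp1) != len(cmp2):
                return 1 if len(cmp1) > len(cmp2) else -1
        else:
            cmp1, cmp2 = seg1, seg2
        if cmp1 != cmp2:
            return 1 if cmp1 > cmp2 else -1
        one, two = one[len(seg1):], two[len(seg2):]
    if not one and not two:
        return 0
    return -1 if not one else 1          # whichever side still has characters left wins


def rpm_evr_cmp(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) tuples in order, as rpm does when deciding upgrades."""
    for x, y in zip(a, b):
        r = rpmvercmp(str(x), str(y))
        if r:
            return r
    return 0


def install_decision(installed: tuple, candidate: tuple) -> str:
    """Mirror rpm -U's outcome for a candidate package against the installed one."""
    r = rpm_evr_cmp(candidate, installed)
    if r > 0:
        return "upgrade"
    if r == 0:
        return "already installed"
    return "installed package is newer"


# Values from the thread: the stock CentOS 4 package and the rebuilt one.
INSTALLED = ("0", "9.2.4", "30.el4_7.2")
HRB = ("0", "9.2.4", "30.el4.hrb.2.1")
# Constructed illustration of a release bump that sorts above the stock package.
HRB_BUMPED = ("0", "9.2.4", "30.el4_7.2.hrb.1")

if __name__ == "__main__":
    print("rebuilt as published:", install_decision(INSTALLED, HRB))
    print("rebuilt with bumped release:", install_decision(INSTALLED, HRB_BUMPED))
```

The practical rule for a patched rebuild of a vendor package is to keep the vendor's full release string as a prefix and append the local tag and counter after it, so the package both sorts above what is installed and stays below the vendor's next genuine update; only the segment-by-segment comparison above tells you whether a chosen string actually does that.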