On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce <pierce at hogranch.com> wrote:
> On 02/23/11 6:08 PM, Machin, Greg wrote:
>>
>> Hi.
>>
>> I have had an enquiry from the Network and Security guy. He wants to
>> know why CentOS 5.5 / RHEL 5 is using a very old version of bind
>> "bind-chroot-9.3.6-4.P1.el5_5.3" when the latest release that has many
>> security fixes is on 9.7.3. I understand that it's to maintain a known
>> stable platform by not introducing new elements etc. Is there an
>> official explanation / document that I can direct him to?
>>
>
> to put it bluntly, your security guy is pretty much worthless as such if
> he thinks security is audited by checking version numbers.
>
> sadly, this is too common.

No, it's actually useful. Backporting is painful, expensive, and often unreliable, and leaves any unpublished zero-day exploits in the wild. It also indicates feature incompatibility with other tools that rely on the new features.

I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions; OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.
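The disagreement above is about what a version string such as bind-chroot-9.3.6-4.P1.el5_5.3 actually tells you on an enterprise distribution. The following added example (not from this thread or from any of its authors) shows the check that answers the security reviewer's question: split the package string to see that the upstream version alone is 9.3.6, then look for specific CVE identifiers in the RPM changelog, where Red Hat records backported fixes. The changelog text and the CVE ids are constructed placeholders so the script runs offline; on a real CentOS/RHEL host the same functions would be fed the output of `rpm -q --changelog bind`.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates auditing backported
# fixes via the RPM changelog rather than by comparing upstream version
# numbers. All sample data below is constructed; the CVE ids are placeholders.

# Constructed changelog excerpt modelled on what `rpm -q --changelog` prints.
SAMPLE_CHANGELOG='* Tue Jan 01 2011 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.3
- fix CVE-0000-0001 (constructed placeholder id)
- fix CVE-0000-0002 (constructed placeholder id)
* Mon Dec 01 2010 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.2
- rebuild against updated openssl'

# package_name NVR   -> "bind-chroot"
# upstream_version NVR -> "9.3.6"
# package_release NVR -> "4.P1.el5_5.3"
# RPM NVR strings are name-version-release; version and release are the last
# two hyphen-separated fields, the name may itself contain hyphens.
package_release() {
    printf '%s\n' "${1##*-}"
}
upstream_version() {
    nv=${1%-*}
    printf '%s\n' "${nv##*-}"
}
package_name() {
    nv=${1%-*}
    printf '%s\n' "${nv%-*}"
}

# changelog_has_cve CHANGELOG CVE-ID -> exit 0 if the id appears, 1 otherwise
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# cve_fix_status CHANGELOG CVE-ID -> prints "backported" or "not-referenced".
# "not-referenced" means the vendor changelog does not claim the fix; it is the
# cue to check the vendor errata, not proof that the package is vulnerable.
cve_fix_status() {
    if changelog_has_cve "$1" "$2"; then
        echo backported
    else
        echo not-referenced
    fi
}

# installed_cve_status PACKAGE CVE-ID -> same as above, but reads the changelog
# of the installed package. Only usable on an RPM-based host.
installed_cve_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available" >&2
        return 2
    fi
    cve_fix_status "$(rpm -q --changelog "$1")" "$2"
}

# Stand-alone demonstration on the constructed data.
pkg=bind-chroot-9.3.6-4.P1.el5_5.3
echo "package:  $(package_name "$pkg")"
echo "version:  $(upstream_version "$pkg")   (upstream version only)"
echo "release:  $(package_release "$pkg")   (vendor release carrying backports)"
for cve in CVE-0000-0001 CVE-0000-0002 CVE-0000-0003; do
    echo "$cve: $(cve_fix_status "$SAMPLE_CHANGELOG" "$cve")"
done
```

The point the script makes concrete is that "9.3.6" is the same for every vendor release of the package, while the release field and the changelog are where the security history lives; the version-number comparison the reviewer wanted to make would flag the package as outdated no matter how many fixes Red Hat had backported into 4.P1.el5_5.3.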