I have been using ISPConfig3 for several years now, I have recently run into an issue involving Payment Card Industry Compliance, I have to get PCI Compliance on all my servers.
I am running ISPConfig 3 on CentOS 6.3 (64bit) and have followed the perfect server guide (apache/courier).
I have managed to resolve all my compliance issues except one! BIND!. Here is an extract from the security scan.
Title: vulnerable BIND version: 9.8.2rc1 Impact: This document covers several BIND vulnerabilities that malicious users can exploit to gain unauthorized, privileged access to target machines, disrupt service on target machines, or launch DNS spoofing attacks. Data Received: version.bind.??0?CH?TXT?"9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6" Resolution: Check for package updates from the vendor. Upgrade BIND to 9.7.6-P4, 9.6-ESV-R7-P4 or higher. For BIND 9.8.x, upgrade to version higher than 9.8.4-P1, and for 9.9.x, upgrade to version higher than 9.9.2-P1. As a workaround, ensure that the RPZ contains a AAAA rewrite rule for every A rewrite rule. The latest version of BIND is available from the [http://www.isc.org/products/BIND] Internet Software Consortium. Risk Factor: High/ CVSS2 Base Score: 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C) CVE: CVE-2012-1667 BID: 55852 Additional CVEs: CVE-2012-5688CVE-2012-5166CVE-2012-4244CVE-2012-3817CVE-2012-5689[Less]
Any information on this issue or how I can go about updating my BIND build or if this version is patched where I can get the patch information to prove that this build of BIND is not vulnerable anymore.