#1
13th March 2013, 15:16
jims_a_winner (Junior Member)
BIND Version Vulnerabilities.

I have been using ISPConfig3 for several years now. I have recently run into an issue involving Payment Card Industry compliance: I have to get PCI compliance on all my servers.

I am running ISPConfig 3 on CentOS 6.3 (64bit) and have followed the perfect server guide (apache/courier).

I have managed to resolve all my compliance issues except one: BIND! Here is an extract from the security scan.

Quote:
Title: vulnerable BIND version: 9.8.2rc1
Impact: This document covers several BIND vulnerabilities that malicious users can exploit to gain unauthorized, privileged access to target machines, disrupt service on target machines, or launch DNS spoofing attacks.
Data Received: version.bind.??0?CH?TXT?"9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6"
Resolution: Check for package updates from the vendor. Upgrade BIND to 9.7.6-P4, 9.6-ESV-R7-P4 or higher. For BIND 9.8.x, upgrade to version higher than 9.8.4-P1, and for 9.9.x, upgrade to version higher than 9.9.2-P1. As a workaround, ensure that the RPZ contains a AAAA rewrite rule for every A rewrite rule. The latest version of BIND is available from the [http://www.isc.org/products/BIND] Internet Software Consortium.
Risk Factor: High/ CVSS2 Base Score: 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C)
CVE: CVE-2012-1667
BID: 55852
Additional CVEs: CVE-2012-5688, CVE-2012-5166, CVE-2012-4244, CVE-2012-3817, CVE-2012-5689

Any information on this issue, or how I can go about updating my BIND build, or, if this version is patched, where I can get the patch information to prove that this build of BIND is not vulnerable anymore.

Kind Regards,
Jim
#2
13th March 2013, 15:55
till (Super Moderator)

You should consider asking this question to the CentOS devs on the CentOS dev mailing list.
__________________
Till Brehm
#3
13th March 2013, 16:30
jims_a_winner (Junior Member)

Can anyone send a message to the developers? I understand I just send a message with my query to centos-devel@centos.org?

Thank you for the information, I was more concerned that if I performed an update to the BIND version I would cause problems with the running of my freshly installed ISPConfig server! (I have spent about 10 days configuring all the services to become compliant)

If/when I get an answer from the CentOS developers, I will post back here with the results.

Thanks for your help, till.

Jim
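
Added example, not part of the original thread and not CentOS or ISC tooling: one way to collect the evidence asked about in the first post, assuming the distribution names backported fixes in the RPM changelog. The function name `check_cves` and the sample changelog are constructed for illustration; on a live system the changelog comes from `rpm -q --changelog bind`.

```shell
#!/bin/sh
# Report which CVE IDs from a scan finding are named in a package changelog.
# Assumption: the vendor lists backported security fixes by CVE ID there.

# CVE IDs taken from the scan extract quoted in the first post.
SCAN_CVES="CVE-2012-1667 CVE-2012-5688 CVE-2012-5166 CVE-2012-4244 CVE-2012-3817 CVE-2012-5689"

# check_cves CHANGELOG_TEXT CVE...
# Prints "<id> listed" or "<id> NOT-listed" for each CVE.
# Returns 0 only when every CVE is named in the changelog text.
check_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        # -F: literal match, -w: whole word, so CVE-2012-5688 does not
        # match a longer ID such as CVE-2012-56881.
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve listed"
        else
            echo "$cve NOT-listed"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample changelog (NOT the real CentOS bind changelog).
SAMPLE_CHANGELOG='* Tue Jan 01 2013 Example Packager <packager@example.invalid> - example-2
- fix CVE-2012-5688
- fix CVE-2012-5166
* Mon Oct 01 2012 Example Packager <packager@example.invalid> - example-1
- fix CVE-2012-4244'

# Demonstration on the constructed sample.
check_cves "$SAMPLE_CHANGELOG" $SCAN_CVES || true

# On a live RPM-based system (unquoted $SCAN_CVES splits into one ID per argument):
#   check_cves "$(rpm -q --changelog bind)" $SCAN_CVES
```

A NOT-listed result only means the changelog does not name that ID, not that the build is vulnerable; the vendor's advisory for that ID is the place to confirm.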