Slashdot carried this story yesterday on a BIND vulnerability:
<http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulner[..]>
The upstream report:
<https://www.isc.org/node/474>
Red Hat's Bugzilla:
<https://bugzilla.redhat.com/show_bug.cgi?id=514292>
is vulnerable, even if dynamic DNS isn't being used.
Yes, which is one of many reasons why a zone master is usually set up to
not be publicly available.
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
According to a commenter, this should provide a temporary countermeasure:
iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
Haven't tested it, would like to know the results...
Glenn
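To see what that u32 expression actually tests, here is an added example (mine, not from the thread or from the commenter who posted the rule): it evaluates the same load/shift/mask arithmetic against constructed sample packets and, for comparison, decodes the DNS OPCODE field by walking the headers properly. The helper names, the 192.0.2.x placeholder addresses and the sample packets are all assumptions for the demonstration.

```python
import struct

# Wire layout the u32 expression '30>>27&0xF=5' assumes: a 20-byte IPv4 header
# with no options, then an 8-byte UDP header, so the DNS header starts at byte
# 28 and its 16-bit flags word (QR, OPCODE, AA, ...) sits at bytes 30-31.
UDP_HDR_LEN = 8
OPCODE_QUERY = 0    # ordinary lookup
OPCODE_UPDATE = 5   # RFC 2136 dynamic update, the message type the rule drops


def u32_match(packet: bytes, offset: int = 30, shift: int = 27,
              mask: int = 0xF, value: int = 5) -> bool:
    """Evaluate a u32 test written as 'offset>>shift&mask=value': load the
    big-endian 32-bit word at byte `offset`, shift it right, mask, compare.
    Like the kernel match, the test fails (no match) if the load would run
    past the end of the packet."""
    if len(packet) < offset + 4:
        return False
    word = struct.unpack_from("!I", packet, offset)[0]
    return ((word >> shift) & mask) == value


def dns_opcode(packet: bytes) -> int:
    """Decode the DNS OPCODE by walking the headers properly (honouring the
    IPv4 IHL field), to show what the fixed-offset bit test above selects."""
    ihl = (packet[0] & 0x0F) * 4
    flags = struct.unpack_from("!H", packet, ihl + UDP_HDR_LEN + 2)[0]
    return (flags >> 11) & 0xF


def build_packet(opcode: int, qr: int = 0, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 + UDP + a bare 12-byte DNS header.
    Addresses, ports and checksums are placeholders; `ip_options` must be a
    multiple of 4 bytes and lets the caller probe the no-options assumption."""
    flags = (qr << 15) | ((opcode & 0xF) << 11)
    dns = struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0)
    ihl_words = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     20 + len(ip_options) + len(udp) + len(dns), 0, 0, 64, 17,
                     0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02") + ip_options
    return ip + udp + dns


if __name__ == "__main__":
    for label, pkt in [("query", build_packet(OPCODE_QUERY)),
                       ("update", build_packet(OPCODE_UPDATE)),
                       ("update with IP options",
                        build_packet(OPCODE_UPDATE, ip_options=b"\x01" * 4))]:
        print(f"{label:24s} opcode={dns_opcode(pkt)} u32 rule matches={u32_match(pkt)}")
```

What the example shows: after the shift, the top bit of the remaining five is QR and the low four are OPCODE; the `&0xF` discards QR, so the rule matches UPDATE messages whether they are requests or responses, and nothing else. It also shows the limits of a fixed-offset test: an IPv4 header carrying options moves the DNS header, so the same UPDATE packet is no longer matched, and the rule says nothing about IPv6 or TCP. It is a stopgap until the patched packages are in, not a substitute for them.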
RedShift wrote:
Well, good point, but CentOS does not ship libipt_u32.so. Moreover,
CentOS 4.x is now undergoing the rebuild process, so no updates, not even
security updates, are being released. Which is something I can accept.
Those looking for a patched bind for CentOS 4.x may use packages I have
built with the CVE-2009-0696 patch:
http://fs12.vsb.cz/hrb33/el4/hrb/testing/i386/repoview/lette[..]
http://fs12.vsb.cz/hrb33/el4/hrb/testing/x86_64/repoview/let[..]
Regards,
David Hrbáč
Well done, David, but there's a little problem with those rpms:
Preparing... ########################################### [100%]
package bind-libs-9.2.4-30.el4_7.2 (which is newer than
bind-libs-9.2.4-30.el4.hrb.2.1) is already installed
package bind-utils-9.2.4-30.el4_7.2 (which is newer than
bind-utils-9.2.4-30.el4.hrb.2.1) is already installed
package bind-9.2.4-30.el4_7.2 (which is newer than
bind-9.2.4-30.el4.hrb.2.1) is already installed
package bind-chroot-9.2.4-30.el4_7.2 (which is newer than
bind-chroot-9.2.4-30.el4.hrb.2.1) is already installed
Maybe you can bump the version a bit.
There are packages linked to people.redhat.com that point at the ones in
QA at Red Hat at the moment; I would recommend you use those.
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
On Wednesday, July 29, 2009 6:36 PM +0100 Karanbir Singh
RHEL errata are up:
Red Hat Enterprise Linux 5
Via RHSA-2009:1179 https://rhn.redhat.com/errata/RHSA-2009-1179.html
Red Hat Enterprise Linux 4
Via RHSA-2009:1180 https://rhn.redhat.com/errata/RHSA-2009-1180.html
The localhost 127.0.0.1 zone can also be used as an attack vector
according to the folks on the DNS Ops list, so it's looking like
pretty much every bind installation will need to be updated.
--Chris
to pass it along...
Ray
Ok, thanks, but
where exactly am I to see something useful on people.redhat.com? I can
only see an image.
This is the head of the thread:
https://lists.dns-oarc.net/pipermail/dns-operations/2009-Jul[..]
Some of the relevant discussion:
"Testing indicates that the attack packet has to be formulated against a
zone for which that machine is a master. Launching the attack against
slave zones does not trigger the assert.
We tested that removing the zones which are typically there by
default, and in mode master (such as localhost and
0.0.127.in-addr.arpa) works fine: the published exploit no longer
works afterwards.
This can be an interim solution for those who don't have a clean
upgrade path (for instance, RHEL did not push the patch yet).
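The interim workaround quoted above comes down to knowing which zones a given named serves as master, since those are the ones the report says the crafted packet has to target. Below is an added example, not from the list thread and not ISC's or CentOS's code: a small scanner that lists the `type master` zones in a named.conf, run over a constructed configuration fragment modelled on the default localhost zones mentioned. It strips comments and matches braces itself so that nested blocks such as `allow-update { ... };` do not end a zone early; it does not follow `include` statements, so those files need to be scanned separately.

```python
import re


def strip_comments(text: str) -> str:
    """Remove the three named.conf comment forms: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def zone_blocks(conf: str):
    """Yield (zone name, body between the braces) for every zone statement,
    whether at top level or inside a view block."""
    text = strip_comments(conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"\s*(?:[A-Za-z]+\s+)?\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def zones_by_type(conf: str) -> dict:
    """Map each zone name to its declared type (master, slave, hint, ...)."""
    result = {}
    for name, body in zone_blocks(conf):
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        result[name] = t.group(1) if t else "unknown"
    return result


def master_zones(conf: str) -> list:
    """The zones this server answers for authoritatively as primary."""
    return [name for name, t in zones_by_type(conf).items() if t == "master"]


# Constructed sample config: the two default local zones as master, a root
# hint zone, one secondary zone, and a commented-out zone that must be ignored.
SAMPLE_NAMED_CONF = """\
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN {
    type master; file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; };
zone "example.org" { type slave; masters { 192.0.2.1; }; file "slaves/example.org"; };
// zone "commented.out" { type master; file "old.zone"; };
"""

if __name__ == "__main__":
    for name in master_zones(SAMPLE_NAMED_CONF):
        print("master zone:", name)
```

On a caching-only resolver the output should be just the two local zones from the default configuration; anything else listed is a zone the interim workaround would also have to move or remove, which is rarely acceptable on an authoritative server and is why the patched packages remain the real fix.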
Lucian******* wrote:
Right... 30.el4_7.2 > 30.el4.hrb.2.1 :o) I do not want to change the
version more because:
- I do not want to have el4_7, it's not a CentOS release
- EL4.8 ships 30.el4_8.4
So I do not want to release 31.el4_7.2 ...
As to the included patch, it is the very same code RH released within the
latest errata.
Regards,
David
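The "which is newer than ... is already installed" output earlier in the thread and David's reply above both turn on how rpm orders release tags: it compares segment by segment, ignores the separators, and a numeric segment always outranks an alphabetic one in the same position, so `30.el4.hrb.<anything>` can never win against `30.el4_7.2` and only a change in the leading number would. The following is an added example, a Python reimplementation of that algorithm as rpm's rpmvercmp() defines it (not rpm's own code and not from the thread), with the release tags from the thread as inputs. The tilde rule is included because later rpm versions honour it; the `compare_evr` helper and its name are mine.

```python
def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp():
    1 if a is newer, -1 if older, 0 if equal. Rules, in order: separators are
    ignored; '~' sorts before anything, even the end of the string; a numeric
    segment beats an alphabetic one at the same position; numeric segments
    compare by value, alphabetic ones lexically; when one string runs out
    first, the one with segments left over is newer."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if not (i < len(a) and j < len(b)):
            break
        si, sj = i, j
        isnum = a[i].isdigit()
        probe = str.isdigit if isnum else str.isalpha
        while i < len(a) and probe(a[i]):
            i += 1
        while j < len(b) and probe(b[j]):
            j += 1
        if i == si:          # defensive: never stall on an odd character
            i += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:        # numeric vs alphabetic at the same position
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def compare_evr(a, b) -> int:
    """Compare (epoch, version, release) tuples the way rpm orders packages:
    epoch numerically first, then version, then release."""
    ea, va, ra = a
    eb, vb, rb = b
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


if __name__ == "__main__":
    for x, y in [("30.el4_7.2", "30.el4.hrb.2.1"),
                 ("30.el4.hrb.99", "30.el4_7.2"),
                 ("31.el4.hrb.1", "30.el4_7.2"),
                 ("30.el4_8.4", "30.el4_7.2")]:
        print(f"{x:16s} vs {y:16s} -> {rpmvercmp(x, y):+d}")
```

The second pair is the point of David's reply: bumping the trailing numbers of an `el4.hrb` tag can never overtake the `el4_7.2` the vendor shipped, because at the fourth segment rpm sees a number against the word `hrb`; the third pair shows the only kind of bump that would, which collides with what EL4.8 ships. When the ordering is in doubt, `rpm -Uvh` refusing the install is the safe outcome; forcing it with `--oldpackage` is how a box ends up silently downgraded past a security fix.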
The CentOS update has now been released; you should be able to yum
update on C5 already.
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
Lucian******* wrote:
Maybe he is pointing to http://people.redhat.com/atkac/bind/. But I do
not see the point. This is the RHEL 4.8 version with the patch. Anyone running
CentOS 4.8? I'm still with 4.7, so bind-libs-9.2.4-30.el4_7.2 with the patch
is the way for me, far better than having unpatched bind and waiting
another couple of weeks to get bind updated finally. Sorry.
David Hrbáč
http://lists.centos.org/pipermail/centos-devel/2009-July/004[..]
I've updated 2 machines and had no problems here. But some wider
testing would be good, and we can get them into the main repos so more
people benefit.
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
4.8 packages for the most part should install on 4.7 w/o a fuss.
I installed 4.6 packages on 4.4 for quite some time, and I install
some 5.3 packages on 5.2 without any issues. One of the nice
things about a stable (binary compatibility) distro.
nate
(Apologies if this isn't in the thread properly; I'm trying to fake it from
the website headers :-))
I just updated one machine; the process ended up with named not running.
I did
rpm -Uvh bind-utils-9.2.4-30.el4_8.4.i386.rpm bind-9.2.4-30.el4_8.4.i386.rpm bind-libs-9.2.4-30.el4_8.4.i386.rpm
and got
Jul 29 20:29:15 linode named: succeeded
Jul 29 20:29:16 linode named[2873]: shutting down: flushing changes
Jul 29 20:29:16 linode named[2873]: stopping command channel on 127.0.0.1#953
Jul 29 20:29:16 linode named[2873]: no longer listening on 127.0.0.1#53
Jul 29 20:29:16 linode named[2873]: no longer listening on 66.160.141.105#53
Jul 29 20:29:17 linode named[2873]: exiting
Jul 29 20:29:18 linode named: failed
After a restart it appeared to work...
Jul 29 20:29:41 linode named[31609]: starting BIND 9.2.4 -u named
Jul 29 20:29:41 linode named[31609]: using 4 CPUs
Jul 29 20:29:41 linode named[31609]: loading configuration from '/etc/named.conf'
etc...
The daemon seems to be responding properly to requests after this manual
start.
--
rgds
Stephen
Thanks!
On my C5 server:
# rpm -qa bind
bind-9.3.4-10.P1.el5_3.3
On my RHEL 5 server:
# rpm -qa bind
bind-9.3.4-10.P1.el5_3.1
# yum clean all
# yum update
Setting up Update Process
No Packages marked for Update
CentOS quicker than upstream? :-)
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Mobile: +45 22 12 53 25
Email: mk*******
Been watching the bind thing for a few days and waiting for my daily yum to
update.
Finally did it by hand and got an interesting message.
The python dependency killed my yum...lol. A quick look online and I see a
few thousand fedora and redhat issues with this python thing. Strange that
it is trying to install a package update only to find that package is not
there..... Yeesh
But was able to run yum update bind and get the issues resolved.
--> Running transaction check
---> Package python.x86_64 0:2.4.3-24.el5_3.6 set to be updated
--> Processing Dependency: /usr/lib64/python2.4 for package: libxslt-python
--> Processing Dependency: /usr/lib64/python2.4 for package: gamin-python
--> Processing Dependency: /usr/lib64/python2.4 for package: libxml2-python
--> Finished Dependency Resolution
libxslt-python-1.1.17-2.el5_2.2.x86_64 from installed has depsolving
problems
--> Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
libxml2-python-2.6.26-2.1.2.7.x86_64 from installed has depsolving problems
--> Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
gamin-python-0.1.7-8.el5.x86_64 from installed has depsolving problems
--> Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxslt-python-1.1.17-2.el5_2.2.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
libxml2-python-2.6.26-2.1.2.7.x86_64 (installed)
Error: Missing Dependency: /usr/lib64/python2.4 is needed by package
gamin-python-0.1.7-8.el5.x86_64 (installed)
yum clean all
financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany
Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany
Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach
Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender)
Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
I found that all three of my bind servers needed
yum clean all
yum update
to find the updates and install - no issues with py.
HTH rob
Try doing: yum clean all && yum update
That did it for me.
Thanks goes to John R. Dennison for the fix.
--
Benjamin Franz
The "fix" has been available for a long time:
https://rhn.redhat.com/errata/RHBA-2009-0440.html
I'm not sure that is the 'fix'. My systems were completely up-to-date as
of last week so I should not have had a problem with that. And yet I did.
--
Benjamin Franz
$ rpm -q yum-metadata-parser
yum-metadata-parser-1.1.2-3.el5
What do you have?
CentOS has not released this update.
$ rpm -q yum-metadata-parser
yum-metadata-parser-1.1.2-2.el5
Ah. That explains it.
--
Benjamin Franz
You can get it from here:
http://elrepo.org/linux/fasttrack/el5/
or you can wait for 5.4 to be released which will contain this update.
Hi All,
I am using a caching DNS server with Bind 9:
bind-utils-9.3.4-10.P1.el5_3.1
bind-9.3.4-10.P1.el5_3.1
bind-chroot-9.3.4-10.P1.el5_3.1
system-config-bind-4.0.3-2.el5.centos
bind-libs-9.3.4-10.P1.el5_3.1
I am getting this error:
named[22851]: mem.c:1061: REQUIRE((((ctx) != ((void *)0)) && (((const
isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 |
('C')))))) failed named[22851]: exiting (due to assertion failure)
Is this related to the above bug?
Thanks in advance
shprahi
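Two things in this thread are worth catching from syslog rather than by noticing a dead resolver: Stephen's update, where the init script logged `named: failed` and the daemon only came back after a manual start, and the `exiting (due to assertion failure)` line shprahi posted, which is the shape of every BIND assertion crash whatever its cause. The following is an added example, not from the thread and not part of BIND or CentOS: a small triage pass over constructed log lines modelled on the ones posted (hostnames, PIDs and the shortened REQUIRE text are made up). It reports init-script failures, pairs each assertion exit with the REQUIRE line that preceded it, and tracks whether a started named is still up at the end of the log.

```python
import re

# Patterns for the message forms seen in the thread (syslog prefix not matched).
INIT_FAIL_RE = re.compile(r" named: failed$")
START_RE = re.compile(r"named\[(\d+)\]: starting BIND (\S+)")
REQUIRE_RE = re.compile(r"named\[(\d+)\]: (\S+:\d+): REQUIRE\(")
ASSERT_RE = re.compile(r"named\[(\d+)\]: exiting \(due to assertion failure\)")
STOP_RE = re.compile(r"named\[(\d+)\]: exiting$")


def triage(log: str) -> dict:
    """Walk the log once and summarise named's lifecycle events."""
    report = {"init_failures": 0, "assertion_failures": [], "running_pid": None}
    last_require = {}  # pid -> source location of the most recent REQUIRE line
    for line in log.splitlines():
        if INIT_FAIL_RE.search(line):
            report["init_failures"] += 1
        elif m := START_RE.search(line):
            report["running_pid"] = int(m.group(1))
        elif m := REQUIRE_RE.search(line):
            last_require[int(m.group(1))] = m.group(2)
        elif m := ASSERT_RE.search(line):
            pid = int(m.group(1))
            report["assertion_failures"].append((pid, last_require.get(pid, "unknown")))
            if report["running_pid"] == pid:
                report["running_pid"] = None
        elif m := STOP_RE.search(line):
            if report["running_pid"] == int(m.group(1)):
                report["running_pid"] = None
    return report


def needs_attention(report: dict) -> bool:
    """True when named is not known to be running or has crashed on an assert."""
    return report["running_pid"] is None or bool(report["assertion_failures"])


# Constructed sample: a restart that fails, a manual start, then an assert crash.
SAMPLE_LOG = """\
Jul 29 20:29:15 ns1 named: succeeded
Jul 29 20:29:16 ns1 named[2873]: shutting down: flushing changes
Jul 29 20:29:16 ns1 named[2873]: no longer listening on 127.0.0.1#53
Jul 29 20:29:17 ns1 named[2873]: exiting
Jul 29 20:29:18 ns1 named: failed
Jul 29 20:29:41 ns1 named[31609]: starting BIND 9.2.4 -u named
Jul 29 20:29:41 ns1 named[31609]: loading configuration from '/etc/named.conf'
Jul 29 21:03:02 ns1 named[31609]: mem.c:1061: REQUIRE((ctx) != ((void *)0)) failed
Jul 29 21:03:02 ns1 named[31609]: exiting (due to assertion failure)
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r)
    print("needs attention:", needs_attention(r))
```

The REQUIRE location (file and line) is the thing to keep when asking whether a crash is the bug under discussion: the ISC advisory and the errata name the assertion they fix, and a different file and line is a different problem, which is the only honest answer to shprahi's question from the log alone. Running this after a package update, or feeding the same patterns to whatever log monitor is already in place, turns the "named: failed" case into an alert instead of a surprise.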
Thank you !