FS#22553 - critical vulnerabilities in BIND
Attached to Project:
Arch Linux
Opened by Geert Hendrickx (ghen) - Saturday, 22 January 2011, 18:04 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 24 January 2011, 12:31 GMT
Details
I know outdated packages should normally not be reported
this way, but I already flagged the BIND package as outdated
>7 weeks ago, and e-mailed the maintainer several times
(with patches)...
BIND 9.7.3-P2 has three *critical* vulnerabilities, addressed in BIND 9.7.3-P3, and ISC recommends upgrading *immediately* for certain setups: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

The diff to update is attached; it's trivial. I'm running this on an authoritative NS with no problems.
This task depends upon
Closed by Gaetan Bisson (vesath)
Monday, 24 January 2011, 12:31 GMT
Reason for closing: Fixed
Additional comments about closing: 9.7.2.P3-3 in [extra]
It really is a pile of crap, which is why it needs to be upgraded *immediately* almost every month; NSD is a much safer and lightweight alternative.
Anyway, since I will also be cleaning up the PKGBUILD, the package will maybe be released tomorrow or the day after.
But lots of people rely on BIND, so it really should be kept up-to-date wrt. security fixes.
Since I have changed lots of things (although it's mostly packaging cleanup), I'd appreciate if you could tell me whether it runs fine with your setup.
If there is no issue, I will move it to [extra].
I don't like all the chowning and chmodding in general, everybody's setup is different and your permissions/ownerships may not apply to others.
Also, I don't think daemons usually should have ownership of their own config files, just read access.
And particularly, with BIND and DNSSEC, many people keep their DNS keys inside /var/named, but unreadable for the named user (if they sign their zones with external tools, as root or another user). The chown -R makes them readable for the nameserver process, which poses a serious security risk!
The updated binaries work fine though.
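The check a DNSSEC operator would want after an upgrade like this, written here as an added example (it is not code from the bug report, the reporter, or the Arch BIND package): no K*.private key under the zone directory may be readable by the nameserver process. The directory layout, zone name and key file names are constructed for the demo; a real deployment uses chown to give zone files to root:named and keys to root, which an unprivileged demo cannot do, so the package's recursive chown is stood in for by a recursive chmod and only mode bits are inspected.

```sh
#!/bin/sh
# Added example, not from the bug report or the Arch BIND package. Checks that
# no DNSSEC private key in a zone directory is readable by the daemon's group
# or by others. Sample layout and names are constructed; real setups differ.
# Ownership (chown) is left out so the demo runs unprivileged.

set -u

# Print every DNSSEC private key under $1 whose group or other read bit is set.
# Output is empty when the directory is clean.
list_readable_keys() {
    # -perm -040: group-readable; -perm -004: world-readable (POSIX find)
    find "$1" -type f -name 'K*.private' \( -perm -040 -o -perm -004 \)
}

# Build a throwaway zone directory with constructed sample files, set up the
# way an operator who signs zones as root would leave it.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/dynamic"
    printf '$ORIGIN example.test.\n' > "$d/example.test.zone"
    printf 'Private-key-format: v1.3\n' > "$d/Kexample.test.+008+12345.private"
    printf 'example.test. IN DNSKEY 257 3 8 ...\n' > "$d/Kexample.test.+008+12345.key"
    chmod 640 "$d/example.test.zone"                  # daemon reads, cannot write
    chmod 600 "$d/Kexample.test.+008+12345.private"   # signing user only
    chmod 644 "$d/Kexample.test.+008+12345.key"       # public key, harmless
    echo "$d"
}

# What the old package did in effect: a recursive ownership/permission sweep
# over the whole directory, which also hands the private key to the daemon.
# (chmod -R g+r stands in for chown -R named:named here.)
apply_packaging_sweep() {
    chmod -R g+r "$1"
}

# What the reporter asked for: zone and config files stay read-only for the
# daemon, private keys stay 600, and only the directory the daemon must write
# to (journals, dynamic updates) is group-writable.
restrict_named_dir() {
    find "$1" -type f -name 'K*.private' -exec chmod 600 {} +
    find "$1" -type f -name '*.zone' -exec chmod 640 {} +
    chmod 770 "$1/dynamic"
}

# Stand-alone walk-through: clean, then exposed by the sweep, then fixed.
run_demo() {
    d=$(make_demo_dir)
    echo "before sweep: $(list_readable_keys "$d" | wc -l) readable private key(s)"
    apply_packaging_sweep "$d"
    echo "after sweep:  $(list_readable_keys "$d" | wc -l) readable private key(s)"
    restrict_named_dir "$d"
    echo "after fix:    $(list_readable_keys "$d" | wc -l) readable private key(s)"
    rm -rf "$d"
}
```

Source the file and call `run_demo` to see the three states, or run `list_readable_keys /var/named` (or whatever your zone directory is) after every package upgrade; any path it prints is a key the nameserver user can now read. Keeping the keys outside the directory the package touches at all is the simpler long-term answer.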
I'm building the new version right now: x86_64 is taking some time, but i686 is done; if your architecture is i686 I can send you the package right away, otherwise they'll both be in [testing] in an hour or so.
It is there now, please let me know if it works for you.
I made it not change any file permission on update.
Also root.hint, localhost.zone etc keep their original 640 root:named permissions now (I did not notice these problems since I'm not running it as a recursive resolver).
Thanks!