US-CERT encourages users and administrators using the affected
versions of BIND to upgrade to BIND 9.7.3.

Optionally, one can wait on a backport.


  • Brunner, Brian T. at Feb 23, 2011 at 12:45 pm

    -----Original Message-----
    From: centos-bounces at centos.org
    [mailto:centos-bounces at centos.org] On Behalf Of Larry Vaden
    Sent: Wednesday, February 23, 2011 12:27 PM
    To: CentOS mailing list
    Subject: [CentOS] http://www.securityweek.com/high-severity-bind-vulnerability-advisory-issued

    US-CERT encourages users and administrators using the affected
    versions of BIND to upgrade to BIND 9.7.3.

    Optionally, one can wait on a backport.
    Optionally, start BIND with the parameter to restrict BIND to one thread
    (-n 1).
    This prevents the deadlock which, though fatal to BIND when it happens,
    is a remote probability.
  • Mark Roth at Feb 23, 2011 at 12:55 pm

    Larry Vaden wrote:
    US-CERT encourages users and administrators using the affected
    versions of BIND to upgrade to BIND 9.7.3.

    Optionally, one can wait on a backport.
    Larry, go away. You don't seem to contribute anything at all to the list,
    other than your obnoxiousness, and your desire to start flamewars, which
    presumably give you some kind of jollies.

    Yes, most of us saw this today on slashdot, if nowhere else. I would
    expect RH to have the fix out in a day or two, and CentOS to have it out
    the same day.

    mark
  • Digimer at Feb 23, 2011 at 1:07 pm

    On 02/23/2011 12:55 PM, m.roth at 5-cent.us wrote:
    Larry Vaden wrote:
    US-CERT encourages users and administrators using the affected
    versions of BIND to upgrade to BIND 9.7.3.

    Optionally, one can wait on a backport.
    Larry, go away. You don't seem to contribute anything at all to the list,
    other than your obnoxiousness, and your desire to start flamewars, which
    presumably give you some kind of jollies.

    Yes, most of us saw this today on slashdot, if nowhere else. I would
    expect RH to have the fix out in a day or two, and CentOS to have it out
    the same day.

    mark
    Mark,

    I don't want to raise the drama, so please don't take this wrong. In
    this case though, I do think that a warning on the ML about a security
    issue is justified. You can't be too careful.

    That said, Larry, your recent messages to the list have been
    problematic. Reactions like this to your messages should be a pretty
    clear indication that your messages have been less than contributing to
    the community. Take a step back and think about your posts until stress
    has diminished.

    Everyone else; I'll admit right off that I am just another user. That
    said, there are list admins. If there are issues with a given poster,
    please locate these admins and send a private email. This is equal parts
    effective and helps to keep the drama to a minimum.

    With this, I'll withdraw from this discussion.

    --
    Digimer
    E-Mail: digimer at alteeve.com
    AN!Whitepapers: http://alteeve.com
    Node Assassin: http://nodeassassin.org
  • James Hogarth at Feb 23, 2011 at 2:03 pm

    I don't want to raise the drama, so please don't take this wrong. In
    this case though, I do think that a warning on the ML about a security
    issue is justified. You can't be too careful.
    Except that this issue does not affect BIND in rhel and thus CentOS
    therefore making it yet more pointless drivel from the OP.

    He obviously has a fascination with the BIND version in rhel but after
    reading all his nonsense and looking at the texoma site I doubt it had
    anything to do with the alleged hack of his server.

    James
  • Always Learning at Feb 23, 2011 at 2:14 pm
    Many thanks to Markus Falb for publishing his excellent research - the
    same research that Larry could also have done.

    "This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6."

    James Hogarth wrote:
    He obviously has a fascination with the BIND version ...
    Larry doesn't. Larry is desperate to win 'approval' or 'praise' from
    others. He means well. Larry should seek help, confide in someone and
    unload all his problems privately and confidentially. Then he will be,
    and feel, a lot better.

    Great to know this list has good researchers like Markus Falb.


    With best regards,

    Paul.
    England,
    EU.
  • Larry Vaden at Feb 23, 2011 at 2:23 pm

    On Wed, Feb 23, 2011 at 1:14 PM, Always Learning wrote:
    Many thanks to Markus Falb for publishing his excellent research - the
    same research that Larry could also have done.

    "This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6."
    You are overlooking those on the list who are affected. Enuf said.
  • Always Learning at Feb 23, 2011 at 3:15 pm

    On Wed, 2011-02-23 at 13:23 -0600, Larry Vaden wrote:
    On Wed, Feb 23, 2011 at 1:14 PM, Always Learning wrote:

    Many thanks to Markus Falb for publishing his excellent research - the
    same research that Larry could also have done.

    "This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6."
    You are overlooking those on the list who are affected. Enuf said.
    Larry,

    I suspect the vast majority of Centos 5 users simply install Centos
    software. They do not routinely install non-Centos versions to replace
    Centos versions.

    This list is about Centos versions of software - hence its simple title,
    the "Centos Mailing List".

    If a user installs non-Centos versions of software it is for the user to
    take extra precautions in case of bugs affecting non-Centos software.

    If you had done the necessary research Centos users would not get
    alarmed at serious reports of dangerous bugs in Centos software. Your
    posting clearly inferred the dangers affected the Centos version which,
    it subsequently transpired, was untrue. I hope you can understand this
    point that there is a distinct difference between Centos application
    software and non-Centos application software running on the Centos
    operating system.


    With best regards,

    Paul.
    England,
    EU.
  • John Hinton at Feb 23, 2011 at 4:05 pm

    On 2/23/2011 2:23 PM, Larry Vaden wrote:
    On Wed, Feb 23, 2011 at 1:14 PM, Always Learning wrote:
    Many thanks to Markus Falb for publishing his excellent research - the
    same research that Larry could also have done.

    "This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6."
    You are overlooking those on the list who are affected. Enuf said.
    Larry,

    Did you get your broken nameserver(s) fixed? Or are you maybe just
    complaining here trying to get a new release out which more than likely
    will not fix your issue, but it is easier to blame CentOS than to look
    at your install? If so, you more than likely will be let down when you
    find there is no magic wand in a new update.

    That said... I personally believe that upstream provides a rather stock
    install of bind, perhaps meant more for an intranet than the internet?
    Bind just might be the single hardest part of running a webserver. But,
    I spent a number of days reading on hardening bind and then the testing
    and moving into production. Larry, have you done this?

    If texoma.net is one of the affected domains, I note that there are some
    problems with DNS for that domain. The 2 level3.net nameservers are not
    providing either full or maybe correct information. If this is the case
    for other domain you manage, this is a serious problem and as DNS can be
    rather finicky, might be the root of your entire perceived problem.

    And, if you think you had an injection, please do some googling on
    hardening bind. There is a lot of good information out there. To me,
    this is what is needed today and is well beyond a standard bind
    installation done by CentOS.

    If in fact texoma.net is an example of the problem with all of the
    domains under your control, please fix your own house and quit
    complaining here until you have cleaned up things on your end. What I
    see has 0 to do with the bind version on CentOS. In fact, if you don't
    fix this before an upgrade, you may have a larger mess afterwards.

    I don't envy the task as I know very well that this is not easy.
    Alternatively, maybe you should consider using a service such as
    dnsmadeeasy... although they recently experienced a significant downtime
    themselves due to a huge DoS attack coming in from all over the world.

    Is it possibly a bit hypocritical to complain about other people's
    houses being dirty when you live in a dirty house yourself?

    Best,
    John Hinton
  • Larry Vaden at Feb 23, 2011 at 2:21 pm

    On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth wrote:
    Except that this issue does not affect BIND in rhel and thus CentOS
    therefore making it yet more pointless drivel from the OP.
    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.

    On the one hand, you have Paul Vixie and crew (authors of BIND) and
    US-CERT saying "US-CERT encourages users and administrators using the
    affected versions of BIND to upgrade to BIND 9.7.3." On the other
    hand, you have "don't bother me with reality, I'm comfortable, am not
    affected and don't want to read messages to those who are affected."

    Wisdom from a top security manager at Internet2 was presented on this
    list. Ignore his advice all you want.
  • Eero Volotinen at Feb 23, 2011 at 2:25 pm

    2011/2/23 Larry Vaden <vaden at texoma.net>:
    On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth wrote:

    Except that this issue does not affect BIND in rhel and thus CentOS
    therefore making it yet more pointless drivel from the OP.
    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.
    It is not wise to install packages from sources because it messes the package
    management.

    --
    Eero
  • Larry Vaden at Feb 23, 2011 at 2:34 pm

    On Wed, Feb 23, 2011 at 1:25 PM, Eero Volotinen wrote:
    It is not wise to install packages from sources because it messes the package
    management.
    Agreed; that is why folks like Jeff Johnson and John Stanley share
    their knowledge about how to do it such that your outcome doesn't
    occur.
  • Trutwin, Joshua at Feb 23, 2011 at 2:28 pm

    Please take off the blinders and realize there are lots of folks (some x% of a
    million or more) on this list who compile from current source in order to
    minimize their risks and are therefore the subject audience.

    On the one hand, you have Paul Vixie and crew (authors of BIND) and
    US-CERT saying "US-CERT encourages users and administrators using the
    affected versions of BIND to upgrade to BIND 9.7.3." On the other hand, you
    have "don't bother me with reality, I'm comfortable, am not affected and
    don't want to read messages to those who are affected."
    I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported? So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?

    And yeah I suppose rolling your own is always an option but in my experience it's too easy to get behind. This seems more like a Slackware approach tho, nothing against Slack of course!

    Josh
  • Keith Keller at Feb 23, 2011 at 3:17 pm
    On Wed, Feb 23, 2011 at 07:28:15PM +0000, Trutwin, Joshua wrote:

    [ > Larry Vaden wrote: (please don't snip attributions)]
    Please take off the blinders and realize there are lots of folks (some x% of a
    million or more) on this list who compile from current source in order to
    minimize their risks and are therefore the subject audience.
    If they have compiled from source then it is by definition not a CentOS
    issue.
    On the one hand, you have Paul Vixie and crew (authors of BIND) and
    US-CERT saying "US-CERT encourages users and administrators using the
    affected versions of BIND to upgrade to BIND 9.7.3."
    Anyone running a CentOS-provided version of BIND is not using an
    affected version.
    On the other hand, you
    have "don't bother me with reality, I'm comfortable, am not affected and
    don't want to read messages to those who are affected."
    Those messages are offtopic on this mailing list, so I sympathize with
    people who have the attitude you describe. Someone who had more
    credibility with the list might be able to post offtopic messages (which
    they would have marked [OT]) without causing a flamewar.
    I've only been subscribed here a week and this topic seems very heated, so sorry if this stirs the pot up again, but don't patches for these things get back-ported? So even if you're running bind v9.5.1 on CentOS/upstream 4/5.x you'd still have security fixes like those in this article backported right?
    If you're running BIND 9.5.1, you are not susceptible to the bug that
    Larry posted at all. In general, security bugs that are applicable to
    RHEL packages are patched upstream then rebuilt and released by CentOS.
    And yeah I suppose rolling your own is always an option but in my experience it's too easy to get behind. This seems more like a Slackware approach tho, nothing against Slack of course!
    Rolling one's own is an option for any distribution, including CentOS.
    But rolling one's own by definition removes those packages from the
    support stream for that distro, so should be taken into consideration
    when deciding whether to roll one's own or not.

    --keith


    --
    kkeller at wombat.san-francisco.ca.us

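The question running through this thread is whether the named you operate is the CentOS package (which, per the bugzilla quote, was not affected and in any case receives backported fixes) or a source build that has to track upstream's 9.7.3 itself, as Keith Keller's reply above and Brian Brunner's single-thread note earlier both turn on. The POSIX shell script below is an added example, not code from the thread, from CentOS or from ISC: it parses the `named -v` banner, and for a source build compares the version against 9.7.3; for a vendor package it deliberately reports "consult the vendor advisory" instead of trusting the upstream version number, which is exactly the mistake the thread is arguing about. The sample banners are constructed; `named_origin` decides package ownership with `rpm -qf` and only means something on a live RPM-based host.

```shell
#!/bin/sh
# Added example: classify a running BIND as vendor-packaged or source-built
# and decide what "upgrade to 9.7.3" means for it.

# Extract "a.b.c" from a `named -v` banner such as "BIND 9.7.2-P3" or the
# constructed RHEL-style "BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5".
bind_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when dotted version $1 is numerically below dotted version $2.
# A plain string comparison would get 9.10.0 < 9.7.3 wrong, hence the split.
version_lt() {
    vl_a1=${1%%.*}; vl_r=${1#*.}; vl_a2=${vl_r%%.*}; vl_a3=${vl_r#*.}
    vl_b1=${2%%.*}; vl_r=${2#*.}; vl_b2=${vl_r%%.*}; vl_b3=${vl_r#*.}
    [ "$vl_a1" -lt "$vl_b1" ] && return 0
    [ "$vl_a1" -gt "$vl_b1" ] && return 1
    [ "$vl_a2" -lt "$vl_b2" ] && return 0
    [ "$vl_a2" -gt "$vl_b2" ] && return 1
    [ "$vl_a3" -lt "$vl_b3" ]
}

# Print one action token for banner $1 given origin $2 ("packaged"/"source"):
#   vendor-advisory  packaged build: fixes are backported, so the upstream
#                    version number says nothing; read the vendor's advisory
#   upgrade          source build below 9.7.3, the release US-CERT points to
#   ok               source build at or above 9.7.3
#   unknown          banner not recognised
named_action() {
    na_ver=$(bind_version_from_banner "$1")
    if [ -z "$na_ver" ]; then
        echo unknown
    elif [ "$2" = packaged ]; then
        echo vendor-advisory
    elif version_lt "$na_ver" 9.7.3; then
        echo upgrade
    else
        echo ok
    fi
}

# On a live RPM-based host: "packaged" if the named binary is owned by an RPM,
# "source" otherwise. Assumes rpm is installed; not exercised by the tests.
named_origin() {
    no_bin=$(command -v named 2>/dev/null) || { echo unknown; return 0; }
    if rpm -qf "$no_bin" >/dev/null 2>&1; then echo packaged; else echo source; fi
}

# Stand-alone demonstration on constructed banners.
for sample in "BIND 9.7.2-P3|source" "BIND 9.7.3|source" \
              "BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5|packaged"; do
    banner=${sample%|*}; origin=${sample#*|}
    printf '%-40s %-9s -> %s\n' "$banner" "$origin" "$(named_action "$banner" "$origin")"
done
```

On a real host the call is `named_action "$(named -v)" "$(named_origin)"`. If you do run a source build and want Brian Brunner's interim workaround, the CentOS 5/6 init script reads extra daemon arguments from the OPTIONS line of /etc/sysconfig/named, so `OPTIONS="-n 1"` followed by a restart of named is where that flag goes; the thread's conclusion is that the packaged build needed neither the flag nor the upgrade.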
  • Les Mikesell at Feb 23, 2011 at 2:34 pm

    On 2/23/2011 1:21 PM, Larry Vaden wrote:
    On Wed, Feb 23, 2011 at 1:03 PM, James Hogarth wrote:
    Except that this issue does not affect BIND in rhel and thus CentOS
    therefore making it yet more pointless drivel from the OP.
    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.
    Someone who thinks they can do things better themselves than RH does it
    probably isn't going to take advice from a random mail list poster. And
    when you compile your own source you take on the responsibility of
    tracking updates yourself.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • R P Herrold at Feb 23, 2011 at 3:43 pm

    On Wed, 23 Feb 2011, Larry Vaden wrote:

    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.
    and it is on topic in this venue, just how? You might as well
    exhort:

    - Look both ways before crossing the street

    - Always buckle your seatbelt

    - Never use an ISP that requires providing sufficient personal
    information as needed to facilitate identity theft [1]; and
    solicits credit card information without any indication of PCI/CISP
    controls or privacy policy [2]

    Mailman provides for 'per poster' moderation. It's time here,
    I think

    -- Russ herrold

    1. http://www.texoma.net/it/pricing.html
    "All suscribers [sic] must supply their choice of
    social security or driver's license number for unique
    identification within our accounting system"
    2. https://secure.texoma.net/make_payment.php
  • Mark Roth at Feb 23, 2011 at 3:46 pm

    R P Herrold wrote:
    On Wed, 23 Feb 2011, Larry Vaden wrote:

    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.
    and it is on topic in this venue, just how? You might as well
    exhort: <snip>
    Mailman provides for 'per poster' moderation. It's time here,
    I think
    Moderator - here's a second vote to moderate Larry *out*.

    mark
  • Larry Vaden at Feb 23, 2011 at 4:11 pm

    On Wed, Feb 23, 2011 at 2:43 PM, R P Herrold wrote:
    - Never use an ISP that requires providing sufficient personal
    information as needed to facilitate identity theft [1]; and
    solicits credit card information without any indication of PCI/CISP
    controls or privacy policy [2]
    Thanks for the constructive criticism. The pricing page has been taken
    down until it can be updated. The language is from 1995.

    Wrt the payment mechanism, that will take longer to fix, but we will fix it.

    We will also look at BCPs wrt privacy.

    Again, thanks for the constructive criticism.
  • Kai Schaetzl at Feb 23, 2011 at 4:31 pm

    Larry Vaden wrote on Wed, 23 Feb 2011 13:21:23 -0600:

    Please take off the blinders and realize there are lots of folks (some
    x% of a million or more) on this list who compile from current source
    in order to minimize their risks and are therefore the subject
    audience.
    Nonsense, there is no "minimization of risk" by doing so.

    Please don't argue about the worthiness of your information. It's been
    said to you time and again that most here do not wish to see that kind of
    "information". Thanks.

    Kai
  • Markus Falb at Feb 23, 2011 at 1:07 pm

    On 23.2.2011 18:27, Larry Vaden wrote:
    US-CERT encourages users and administrators using the affected
    versions of BIND to upgrade to BIND 9.7.3.

    Optionally, one can wait on a backport.
    Ahhh!

    Have a look at the relevant bugzilla ticket at
    https://bugzilla.redhat.com/show_bug.cgi?idg9496
    and read

    ...snip
    This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6.
    snap...

    --
    Best Regards, Markus Falb

  • James B. Byrne at Feb 24, 2011 at 12:48 pm

    On Wed, February 23, 2011 13:07, Markus Falb wrote:
    On 23.2.2011 18:27, Larry Vaden wrote:
    US-CERT encourages users and administrators using the affected
    versions of BIND to upgrade to BIND 9.7.3.

    Optionally, one can wait on a backport.
    Ahhh!

    Have a look at the relevant bugzilla ticket at
    https://bugzilla.redhat.com/show_bug.cgi?idg9496
    and read

    ...snip
    This issue did not affect the versions of bind as shipped with
    Red Hat Enterprise Linux 4, 5, or 6.
    snap...

    I guess this is what you get when you settle for an
    'enterprisey' distro. Dated software that somebody else got to find
    the bugs in. Poor chaps.



    --
    *** E-Mail is NOT a SECURE channel ***
    James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
    Harte & Lyne Limited http://www.harte-lyne.ca
    9 Brockley Drive vox: +1 905 561 1241
    Hamilton, Ontario fax: +1 905 561 0757
    Canada L8E 3C3

Discussion Overview
group: centos @
categories: centos
posted: Feb 23, '11 at 12:27p
active: Feb 24, '11 at 12:48p
posts: 21
users: 15
website: centos.org
irc: #centos