topic Re: HP Supported BIND Version in Operating System - HP-UX

HP Supported BIND Version

Kenneth Penland — Mon, 06 Aug 2007 12:22:01 GMT

It looks like BIND version 9.3.2 is the latest and greatest verion that is supported by HP currently. However there is a new CERT out that says that this version is vulnerable and to upgrade to at least 9.3.4-P1.
Does anyone know when HP will come out with a newer "supported" version?

Re: HP Supported BIND Version

Steven E. Protter — Mon, 06 Aug 2007 12:43:15 GMT

Shalom,

The HP supported version of BIND is provided by HP on http://software.hp.com

The site is down for me, but if you search for BIND, you will find it there.

HP does considerable testing on new releases to insure no negative impact on systems. They also have a mysterious (to me) method of deciding what releases to port and test.

If they decide to port and test its usually several months from when BIND is released and release of a new version of on the above site.

Critical security fixes are provided through binary release in some cases.

https://h30046.www3.hp.com/subprofile.php?SUBS=ITRC

You can sign up in the link above, which you may need to cut and paste into your browser.

If there is a binary response to this CERT, you will find it there.

Note also that unless you are exposed to the public Internet many CERT releases are important to deal with but need not be treated as production down emergencies.

SEP

Re: HP Supported BIND Version

Kenneth Penland — Mon, 06 Aug 2007 13:33:26 GMT

The vulnerability I am referring to is:
ISC Bind Remote Cache Poisoning Vulnerability (IAVA 2007-A-0039)

and I can't seem to find it anywhere on HP's site. Even the CERT itself does not refer to HP's site, but rather www.isc.org for an "unaffected version".

what my security folks are asking me for is a date when there will be an HP supported version available, so I need to know if/when a new version will be released?

Re: HP Supported BIND Version

A. Clay Stephenson — Mon, 06 Aug 2007 13:48:06 GMT

One option would be to download the source from www.isc.org and build it yourself. A lot can be said for getting the product directly from the horse's mouth --- and ISC has patches for BIND and DHCP before anyone else. These are some of the few products I actually prefer to build rather than using HP's binaries --- sometimes because the new features that I need are available nowhere else and because the security patches are available quickly. I've never had a problem with security auditors as long as a given version is displayed BUT if it must be a supported version, you can get support from ISC as well.

Re: HP Supported BIND Version

Pete Randall — Mon, 06 Aug 2007 13:49:31 GMT

That's a tough question for a user forum to answer when you're really looking for an official HP response.

Your only hope is that an HP person that is active on the Forums has an answer for you.

Pete

Re: HP Supported BIND Version

Kenneth Penland — Mon, 06 Aug 2007 14:37:27 GMT

True..True... Pete..but I guess I was hoping for an answer like: "here is a link to HP's estimated software release dates web page" or something like that.

Problem I run into is being a government agency, we get orders from up on high saying we must be secure, but those same people also say we must use "supported" software provided by HP.

Thanks for your thoughts, this looks like it is going to have to be left up to the management folks to figure out.

Re: HP Supported BIND Version

Sameer_Nirmal — Mon, 06 Aug 2007 15:32:00 GMT

As per the SECURITY BULLETIN published at

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01123426&dimid=1445121192&dicid=alr_aug07&jumpid=em_alerts/us/aug07/all/xbu/emailsubid/mrm/mcc/loc/rbu_category-HPSBUX02251SSRT071/alerts

it seems that the issue is addressed.

Re: HP Supported BIND Version

Kenneth Penland — Mon, 06 Aug 2007 16:24:52 GMT

sweet, thank you...that was a tough one to locate!