topic Re: Bind Vulnerabilities in Operating System - HP-UX

Bind Vulnerabilities

Wes Kaufmann — Fri, 16 Feb 2001 18:55:13 GMT

Anyone know when HP will come out with Bind Fixes. It sure seems as though HP is running a bit slow on bind fixes. I don't like having to keep my bind servers in a vulnerable state for a month or so.

Because HP is running so slow I'm consdering compiling on 11 8.2.3 from isc. Anyone have any luck with it. How's 4.9.8?

Re: Bind Vulnerabilities

John Bolene — Fri, 16 Feb 2001 21:33:59 GMT

There was a story recently that both version 4 and 8 had a hole and that version 9 was the one to use.
There is a way to send update packets to these older versions that tell them to update their cached configurations without requiring a verified source. This allows an underhanded person to change the IP that the name resolves to until the cached entry expires.

Re: Bind Vulnerabilities

Mike Keighley — Mon, 19 Feb 2001 12:42:32 GMT

4.9.8 and 8.2.3 are both considered stable.
ALL previous versions of 4.X and 8.X have security holes.

9.1.0 is also available.

9.1.1rc2 is in beta.

refer to:
http://www.isc.org/products/BIND/
http://www.cert.org/advisories/CA-2001-02.html

Re: Bind Vulnerabilities

Wes Kaufmann — Mon, 19 Feb 2001 15:11:17 GMT

Thanks for the answer. I just noticed that bind9 is available at the HP software depot. Anyone have any exeriences with it? How big of a pain is it to convert from 8 to 9?

Re: Bind Vulnerabilities

Brian Hackley — Mon, 19 Feb 2001 19:13:28 GMT

Wes,
The BIND 9.1 distribution from HP is for HPUX 11i (11.11) only. HP is still in the process of preparing the patches for the fixes for 11.0 (8.1.2) and 10.20/11.0 (4.9.7). I would love to give you release dates for these patches, however this is not possible. Our past experience has been to announce patches for security issues at the time of patch release and not prior to that time. The most important reason for this that it is possible for last-minute holdups to occur, or testing problems to delay release. In that light, I'd recommend signing up for HP Security bulletins to receive notifications when the patches are made available.
I know this doesn't fully address the concerns and issues that you raised, but I hope it does help. Regards,
Brian Hackley

Re: Bind Vulnerabilities

Usman — Tue, 27 Feb 2001 05:07:10 GMT

We were running bind 4.9.7 on HP-UX 11.0. Instead of waiting for HP-UX patch, we have successfully installed ISC Bind 8.2.3. Our dns servers are now on production for about 2 weeks without any problem.

regards,
Usman

Re: Bind Vulnerabilities

Wes Kaufmann — Fri, 02 Mar 2001 19:09:28 GMT

We got all of our machines fixed today with the HP patch. We're happy campers for now that is until the next vulnerability comes out. I believe we are going to have to start compiling the ISC code since it makes everyone here to nervous to wait for a HP patch on something that is announced to the entire hacker world such as the CERT Bind announcement was. I probably had 15 scans hit our firewall looking for DNS servers.

Re: Bind Vulnerabilities

John Bolene — Fri, 02 Mar 2001 19:51:25 GMT

fyi, those patch numbers are

11.00: PHNE_23274 (BIND 4.9.7)
11.00: * (BIND 8.1.2)
11.11: PHNE_23275 (BIND 8.1.2)
11.04: PHNE_22919 (BIND 4.9.7)
10.20: PHNE_23277 (BIND 4.9.7)
10.24: PHNE_23439 (BIND 4.9.7)
10.10: PHNE_23277 (BIND 4.9.7)
10.01: PHNE_23277 (BIND 4.9.7)

* Note: If you have upgraded HP-UX 11.00 BIND to 8.1.2 via the WEB upgrade you need to upgrade with the latest version of the BIND package, 1.3 via the website below.

http://www.software.hp.com/products/DNS_BIND/index.html

Re: Bind Vulnerabilities

Bill Pontius — Tue, 08 May 2001 18:11:40 GMT

Very interestiinnnggg. HP came here to check web security and ran a Nessus Scan Report. It reported the need to upgrade to 8.2.3 or 4.9.8 and another case to 8.2.2-P5 or later. I checked with HP on the latest Bind and on 5/2/1 they emailed me that 10.20 Bind 4.9.7 with PHNE_23277 was the latest which we had. So I guess we are current while being 4-5 releases back.

Re: Bind Vulnerabilities

Wes Kaufmann — Fri, 24 Jun 2005 11:13:25 GMT

thanks