
Bind Vulnerabilities

 
Wes Kaufmann
Super Advisor

Bind Vulnerabilities

Anyone know when HP will come out with Bind fixes? It sure seems as though HP is running a bit slow on bind fixes. I don't like having to keep my bind servers in a vulnerable state for a month or so.

Because HP is running so slow I'm considering compiling on 11 8.2.3 from isc. Anyone have any luck with it? How's 4.9.8?
John Bolene
Honored Contributor

Re: Bind Vulnerabilities

There was a story recently that both version 4 and 8 had a hole and that version 9 was the one to use.
There is a way to send update packets to these older versions that tell them to update their cached configurations without requiring a verified source. This allows an underhanded person to change the IP that the name resolves to until the cached entry expires.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Mike Keighley
Frequent Advisor

Re: Bind Vulnerabilities

4.9.8 and 8.2.3 are both considered stable.
ALL previous versions of 4.X and 8.X have security holes.

9.1.0 is also available.

9.1.1rc2 is in beta.

refer to:
http://www.isc.org/products/BIND/
http://www.cert.org/advisories/CA-2001-02.html
nil illegitimi root-andum
Wes Kaufmann
Super Advisor

Re: Bind Vulnerabilities

Thanks for the answer. I just noticed that bind9 is available at the HP software depot. Anyone have any experiences with it? How big of a pain is it to convert from 8 to 9?
Brian Hackley
Honored Contributor

Re: Bind Vulnerabilities

Wes,
The BIND 9.1 distribution from HP is for HPUX 11i (11.11) only. HP is still in the process of preparing the patches for the fixes for 11.0 (8.1.2) and 10.20/11.0 (4.9.7). I would love to give you release dates for these patches, however this is not possible. Our past experience has been to announce patches for security issues at the time of patch release and not prior to that time. The most important reason for this is that it is possible for last-minute holdups to occur, or testing problems to delay release. In that light, I'd recommend signing up for HP Security bulletins to receive notifications when the patches are made available.
I know this doesn't fully address the concerns and issues that you raised, but I hope it does help. Regards,
Brian Hackley
Ask me about telecommuting!
Usman
Advisor

Re: Bind Vulnerabilities

We were running bind 4.9.7 on HP-UX 11.0. Instead of waiting for the HP-UX patch, we have successfully installed ISC Bind 8.2.3. Our DNS servers have now been in production for about 2 weeks without any problem.

regards,
Usman
Wes Kaufmann
Super Advisor

Re: Bind Vulnerabilities

We got all of our machines fixed today with the HP patch. We're happy campers for now, that is, until the next vulnerability comes out. I believe we are going to have to start compiling the ISC code since it makes everyone here too nervous to wait for an HP patch on something that is announced to the entire hacker world such as the CERT Bind announcement was. I probably had 15 scans hit our firewall looking for DNS servers.
John Bolene
Honored Contributor
Solution

Re: Bind Vulnerabilities

fyi, those patch numbers are

11.00: PHNE_23274 (BIND 4.9.7)
11.00: * (BIND 8.1.2)
11.11: PHNE_23275 (BIND 8.1.2)
11.04: PHNE_22919 (BIND 4.9.7)
10.20: PHNE_23277 (BIND 4.9.7)
10.24: PHNE_23439 (BIND 4.9.7)
10.10: PHNE_23277 (BIND 4.9.7)
10.01: PHNE_23277 (BIND 4.9.7)

* Note: If you have upgraded HP-UX 11.00 BIND to 8.1.2 via the WEB upgrade you need to upgrade with the latest version of the BIND package, 1.3 via the website below.

http://www.software.hp.com/products/DNS_BIND/index.html
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Bill Pontius
Frequent Advisor

Re: Bind Vulnerabilities

Very interestiinnnggg. HP came here to check web security and ran a Nessus Scan Report. It reported the need to upgrade to 8.2.3 or 4.9.8 and another case to 8.2.2-P5 or later. I checked with HP on the latest Bind and on 5/2/1 they emailed me that 10.20 Bind 4.9.7 with PHNE_23277 was the latest which we had. So I guess we are current while being 4-5 releases back.
so let it be written so let it be done
Wes Kaufmann
Super Advisor

Re: Bind Vulnerabilities

thanks