Security: BIND4 patching notes

From: Arrigo Triulzi (arrigo@albourne.com)
Date: Thu Nov 14 2002 - 05:49:26 EST


Dear all,

You might have by now been alerted to the latest BIND hole; in
particular, this one affects both BIND 4 and BIND 8. The CERT advisory
can be read at:

    http://www.cert.org/advisories/CA-2002-31.html

The patches are downloadable from:

    http://www.isc.org/products/BIND/patches/

and they cover both BIND 4.9.10 and BIND 8.3.3 & 8.2.6. The patched
BIND 4.9.10 is referred to as BIND 4.9.11.

A few notes for those needing to patch Tru64 Unix version 4.0{D,F,G}
(sorry, I do not run 5.x):

1) BIND 4.9.10 compiles just fine under Tru64 Unix 4.0{D,F,G} by
   editing the Makefile and using the compile options for OSF/1
   version 3.x and above.

2) The patch to 4.9.10 does _not_ work with the standard patch program
   as it is a "unidiff" and the version shipped with Tru64 does not
   know how to deal with it. One solution is to install GNU patch or
   alternatively patch under Linux and then ship the patched sources
   across.

3) The patch is not clean: you will either need to prune all the
   "Index:" lines by hand or enter the filenames to be patched by hand
   each time. This is made easier by the fact that the filename which
   cannot be found is printed two lines above the query for a
   filename... The -p flag is not the issue.

4) Do not (as I did) decide to comment out the #define DEBUG in
   conf/options.h. The resulting BIND will _not_ fork into the
   background.

5) You should edit /usr/sbin/ndc once installed to add

       -b /etc/namedb/named.boot

   to both the "start" and "restart" entries of the case statement.
   This makes it compatible with the default Tru64 file layout.

6) Note that /sbin/named is not overwritten - you need to either fix
   /sbin/init.d/named _or_ copy the new one from /usr/sbin in its
   place.

For those who wish to get the above rapidly you can download the
patched sources (note: not point 5 above) from:

        http://www.alchemistowl.org/arrigo/bind-4.9.11-osf1.tar.gz

All you need is "make && make install", then follow 5 & 6 above.

Arrigo

-- 
Arrigo Triulzi <arrigo@albourne.com>
Albourne Partners Ltd. - London, UK
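
For note 3 above, one way to prune the "Index:" lines without hand-editing, given as an added example that is not part of the original post. The function name walk_patch is an assumption, a POSIX awk (nawk or gawk) is assumed, and the script goes slightly beyond the note by also listing the files named on the "+++" headers so they can be checked before the patch is applied.

```shell
#!/bin/sh
# Added example, not from the original post. walk_patch is a made-up name.
#
# walk_patch MODE < patchfile
#   MODE=clean   : print the patch with header-level "Index:" lines removed
#   MODE=targets : print the file named on each "+++ " header, one per line
# Hunk bodies are tracked by counting down the line totals given in each
# "@@" header, so an added line that happens to start with "++ " (shown in
# the diff as "+++ ...") is never mistaken for a file header.
walk_patch() {
    awk -v mode="$1" '
    function count(range,   p, n) {       # "-12,7" -> 7 ; "-12" -> 1
        n = split(substr(range, 2), p, ",")
        return (n > 1) ? p[2] + 0 : 1
    }
    old > 0 || new > 0 {                  # inside a hunk body
        c = substr($0, 1, 1)
        if (c == "-") old--
        else if (c == "+") new--
        else if (c != "\\") { old--; new-- }   # context line
        if (mode == "clean") print
        next
    }
    /^@@ / { old = count($2); new = count($3) }
    /^Index:/ { next }                    # the lines note 3 says to prune
    substr($0, 1, 4) == "+++ " && mode == "targets" {
        split($0, f, /[ \t]/)             # "+++ path<TAB>date" -> path
        print f[2]
    }
    mode == "clean" { print }
    '
}

# Usage: sh prune-index.sh bind.diff > bind-clean.diff
# The list of files the patch will touch is written to stderr for review.
if [ $# -eq 1 ]; then
    walk_patch targets < "$1" >&2
    walk_patch clean < "$1"
fi
```

The cleaned file is then applied with GNU patch as described in note 2.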