Re: CVE-2021-25216

2021-05-03 Thread Petr Menšík
Hello Jordan,

Red Hat has been building its BIND packages with the --disable-isc-spnego
configure parameter for years; all versions still somehow supported by
Red Hat are built with it. This means the mentioned issue should not
affect Red Hat packages. Please visit [1] to check affected versions.

Your version is still vulnerable to CVE-2021-25215 [2] [3], however, so an
upgrade to a fixed version is required anyway. But your BIND9 Kerberos
support should be fine as it is.

Best Regards,
Petr

1. https://access.redhat.com/security/cve/CVE-2021-25216
2. https://access.redhat.com/security/cve/CVE-2021-25215
3. https://bugzilla.redhat.com/show_bug.cgi?id=1953857

On 4/30/21 4:21 PM, Jordan Tinsley wrote:
> I have a question -
> 
> Is BIND 9.11.6 (Extended Support Version) vulnerable?
If this is a vanilla build without special parameters, it is most likely
vulnerable.
> 
> Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
> vulnerable?
This version is not vulnerable. Check named -V | grep
disable-isc-spnego; if it finds the string, it is not affected.
> 
> Thanks

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
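The check Petr describes (look for --disable-isc-spnego in named -V output, since a build with that flag has the ISC SPNEGO code compiled out) can be scripted across a fleet. The function below is an added example and not code from the thread or from ISC or Red Hat. It applies that rule and, for builds where SPNEGO is compiled in, additionally looks at named.conf for a GSS-TSIG configuration, because the CVE description limits the issue to servers "configured to use GSS-TSIG features"; it is an assumption of this example that such configuration shows up as a tkey-gssapi-keytab or tkey-gssapi-credential statement. The named -V and named.conf samples are constructed, with paths and ids abbreviated; the version range itself (9.5.0 to 9.11.29 as quoted in the thread) is not compared here.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Classify a BIND build for
# CVE-2021-25216 from `named -V` text plus the named.conf text.
# Rule from the thread: --disable-isc-spnego in the configure arguments
# means the affected SPNEGO code is not compiled in.

# Constructed `named -V` output for the Red Hat build (configure args trimmed).
sample_redhat() {
    cat <<'EOF'
BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
running on Linux x86_64
built by make with '--prefix=/usr' '--with-gssapi=yes' '--disable-isc-spnego'
compiled by GCC 4.8.5
EOF
}

# Constructed `named -V` output for a vanilla 9.11.6 build without the flag.
sample_vanilla() {
    cat <<'EOF'
BIND 9.11.6 (Extended Support Version)
running on Linux x86_64
built by make with '--prefix=/usr/local' '--with-gssapi=yes'
compiled by GCC 8.3.0
EOF
}

# Constructed named.conf fragment that turns on GSS-TSIG (assumption: the
# tkey-gssapi-keytab statement is what "configured to use GSS-TSIG" means).
sample_conf_gss() {
    cat <<'EOF'
options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/named.keytab";
};
EOF
}

# Constructed named.conf fragment with no GSS-TSIG statements at all.
sample_conf_plain() {
    cat <<'EOF'
options {
    directory "/var/named";
};
EOF
}

# classify_build NAMED_V_TEXT NAMED_CONF_TEXT
# Prints one of:
#   not-affected  SPNEGO compiled out (--disable-isc-spnego present)
#   affected      SPNEGO compiled in and GSS-TSIG configured
#   not-exposed   SPNEGO compiled in but no GSS-TSIG statement active
# A commented-out tkey-gssapi line (leading // or #) does not count.
classify_build() {
    if printf '%s\n' "$1" | grep -q -- '--disable-isc-spnego'; then
        echo not-affected
    elif printf '%s\n' "$2" | grep -Eq '^[[:space:]]*tkey-gssapi-(keytab|credential)'; then
        echo affected
    else
        echo not-exposed
    fi
}

# Stand-alone use: run the three constructed cases on a host without named.
# On a real host replace the samples with "$(named -V)" and
# "$(cat /etc/named.conf)".
classify_build "$(sample_redhat)" "$(sample_conf_gss)"
classify_build "$(sample_vanilla)" "$(sample_conf_gss)"
classify_build "$(sample_vanilla)" "$(sample_conf_plain)"
```

The first case reproduces Petr's answer for the el7 package (the flag is present, so the verdict is not-affected regardless of GSS-TSIG settings); the second is the vanilla 9.11.6 build with Kerberos updates enabled, which is the exposed combination; the third shows why the named.conf check matters, since a vulnerable build that never negotiates GSS-TSIG is not reachable through this bug.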


Re: CVE-2021-25216

2021-04-30 Thread @lbutlr
On 30 Apr 2021, at 08:21, Jordan Tinsley wrote:
> Is BIND 9.11.6 (Extended Support Version) vulnerable?
> 
> Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version) 
> vulnerable?

The CVE description indicates both of those versions are vulnerable.

"In BIND 9.5.0 -> 9.11.29 … configured to use GSS-TSIG features" is how the 
description starts. 


-- 
Wally: That's my nickname, "Waly" with one el.
Dilbert: Who calls you that?
Wally: Most people, they just don't realize it.

CVE-2021-25216

2021-04-30 Thread Jordan Tinsley
I have a question -

Is BIND 9.11.6 (Extended Support Version) vulnerable?

Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
vulnerable?

Thanks