Hello Jordan,
Red Hat have been building their BIND packages with --disable-isc-spnego
configure parameter for years, all versions still somehow supported by
Red Hat are built with them. This means the mentioned issue should not
affect Red Hat packages. Please visit [1] to check affected versions.
Your version is still vulnerable to CVE-2021-25215 [2] [3] however,
upgrade to a fixed version is required anyway. But your BIND9 kerberos
support should be fine as it is.
Best Regards,
Petr
1. https://access.redhat.com/security/cve/CVE-2021-25216
2. https://access.redhat.com/security/cve/CVE-2021-25215
3. https://bugzilla.redhat.com/show_bug.cgi?id=1953857
On 4/30/21 4:21 PM, Jordan Tinsley wrote:
> I have a question -
>
> Is BIND 9.11.6 (Extended Support Version) vulnerable?
If this is vanilla build without special parameters, it is most likely
vulnerable.
>
> Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version)
> vulnerable?
This version is not vulnerable. Check named -V | grep
disable-isc-spnego, if it finds the string, it is not affected.
>
> Thanks
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
OpenPGP_signature
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users