I am running Ubuntu Server 12.04.3 LTS with BIND 9.8.1-P1 and, to make sure I have the latest updates, I ran

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

This all worked fine, but I noticed that the Bind version is still 9.8.1-P1, and I have since found out that Ubuntu 12.04.3 has not released the latest recommended Bind version of 9.8.6-P1, or even 9.9.4-P1, to this Ubuntu release, as listed on:

https://www.isc.org/downloads/software-support-policy/bind-software-status/

Since there are security holes in this Bind version 9.8.1-P1, we are unable to pass PCI compliance:

DNS Server Recursive Query Cache Poisoning Weakness dns (53/udp) CVE-1999-0024 Medium 5.0 Fail

Solution: Upgrade Bind to version 9.9.4-P1

DNS Server Cache Snooping Remote Information Disclosure dns (53/udp) Medium, 5.0, Fail (The vulnerability is not included in the NVD)

Solution: Upgrade Bind to version 9.9.4-P1 and add the following line to the options section of named.conf: allow-recursion { internaldns; }; e.g. options { allow-query { internaldns; }; allow-recursion { internaldns; }; }; (This feature was introduced in Bind 9.4.) (http://fixunix.com/dns/496768-dns-cache-snooping.html)

So my question is: how do I upgrade to Bind version 9.9.4-P1, and is it safe to run that version on Ubuntu 12.04 LTS?

Braiam
Jeremy
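The cache-snooping finding quoted in the question comes down to who is allowed to recurse through the server. As an added example (not from the post, Ubuntu or ISC), here is a small Python check that classifies a named.conf's recursion exposure; the ACL name internaldns comes from the post, while the address ranges and the rest of the configuration are constructed.

```python
import re

# Constructed named.conf fragments. The first leaves recursion open to every
# client (recursion is on by default and nothing restricts it); the second
# limits recursion to the internaldns ACL named in the scanner's advice.
OPEN_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;            // BIND default
    allow-query { any; };
};
"""
RESTRICTED_CONF = """
acl internaldns { 127.0.0.1; 10.0.0.0/8; };   // constructed internal ranges
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { internaldns; };
};
"""

def _strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def _block(conf, name):
    """Return the body of the first `name { ... };` block, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", conf)
    if not m:
        return None
    start, depth = m.end() - 1, 0
    for j in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[j], 0)
        if depth == 0:
            return conf[start + 1:j]
    return None

def audit_recursion(conf):
    """'open' = any client may recurse (the snooping/poisoning exposure),
    'restricted' = limited to a defined ACL, 'disabled' = recursion off,
    'undefined-acl:<name>' = allow-recursion names an ACL that is not declared."""
    conf = _strip_comments(conf)
    opts = _block(conf, "options") or ""
    if re.search(r"(?<![\w-])recursion\s+no\s*;", opts):
        return "disabled"
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", opts)
    if not m:
        return "open"
    acls = set(re.findall(r"\bacl\s+(\S+)\s*\{", conf))
    builtin = {"localhost", "localnets", "none"}
    for entry in [t.strip() for t in m.group(1).split(";") if t.strip()]:
        if entry == "any":
            return "open"
        if not (entry in builtin or entry in acls or entry.startswith("!")
                or re.fullmatch(r"[0-9a-fA-F.:/]+", entry)):
            return "undefined-acl:" + entry
    return "restricted"

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, "->", audit_recursion(conf))
```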

3 Answers

I don't know if it is safe or not, but you should be able to upgrade by using this PPA for Bind. I would uninstall the old version and then install the new version from the PPA using the following commands.

sudo add-apt-repository ppa:malcscott/bind9.9
sudo apt-get update
sudo apt-get install bind9

The webpage for the Launchpad PPA is here.

Kenny Stier
You can download the later versions from

https://kb.isc.org/article/AA-01069/0/BIND-9.9.4-P1-Release-Notes.html

But you have to compile it yourself (which isn't terribly difficult, but it may be more than you have interest in doing).

I can't vouch for "safety", but if it compiles, that's a start. Try using a VPS you can throw away to do a trial run of compiling BEFORE you try it on your production machine. Digital Ocean has Ubuntu VPSes for less than 1 penny per minute ($5/mo, actually). Spend an hour trying it out on an Ubuntu VPS, and throw the VPS away when you're satisfied (or totally pissed off). You don't even have to spend $5!

GL

Xavier J
Ubuntu already applied those patches; actually, that CVE is quite old. "CVE-1999-0024" gives the year of the issue, which was 1999, before Ubuntu existed. Wherever you read that, it is lying to or misinforming you.

Ubuntu and Debian, and essentially everyone in the IT field, take security vulnerabilities very seriously (not really), especially those in open source. Security vulnerabilities get priority in the release cycle, and those fixes are upgraded by default daily for end users.

If you are running an updated version of Ubuntu, then you can be sure that specific vulnerability is fixed.

Braiam