I am currently running Ubuntu 16.04.01 LTS with BIND 9.10.3-P4, which is the latest available version of BIND in the Ubuntu repositories. I was informed that the current version that I am running is vulnerable and we should update to BIND 9.10.4-P3 or later. Should I use the ISC version of BIND and remove the Ubuntu one?
0
- 9.10.4 is not mentioned in the changelog, or am I not looking correctly? – Zist Nov 18 '16 at 16:11
- What vulnerability are we talking about? CVE-2016-8864 is fixed in Ubuntu. – fkraiem Nov 18 '16 at 16:24
- The version of ISC BIND running on the remote name server is 9.9.x prior to 9.9.9-P3, 9.10.x prior to 9.10.4-P3, or 9.11.x prior to 9.11.0rc3. It is, therefore, affected by a denial of service vulnerability within file buffer.c due to improper construction of responses to crafted requests. An unauthenticated, remote attacker can exploit this, via a specially crafted query, to cause an assertion failure, resulting in a daemon exit. – Zist Nov 18 '16 at 16:29
1 Answer
2
The vulnerability you are referring to in the comments is CVE-2016-2776. It was fixed in Ubuntu 16.04 in version 1:9.10.3.dfsg.P4-8ubuntu1.1 of the BIND packages. You can check your installed version with dpkg -l | grep bind, and if you have at least that version, you can disregard the notice you received, as it does not apply to you.

fkraiem
- Thank you for your help. I'm currently running 1:9.10.3.dfsg.P4-8ubuntu1.2 – Zist Nov 18 '16 at 17:36