Critical BIND Denial-of-Service Flaw Could Take Down DNS Servers
alphadogg writes: Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The vulnerability announced and patched by the Internet Systems Consortium is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
I noticed this on Google News yesterday - checked a CentOS 7 box to find that yum had installed the patch overnight on 7/28 and systemd had restarted named for me. Good work, everybody. Make sure your updates are working.
Oh, hai dollar-short Slashdot.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Patched updates rolled out long before /. reported it (shock, horror).
If Debian is any guide most distros have already done the same and anyone running unattended-updates for security patches has been updated for several days (25th).
A heads up for those running CentOS 6.6. This issue is not patched by default (because CentOS is in the midst of the transition from 6.6 to 6.7). Sysadmins using bog-standard CentOS 6.6 bind will need to enable the continuous release (CR) repository and update bind using that.
See the CentOS 6 Security Support forum post "CVE-2015-5477 patch for centos 6".
Wondering if this issue is serious enough to warrant the CentOS folk putting some patched bind rpms in the CentOS 6.6 updates repo? My guess is that a lot of people might miss the patch otherwise.
Don't you just long for the days when sendmail and bind would always be in the news because of some flaw or other? Heck, didn't we all run alternatives because sendmail and bind were so buggy...
How long has it been since we last had a BIND security issue...