BIND version / vulnerability report

Hello all,

One of my customers did a vulnerability test on my server and he’s sent me a report containing several BIND issues, like:

  • “Obsolete ISC BIND installation: ISC BIND Versions 9.4-ESV-R5 or earlier are considered obsolete and will not receive any update from the supplier, even the most critical.”

My box is a CentOS 5.7, the reported BIND version is BIND version 9.3.6, under chroot /var/named/chroot.

I’ve updated every single package that was available last week, and on the System Information Page I don’t have any package available to update. So I’m pretty sure my system is up to date.

So, is it possible that BIND is not up to date? Or is it not showing the correct version? Either way, how do I show to my customer that the system is up to date?

Thank you

Rogerio

Howdy,

While the folks who produce BIND may not offer additional updates for that version – Red Hat and CentOS will backport security fixes into any of the software versions included in their distribution.

So, as long as you’re fully up to date with all the packages on your system (which you can do by running “yum update”), you should be in good shape!

-Eric
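
One way to back the point about backported fixes with evidence for the customer, as an added example that is not part of the original thread: the package changelog (`rpm -q --changelog bind` on the real host) typically names the CVE IDs each build addresses, so the scanner's IDs can be checked against it. The CVE IDs, changelog text and function names below are constructed placeholders.

```sh
#!/bin/sh
# Added example: compare CVE IDs from a scan report with a package changelog.
# On the real host, feed it with:  rpm -q --changelog bind | check_cves "<ids>"

# Constructed sample standing in for the rpm changelog output.
sample_changelog() {
    cat <<'EOF'
* Tue Jan 02 2001 Example Packager <packager@example.com> 9.3.6-0.example2
- backport upstream fix, resolves CVE-0000-0002
* Mon Jan 01 2001 Example Packager <packager@example.com> 9.3.6-0.example1
- fix for placeholder issue (CVE-0000-0001)
EOF
}

# Reads a changelog on stdin; $1 is a space-separated list of CVE IDs.
# Prints "<id> FIXED" or "<id> MISSING" per ID; returns 1 if any is missing.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in $1; do
        # -F: literal string, -w: whole token, so a shorter ID cannot
        # match inside a longer one.
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve FIXED"
        else
            echo "$cve MISSING"
            missing=1
        fi
    done
    return "$missing"
}

# Demo run against the constructed sample.
sample_changelog | check_cves "CVE-0000-0001 CVE-0000-0002 CVE-0000-0003"
```

An ID reported as MISSING is not proof of exposure; it means the changelog does not mention it and the distribution's advisory for that ID should be checked.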

Thanks Eric,

Is there a way to tell BIND not to show the version number, like we can do in Apache?

[]s

- Rogerio

Howdy,

I haven’t tried this before, but I did find this after a little Googling; it may do the trick for you:

http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html

Hi Eric,

I’ve done some searching as well, and I found out that what seems to be the best way is:

options {
    // Do not answer version.bind queries with the BIND version string
    version none;
};

Thank you

- Rogerio