BIND vulnerability on Centos 6

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
faris
Long Time Forum Regular

Post by faris

I'm hesitant to post this, but just in case it helps someone:

The latest Bind vulnerability is quite annoying as it allows an attacker to remotely crash it.

For reasons that don't make much sense to me, there is currently no fixed version in the normal Centos 6 repos (this only applies to Centos 6 - not 5 or 7).

An easy way to obtain fixed packages for Centos 6 is via the Centos 6 CR repo.
( http://wiki.centos.org/AdditionalResour ... itories/CR )

# yum install centos-release-cr
# yum upgrade bind
# service named restart

( then disable the repo by editing /etc/yum.repos.d/CentOS-CR.repo to change enabled to 0 )

I know some people feel that you should always enable the CR repo, but I don't feel the same way:

"The continuous release (CR) repository makes generally available packages that will appear in the next point release of CentOS, on a testing and hotfix basis until formally released"
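The last step of the post above (changing enabled to 0 in /etc/yum.repos.d/CentOS-CR.repo) as a scripted edit that can be checked afterwards. This is an added example, not part of the original post; the function names are hypothetical and the section id [cr] is an assumption about that file's contents.

```shell
#!/bin/sh
# Added example: switch one section of a yum .repo file off (or on) and
# read the setting back, without touching any other section in the file.
# Assumption: the CR repo is defined under the section id [cr].

# set_repo_enabled FILE SECTION VALUE
# Leaves exactly one "enabled=VALUE" line inside [SECTION].
set_repo_enabled() {
    file=$1 section=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v val="$value" '
        # Append the key if the section ended without an enabled line.
        function flush() { if (in_sec && !done) print "enabled=" val }
        /^\[.*\]/ {
            flush()
            in_sec = ($0 == sec); done = 0
            print; next
        }
        in_sec && /^[ \t]*enabled[ \t]*=/ {
            if (!done) { print "enabled=" val; done = 1 }
            next    # drop any duplicate enabled lines in this section
        }
        { print }
        END { flush() }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file to keep its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_repo_enabled FILE SECTION
# Prints the section's enabled value; yum treats a missing key as 1.
# Exits with status 2 if the section does not exist.
get_repo_enabled() {
    awk -v sec="[$2]" '
        /^\[.*\]/ { in_sec = ($0 == sec); if (in_sec) found = 1; next }
        in_sec && /^[ \t]*enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { if (!found) exit 2; print (v == "" ? 1 : v) }
    ' "$1"
}

# On the host from the post, as root:
#   set_repo_enabled /etc/yum.repos.d/CentOS-CR.repo cr 0
#   get_repo_enabled /etc/yum.repos.d/CentOS-CR.repo cr
```

With the repo switched off this way, `yum --enablerepo=cr upgrade bind` still pulls a single package from CR on demand.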
prupert
Forum Regular

Re: BIND vulnerability on Centos 6

Post by prupert

If you use that argument against CR, you should definitely not use the Atomic or ASL repos. ;-)

I for one strongly recommend enabling CR permanently. They are certainly not test builds, and did pass major QA. Most CR packages are just waiting for the next point release. Right now the CR mostly holds builds of RHEL 6.7, because CentOS is still officially at 6.6. Simply said, CR is now the closest thing to RHEL 6.7 you can get with CentOS 6.6. (And it does not contain security fixes for bind alone; several other moderate or important security updates are in CR as well.)
scott
Atomicorp Staff - Site Admin

Re: BIND vulnerability on Centos 6

Post by scott

The "testing" nature of the CR repo is probably more legal. One of the things centos has to remove is the redhat trademarks; I'll bet those CR packages are in there because they haven't finished that part.