CVE-2015-5477
Can someone from cPanel confirm when patches for the Critical BIND vulnerability (CVE-2015-5477) disclosed yesterday will be available in upcp?
Patches to BIND come from the operating system vendor. Once they are available, upcp will install the new RPM from your system repository.
The CentOS forum mentions that the only way to get this update is to use the cr repository (continuous release). I'm not sure if that means we can't get 9.8.2-0.37.rc1.el6_7.2 through a normal yum update eventually. For now, I'm thinking that to be safe, though, I should install from this cr repository. If I enable this repository, will that screw up the cPanel update process?

I enabled it on a non-cPanel server and yum went from no updates to...

    Install 12 Package(s)
    Upgrade 263 Package(s)

and a new kernel.

So are all of these potentially missing security patches we can't get, and if so, how badly will it mess with cPanel if we enable it?

Thanks,
Chuck
Thank you, that is very clear. :-)
I advise against using the CentOS CR repository on a production machine. There's a higher potential for bugs because it's not tested as thoroughly as the full release.
Would you consider it safe to enable CR repository, upgrade bind only, and then disable CR again? EDIT: This is for our cPanel DNS only servers.
I don't foresee any problems with this action if you are only updating the bind package. Feel free to let us know the outcome if you decide to proceed with this option. Thank you.
Updated my three cPanel DNS Only servers like this:

    # yum install centos-release-cr
    # yum-config-manager --enable cr
    # yum update bind
    # yum-config-manager --disable cr

And then restarted named, don't know if this is actually needed but is quick:

    # /etc/init.d/named restart

And check if applied:

    # rpm -q --changelog bind | grep CVE-2015-5477

Tested a few lookups and I can't see anything wrong, but only ran for a few minutes so can't really tell.
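The changelog check and the restart question from the post above can be verified mechanically by comparing the time named started with the time the bind RPM was installed. This is an added example, not code from the thread or from cPanel; the function names (`changelog_has_fix`, `cr_still_enabled`, `verdict`, `live_check`) are hypothetical, and it assumes a CentOS 6 host with `pidof`, `rpm`, `ps`, `yum` and GNU `date`.

```shell
#!/bin/bash
# Added example (not from the thread): post-update checks for the bind
# package. All function names here are hypothetical.
CVE="CVE-2015-5477"

# Reads `rpm -q --changelog bind` text on stdin; succeeds if the fix is listed.
changelog_has_fix() { grep -q -- "$CVE"; }

# Reads `yum repolist enabled` text on stdin; succeeds if repo id "cr" is listed.
cr_still_enabled() {
    awk '$1 == "cr" || $1 ~ /^cr\// { found = 1 } END { exit !found }'
}

# verdict CHANGELOG_TEXT INSTALL_EPOCH NAMED_START_EPOCH
# Prints one of: vulnerable, restart-needed, patched-and-running.
verdict() {
    if ! printf '%s\n' "$1" | changelog_has_fix; then
        echo vulnerable
    elif [ "$3" -lt "$2" ]; then
        echo restart-needed      # named started before the fixed RPM was installed
    else
        echo patched-and-running
    fi
}

# Gathers the real values on the server; run the script with --live.
live_check() {
    local pid log installed started
    pid=$(pidof -s named) || { echo "named is not running" >&2; return 2; }
    log=$(rpm -q --changelog bind) || { echo "bind is not installed" >&2; return 2; }
    installed=$(rpm -q --qf '%{INSTALLTIME}\n' bind | sort -n | tail -n 1)
    started=$(date -d "$(ps -o lstart= -p "$pid")" +%s)
    verdict "$log" "$installed" "$started"
    if yum -q repolist enabled 2>/dev/null | cr_still_enabled; then
        echo "warning: cr repository is still enabled" >&2
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

A `restart-needed` result means the running named process predates the installed package, so it is still executing the old binary.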
Thank you for taking the time to provide the steps you used to temporarily enable the CentOS CR repo.
No problem =) I saw that the RPMs were updated on my regular cPanel servers yesterday, was that CloudLinux taking care or cPanel?
Are you referring to the BIND RPMs on a CentOS 6 server? Thank you.
Thanks weetabix! :)
> Are you referring to the BIND RPMs on a CentOS 6 server? Thank you.

Indeed

> Thanks weetabix! :)

No problem, happy to help
> I saw that the RPMs were updated on my regular cPanel servers yesterday, was that CloudLinux taking care or cPanel?

That would have come from Cloud Linux, as cPanel does not manage system RPMs such as Bind. Thank you.