  1. #1
    Member
    Join Date
    Jan 2002
    Location
    UK
    Posts
    248

    CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Res

    Does this affect our cpanel installs? If so, any idea when the update is going in (or has it already)?

    Cheers,
    Andy

  2. #2
    itf
    Member
    Join Date
    May 2002
    Posts
    626


    YES! Our Cpanel servers use BIND 9.2.1 which is vulnerable

    BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0) in the meantime
    Please use messengers to contact me:
    MSN: patrickay@msn.com
    AIM: PatrickITF

  3. #3
    Member
    Join Date
    Aug 2001
    Posts
    839


    Just keep "security updates" enabled within your panels........... (in the update section of WHManager)
    That's by far the most important, and you should never circumvent that no matter how much you think auto-updates are going to ruin your life.

    In this case, you only get daemon patches that defend your system against the latest exploits. The day that redhat constructs an rpm to patch an exploit, you can bet darkorb will have it in the rpmupdate that very night. And until an rpm is released, if not immediately, in most cases cpanel will release a patch (whatever procedure is required to secure the daemon without a version update), until the rpm or source is tangible to the public.

    That's been my experience, anyway.
    ..............................


    http://www.fastservers.net/

    travis@fastservers.net
    ..............................

  4. #4
    Member
    Join Date
    Jun 2002
    Posts
    78


    Yes, just got the SSH rpm update from layer2.cpanel.net

    This thing rocks

  5. #5
    itf
    Member
    Join Date
    May 2002
    Posts
    626


    Cpanel is one of the best; as "feanor" wrote, wait for the latest update from Red Hat, but if you are under attack you can install bind 8.3.3, which is not vulnerable.

    But if you are not, just wait.
    Please use messengers to contact me:
    MSN: patrickay@msn.com
    AIM: PatrickITF

  6. #6
    Member
    Join Date
    Jun 2002
    Posts
    78


    Looks like the attack has started :-(

    BIND is the worst open source software I have dealt with. So many vulnerabilities so often.

    I like tinydns. It rocks.

  7. #7
    Member
    Join Date
    Dec 2001
    Posts
    224


    Will running redhat "up2date" have problems with cpanel?
    www.tys.us
    TYS-HR Datacenter
    100% uptime power & feed
    Colocation/Dedicated/Managed

  8. #8
    Member
    Join Date
    Aug 2001
    Posts
    839


    That all depends how you fine tune the up2date config. If you go too far, you can begin updating packages that may actually affect your cpanel install, as the updates will come from redhat instead of cpanel's storehouse of packages they have deemed worthy to work with the cpanel software.

    I would recommend not using up2date on a cpanel machine so you don't CROSS the STREAMS
    (ghostbusters)

    But perhaps darkorb can answer this more explicitly?
    up2date does have its uses, it's just that cpanel already has a mechanism like this built in.
    ..............................


    http://www.fastservers.net/

    travis@fastservers.net
    ..............................

  9. #9
    Member
    Join Date
    Mar 2002
    Posts
    67


    Hi

    How could I know the auto update kicked off? It was turned off a couple of days, then I turned it on when I read about that ssh bug.

    And how do I do it manually, just in case?

  10. #10
    Member
    Join Date
    Dec 2001
    Posts
    224


    feanor, thanks
    www.tys.us
    TYS-HR Datacenter
    100% uptime power & feed
    Colocation/Dedicated/Managed

  11. #11
    cPanel Partner NOC
    Join Date
    Nov 2001
    Location
    San Clemente, Ca
    Posts
    703


    netgrek, you can make the updates run manually in the panel. Scroll down to the bottom area, or log in as root and run /scripts/sysup and /scripts/rpmup


    Bind is by far the worst, most buggiest service I think I have ever run into. It's ridiculous. We run tinydns on our main nameservers here at OC; it would be nice to see cpanel switch.
    Shaun Reitan
    NDCHost.com - cPlicensing.net - ProVPS.com
    Contact us for your cPanel Licensing needs! We Price Match, We provide Support, We take care of our customers!
