CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Res

andyf

Well-Known Member
Jan 7, 2002
Does this affect our cpanel installs? If so, any idea when the update is going in (or has it already)?

Cheers,
Andy
 

itf

Well-Known Member
May 9, 2002
YES! Our Cpanel servers use BIND 9.2.1 which is vulnerable

BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0) in the meantime
 

feanor

Well-Known Member
Aug 13, 2001
Just keep "security updates" enabled within your panels... (in the update section of WHManager)
That's by far the most important, and you should never circumvent that no matter how much you think auto-updates are going to ruin your life.

In this case, you only get daemon patches that defend your system against the latest exploits. The day that redhat constructs an rpm to patch an exploit, you can bet darkorb will have it in the rpmupdate that very night. And until an rpm is released, if not immediately, in most cases cpanel will release a patch (whatever procedure is required to secure the daemon without a version update), until the rpm or source is tangible to the public.

That's been my experience, anyway.
 

masood

Well-Known Member
Jun 14, 2002
Yes, just got the SSH rpm update from layer2.cpanel.net :p

This thing rocks :)
 

itf

Well-Known Member
May 9, 2002
Cpanel is one of the best; as "feanor" wrote, wait for the latest update from Red Hat, but if you are under attack you can install bind 8.3.3, which is not vulnerable

But if you are not, just wait ;)
 

masood

Well-Known Member
Jun 14, 2002
Looks like the attack has started :-(

BIND is the worst open source software I have dealt with. So many vulnerabilities so often.

I like tinydns. It rocks :p
 

feanor

Well-Known Member
Aug 13, 2001
That all depends how you fine tune the up2date config. If you go too far, you can begin updating packages that may actually affect your cpanel install, as the updates will come from redhat instead of cpanel's storehouse of packages they have deemed worthy to work with the cpanel software.

I would recommend not using up2date on a cpanel machine so you don't CROSS the STREAMS
(ghostbusters)

But perhaps darkorb can answer this more explicitly?
up2date does have its uses, it's just that cpanel already has a mechanism like this built in.
 

NetGeek

Well-Known Member
Mar 4, 2002
Hi

How could I know the auto update kicked off? It was turned off for a couple of days, then I turned it on when I read about that ssh bug.

And how do I do it manually, just in case?
 

shaun

Well-Known Member
Nov 9, 2001
NetGeek, you can make the updates run manually in the panel. Scroll down to the bottom area, or log in as root and run /scripts/sysup and /scripts/rpmup


Bind is by far the worst, buggiest service I think I have ever run into. It's ridiculous. We run tinydns on our main nameservers here at OC; it would be nice to see cpanel switch.