The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cve-2015-5477

Discussion in 'Security' started by Dakaix, Jul 30, 2015.

  1. Dakaix

    Dakaix Registered

    Joined:
    Mar 18, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Can someone from cPanel confirm when patches for the Critical BIND vulnerability (CVE-2015-5477) disclosed yesterday will be available in upcp?
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Patches to BIND come from the operating system vendor. Once they are available, upcp will install the new RPM from your system repository.
     
  3. carock

    carock Well-Known Member

    Joined:
    Sep 25, 2002
    Messages:
    232
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    St. Charles, MO
    The CentOS forum mentions, the only way to get this update is to use the cr repository (continuous release).

    https://www.centos.org/forums/viewtopic.php?f=17&t=53532

    CentOS describes this as a repository for any updates that will be included in the next point release i.e. 6.5 6.6 6.7 etc.

    http://wiki.centos.org/AdditionalResources/Repositories/CR

    I'm not sure if that means we can't get 9.8.2-0.37.rc1.el6_7.2 through a normal yum update eventually.

    For now, I'm thinking to be safe, though I should install from this cr repository.

    If I enable this repository, will that screw up the cPanel update process?

    I enabled it on a non cPanel server and yum went from no updates to...

    Install 12 Package(s)
    Upgrade 263 Package(s)

    and a new kernel

    So are all of these potentially missing security patches we can't get and if so, how bad will it mess with cPanel if we enable it?

    Thanks,
    Chuck
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,765
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Updates to Bind are provided by operating system vendors (e.g. CentOS, RedHat). You can find more information on this case at:

    https://access.redhat.com/security/cve/CVE-2015-5477

    You should be able to update Bind with your system package manager (YUM) when an update is made available by your OS vendor. The RPM change log will allow you to verify the patch has been applied. EX:

    Code:
    rpm -q --changelog bind | grep CVE-2015-5477
    In regards to the following quote:

    I advise against using the CentOS CR repository on a production machine. There's a higher potential for bugs because it's not tested as thoroughly as the full release.

    Thank you.
     
  5. carock

    carock Well-Known Member

    Joined:
    Sep 25, 2002
    Messages:
    232
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    St. Charles, MO
    Thank you, that is very clear. :)
     
  6. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    Would you consider it safe to enable CR repository, upgrade bind only, and then disable CR again?

    EDIT: This is for our cPanel DNS only servers
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,765
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I don't foresee any problems with this action if you are only updating the bind package. Feel free to let us know the outcome if you decide to proceed with this option.

    Thank you.
     
  8. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    Updated my three cPanel DNS Only servers like this;
    Code:
    # yum install centos-release-cr
    # yum-config-manager --enable cr
    # yum update bind
    # yum-config-manager --disable cr
    
    And then restarded named, don't know if this is actually needed but is quick:
    # /etc/init.d/named restart
    
    And check if applied:
    # rpm -q --changelog bind | grep CVE-2015-5477
    
    Tested a few lookups and I can't see anything wrong, but only run for a few minutes so can't really tell.
     
    internetfab likes this.
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,765
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Thank you for taking the time to provide the steps you used to temporarily enable the CentOS CR repo.
     
  10. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    No problem =)

    I saw that the rpms was updated on my regular cpanel servers yesterday, was that cloudlinux taking care or cpanel?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,765
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Are you referring to the BIND RPMs on a CentOS 6 server?

    Thank you.
     
  12. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Thanks weetabix! :)

     
  13. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    Indeed

    No problem, happy to help
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,765
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    That would have came from Cloud Linux, as cPanel does not manage system RPMs such as Bind.

    Thank you.
     
Loading...

Share This Page