BLSA-2017:0072 – [Important] bind security advisory and fix




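    Problem description

    BIND is a very widely used implementation of the DNS protocol; it is a DNS name resolution service suite developed and maintained by the University of California, Berkeley. Vulnerabilities were recently disclosed in how BIND handles TSIG authentication (CVE-2017-3143, CVE-2017-3142), and they affect system security. Given how widely bind is used, all users of affected products are advised to install the update provided by BCLinux.

    About BIND
    BIND is open-source DNS server software used for name resolution, developed and maintained by the University of California, Berkeley; its full name is Berkeley Internet Name Domain. It is currently the most widely used DNS server software in the world and supports the various Unix platforms and Windows. On Linux, the bind-utils package that ships with BIND provides DNS tools such as dig, host, nslookup and nsupdate, which can be used for name resolution and DNS debugging.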

    Affected versions

    • BigCloud Enterprise Linux 7
    • Red Hat Enterprise Linux 7
    • CentOS Linux 7

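    Details

    Security fixes

    • CVE-2017-3143 [Important]
      A flaw was found in the way BIND handles TSIG authentication for dynamic updates. A remote attacker able to communicate with the BIND server could use this flaw to manipulate the contents of a zone by forging a valid TSIG or SIG(0) signature for a dynamic update request.
    • CVE-2017-3142 [Moderate]
      A flaw was found in the way BIND handles TSIG authentication of AXFR requests. A remote attacker able to communicate with the BIND server could exploit it by sending a specially crafted request packet to view the entire contents of a zone.

    Bug fix

    • BZ#1459649
      ICANN plans to perform a root zone DNSSEC Key Signing Key (KSK) rollover during October 2017. The new root zone KSK has been added to keep the KSK up to date, ensuring that validating DNS resolvers continue to work after the rollover.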

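    Solution

    The official BCLinux repositories now provide the updated bind packages. Affected BCLinux client users need to upgrade to version 9.9.4-50.el7_3.1.x86_64.

    BCLinux users install the update as follows:
    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use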

    [root@BCLinux ~]# ll /etc/yum.repos.d/
    total 16
    -rw-r--r--. 1 root root 1127 Jan  7  2016 BCLinux-Base.repo
    -rw-r--r--. 1 root root  794 Jan  7  2016 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1153 Jan  7  2016 BCLinux-Source.repo
    -rw-r--r--. 1 root root  801 Jan  7  2016 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum update bind
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package bind.x86_64 32:9.9.4-38.el7_3.3 will be updated
    --> Processing Dependency: bind = 32:9.9.4-38.el7_3.3 for package: 32:bind-chroot-9.9.4-38.el7_3.3.x86_64
    --> Processing Dependency: bind = 32:9.9.4-38.el7_3.3 for package: 32:bind-pkcs11-9.9.4-38.el7_3.3.x86_64
    ---> Package bind.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Processing Dependency: bind-libs = 32:9.9.4-50.el7_3.1 for package: 32:bind-9.9.4-50.el7_3.1.x86_64
    --> Running transaction check
    ---> Package bind-chroot.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-chroot.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-libs.x86_64 32:9.9.4-38.el7_3.3 will be updated
    --> Processing Dependency: bind-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-sdb-9.9.4-38.el7_3.3.x86_64
    --> Processing Dependency: bind-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-pkcs11-libs-9.9.4-38.el7_3.3.x86_64
    --> Processing Dependency: bind-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-devel-9.9.4-38.el7_3.3.x86_64
    --> Processing Dependency: bind-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-utils-9.9.4-38.el7_3.3.x86_64
    ---> Package bind-libs.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Processing Dependency: bind-license = 32:9.9.4-50.el7_3.1 for package: 32:bind-libs-9.9.4-50.el7_3.1.x86_64
    ---> Package bind-pkcs11.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-pkcs11.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Running transaction check
    ---> Package bind-devel.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-devel.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-license.noarch 32:9.9.4-38.el7_3.3 will be updated
    --> Processing Dependency: bind-license = 32:9.9.4-38.el7_3.3 for package: 32:bind-libs-lite-9.9.4-38.el7_3.3.x86_64
    ---> Package bind-license.noarch 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-pkcs11-libs.x86_64 32:9.9.4-38.el7_3.3 will be updated
    --> Processing Dependency: bind-pkcs11-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-pkcs11-utils-9.9.4-38.el7_3.3.x86_64
    --> Processing Dependency: bind-pkcs11-libs = 32:9.9.4-38.el7_3.3 for package: 32:bind-pkcs11-devel-9.9.4-38.el7_3.3.x86_64
    ---> Package bind-pkcs11-libs.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-sdb.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-sdb.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-utils.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-utils.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Running transaction check
    ---> Package bind-libs-lite.x86_64 32:9.9.4-38.el7_3.3 will be updated
    --> Processing Dependency: bind-libs-lite = 32:9.9.4-38.el7_3.3 for package: 32:bind-lite-devel-9.9.4-38.el7_3.3.x86_64
    ---> Package bind-libs-lite.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-pkcs11-devel.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-pkcs11-devel.x86_64 32:9.9.4-50.el7_3.1 will be an update
    ---> Package bind-pkcs11-utils.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-pkcs11-utils.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Running transaction check
    ---> Package bind-lite-devel.x86_64 32:9.9.4-38.el7_3.3 will be updated
    ---> Package bind-lite-devel.x86_64 32:9.9.4-50.el7_3.1 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    =====================================================================================================================================
     Package                             Arch                     Version                                Repository                 Size
    =====================================================================================================================================
    Updating:
     bind                                x86_64                   32:9.9.4-50.el7_3.1                    updates                   1.8 M
    Updating for dependencies:
     bind-chroot                         x86_64                   32:9.9.4-50.el7_3.1                    updates                    85 k
     bind-devel                          x86_64                   32:9.9.4-50.el7_3.1                    updates                   395 k
     bind-libs                           x86_64                   32:9.9.4-50.el7_3.1                    updates                   1.0 M
     bind-libs-lite                      x86_64                   32:9.9.4-50.el7_3.1                    updates                   730 k
     bind-license                        noarch                   32:9.9.4-50.el7_3.1                    updates                    83 k
     bind-lite-devel                     x86_64                   32:9.9.4-50.el7_3.1                    updates                   305 k
     bind-pkcs11                         x86_64                   32:9.9.4-50.el7_3.1                    updates                   295 k
     bind-pkcs11-devel                   x86_64                   32:9.9.4-50.el7_3.1                    updates                   104 k
     bind-pkcs11-libs                    x86_64                   32:9.9.4-50.el7_3.1                    updates                   1.1 M
     bind-pkcs11-utils                   x86_64                   32:9.9.4-50.el7_3.1                    updates                   197 k
     bind-sdb                            x86_64                   32:9.9.4-50.el7_3.1                    updates                   351 k
     bind-utils                          x86_64                   32:9.9.4-50.el7_3.1                    updates                   202 k
    
    Transaction Summary
    =====================================================================================================================================
    Upgrade  1 Package (+12 Dependent packages)
    
    Total download size: 6.6 M
    Is this ok [y/d/N]: y
    

    4. Verify

    [root@BCLinux ~]# rpm -q bind
    bind-9.9.4-50.el7_3.1.x86_64
    

    5. Restart the application
    After installing the update packages, restart the application so that the update takes effect.
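
The step 4 check only looks at the `bind` package, while the update above replaces 13 `bind-*` packages. As an added example (not part of the original advisory), the script below compares every `rpm -q`-style package name against the fixed build 9.9.4-50.el7_3.1 named on this page. The function names, the simplified version comparison and the sample package list are assumptions made for illustration, and all packages are assumed to share the same epoch.

```shell
#!/usr/bin/env bash
# Added example: flag bind packages older than the advisory's fixed build.
FIXED_VR="9.9.4-50.el7_3.1"   # fixed version-release, taken from the advisory

# vercmp A B: print -1, 0 or 1. Simplified form of rpm's comparison: split into
# runs of digits or letters; digits compare numerically and outrank letters.
vercmp() {
  awk -v a="$1" -v b="$2" '
    function seg(s) {                 # pop the next digit-run or letter-run
      sub(/^[^A-Za-z0-9]+/, "", s)
      if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
        rest = substr(s, RLENGTH + 1); return substr(s, 1, RLENGTH)
      }
      rest = ""; return ""
    }
    BEGIN {
      for (;;) {
        x = seg(a); a = rest; y = seg(b); b = rest
        if (x == "" && y == "") { print 0; exit }
        if (x == "") { print -1; exit }
        if (y == "") { print 1; exit }
        xn = (x ~ /^[0-9]/); yn = (y ~ /^[0-9]/)
        if (xn != yn) { print (xn ? 1 : -1); exit }
        if (xn && x + 0 != y + 0) { print (x + 0 < y + 0 ? -1 : 1); exit }
        if (!xn && x != y) { print (x < y ? -1 : 1); exit }
      }
    }'
}

# check_pkg NAME-VERSION-RELEASE.ARCH (as printed by "rpm -q"): fixed|vulnerable
check_pkg() {
  local nvr name vr c
  nvr="${1%.*}"                       # strip ".arch"
  name="${nvr%-*-*}"                  # package name, e.g. bind-pkcs11-libs
  vr="${nvr#"$name"-}"                # version-release, e.g. 9.9.4-38.el7_3.3
  c=$(vercmp "${vr%-*}" "${FIXED_VR%-*}")                    # version first
  [ "$c" = 0 ] && c=$(vercmp "${vr##*-}" "${FIXED_VR##*-}")  # then release
  [ "$c" = -1 ] && echo vulnerable || echo fixed
}

# audit: read package names on stdin, print "<status> <package>" per line.
audit() {
  while read -r pkg; do
    [ -n "$pkg" ] && echo "$(check_pkg "$pkg") $pkg"
  done
  return 0
}

# Constructed sample; on a real host: rpm -qa 'bind*' | audit
printf '%s\n' bind-9.9.4-38.el7_3.3.x86_64 bind-libs-9.9.4-50.el7_3.1.x86_64 | audit
```

The release is compared segment by segment from the left, so the old `38.el7_3.3` build sorts below the fixed `50.el7_3.1` even though its trailing suffix is higher.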

    External links

    1. BCLinux security updates

