07-29-2008, 03:54 PM
Mike C

Patch bind to plug Kaminsky DNS vulnerability for FC7?

Does anyone know if there is an easy way to fix bind (bind-chroot) running
in an old machine running FC7 so that it offers the same protection as
bind-chroot-9.5.0-28.P1.fc8
and
bind-9.5.0-33.P1.fc9.i386
??

Can one use the src rpm for F8 and re-configure it for FC7?

I guess there are still quite a lot of servers in use that are running
EOLed Fedoras.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
07-29-2008, 04:18 PM
Todd Zullinger

Mike C wrote:
> Does anyone know if there is an easy way to fix bind (bind-chroot)
> running in an old machine running FC7 so that it offers the same
> protection as
> bind-chroot-9.5.0-28.P1.fc8
> and
> bind-9.5.0-33.P1.fc9.i386
> ??
>
> Can one use the src rpm for F8 and re-configure it for FC7?

Sure, you should be able to rebuild the F-8 bind srpm or update bind
on F-7 to 9.4.2-P1.

Then you'll get to do it again soon for any other packages that have
security problems. IMO, your time would be better spent updating
those boxes to a supported release of Fedora (or RHEL or CentOS) --
unless you're already quite good at building packages and backporting
patches.

> I guess there are still quite a lot of servers in use that are
> running EOLed Fedoras.

That means a lot of admins get to see how much work is really involved
in keeping software up to date (or learn the joys of having their
boxes rooted).

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Formerly we suffered from crimes; now we suffer from laws.
-- Publius Cornelius Tacitus, Roman historian, AD 56 - c. 120

07-29-2008, 05:13 PM
Les Mikesell

Mike C wrote:
> Does anyone know if there is an easy way to fix bind (bind-chroot) running
> in an old machine running FC7 so that it offers the same protection as
> bind-chroot-9.5.0-28.P1.fc8
> and
> bind-9.5.0-33.P1.fc9.i386
> ??
>
> Can one use the src rpm for F8 and re-configure it for FC7?
>
> I guess there are still quite a lot of servers in use that are running
> EOLed Fedoras.


While you could probably patch every hole yourself with source builds or
rebuilding src rpms from newer fedora versions, you would be better off
not using Fedora if you can't or don't want to keep up with the upgrade
cycle, and fortunately there are distributions designed for that
situation. RHEL5 would be very similar if you want a version with paid
support or CentOS5 if you don't. Either will have several more years of
continuing update support. They aren't even such a bad choice for
desktop use now that the updates have brought OpenOffice and Firefox up
to near-current releases (an unusual move - most updates are just
backported bug/security fixes).


--
Les Mikesell
lesmikesell@gmail.com

07-29-2008, 07:19 PM
Mike

Les Mikesell <lesmikesell <at> gmail.com> writes:

> While you could probably patch every hole yourself with source builds or
> rebuilding src rpms from newer fedora versions, you would be better off
> not using Fedora if you can't or don't want to keep up with the upgrade
> cycle, and fortunately there are distributions designed for that
> situation. RHEL5 would be very similar if you want a version with paid
> support or CentOS5 if you don't. Either will have several more years of
> continuing update support. They aren't even such a bad choice for
> desktop use now that the updates have brought OpenOffice and Firefox up
> to near-current releases (an unusual move - most updates are just
> backported bug/security fixes).

Well all but one of the boxes under my control is more up to date but that
one is a laptop physically a long way from me and it will be a while before
I get a chance to have a day away to do the upgrade - I was just looking for
an interim measure....

Thanks anyway.




07-29-2008, 08:26 PM
"Mark Haney"

Les Mikesell wrote:
> Mike C wrote:
> > Can one use the src rpm for F8 and re-configure it for FC7?
>
> While you could probably patch every hole yourself with source builds
> or rebuilding src rpms from newer fedora versions, you would be better
> off not using Fedora if you can't or don't want to keep up with the
> upgrade cycle, and fortunately there are distributions designed for
> that situation. RHEL5 would be very similar if you want a version
> with paid support or CentOS5 if you don't. Either will have several
> more years of continuing update support. They aren't even such a bad
> choice for desktop use now that the updates have brought OpenOffice
> and Firefox up to near-current releases (an unusual move - most
> updates are just backported bug/security fixes).


Yes you can use the current F9 src rpm and build it for F7. I did the
same thing for FC6. As for Les' contention about the upgrade cycle,
while I generally agree in this respect I would like to add, if I COULD
upgrade my current FC6 system to something newer I would. But, I can't
because of this silly mkinitrd bug that is not allowing my Qlogic FC card
firmware to load on boot. With that said, I'm stuck as it were until
that's fixed. Sure, I could probably upgrade despite that, but I
won't. I have too much running on that system to manually unload/load
that blasted module after every reboot, even if I don't reboot it
often. It's a silly bug that should never be a problem.


So, in some cases it's not a matter of 'keeping up with the Fedora's',
it's a matter of other problems.


--
Mark Haney
mhaney@ercbroadband.org
Fedora release 9 (Sulphur)
Kernel: 2.6.25.10-86.fc9.i686 GNU/Linux

16:31:50 up 3 days, 6:20, 2 users, load average: 0.96, 0.77, 0.85



07-30-2008, 10:41 AM
Mike C

Mark Haney <mhaney <at> ercbroadband.org> writes:

> Yes you can use the current F9 src rpm and build it for F7. I did the
> same thing for FC6. As for Les' contention about the upgrade cycle,

Thanks Mark - having never done this kind of building before is there a
good easy to follow link to a guide explaining the basic steps?

I have had a brief look at
http://docs.fedoraproject.org/drafts/rpm-guide-en/
http://www.redhatmagazine.com/2007/12/04/hacking-rpms-with-rpmrebuild/
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/html/Para-Virtualized_Drivers/chap-Para-Virtualized_Drivers-Rebuilding_the_RPM_packages_from_source_code.html

But I don't seem to be able to apply these to the case of taking an F9
(s)rpm and rebuilding for fc7?

07-30-2008, 12:22 PM
John Austin

On Wed, 2008-07-30 at 10:41 +0000, Mike C wrote:
> Mark Haney <mhaney <at> ercbroadband.org> writes:
>
> > Yes you can use the current F9 src rpm and build it for F7. I did the
> > same thing for FC6. As for Les' contention about the upgrade cycle,
>
> Thanks Mark - having never done this kind of building before is there a
> good easy to follow link to a guide explaining the basic steps?
>
> I have had a brief look at
> http://docs.fedoraproject.org/drafts/rpm-guide-en/
> http://www.redhatmagazine.com/2007/12/04/hacking-rpms-with-rpmrebuild/
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/html/Para-Virtualized_Drivers/chap-Para-Virtualized_Drivers-Rebuilding_the_RPM_packages_from_source_code.html
>
> But I don't seem to be able to apply these to the case of taking an F9
> (s)rpm and rebuilding for fc7?
>
Hi

Please see below my notes to myself when doing the same for F5
Hope they help

John



tarifa hints_info 1003# cat bind_build_maui_F5

Downloaded latest bind source from
[updates-source]
name=Fedora $releasever - Updates Source
failovermethod=priority
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/updates/$releasever/SRPMS/
###############################################################
[root@maui ~]# yum install yum-utils rpmdevtools

As ja not root (I think !!??)

maui.jaa.org.uk ~ 1004# rpmdev-setuptree

rpm -i bind-9.5.0-33.P1.fc9.src.rpm
###############################################################
cd rpmbuild/SPECS
maui.jaa.org.uk SPECS 1015# rpmbuild -bb bind.spec
error: Failed build dependencies:
postgresql-devel is needed by bind-9.5.0-33.P1.i386
unixODBC-devel is needed by bind-9.5.0-33.P1.i386
###############################################################
As root again
yum install postgresql-devel
Installed: postgresql-devel.i386 0:8.1.9-1.fc5
Dependency Installed: postgresql.i386 0:8.1.9-1.fc5
Dependency Updated: postgresql-libs.i386 0:8.1.9-1.fc5

yum install unixODBC-devel
Installed: unixODBC-devel.i386 0:2.2.11-6.2.1
###############################################################
As ja
cd rpmbuild/SPECS
rpmbuild -bb bind.spec

Wrote: /home/ja/rpmbuild/RPMS/i386/bind-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-sdb-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-libs-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-utils-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-devel-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-chroot-9.5.0-33.P1.i386.rpm
Wrote: /home/ja/rpmbuild/RPMS/i386/bind-debuginfo-9.5.0-33.P1.i386.rpm

###############################################################
maui.jaa.org.uk SPECS 1018# rpm -qa|grep -i bind
ypbind-1.19-0.i386
bind-9.3.3-0.2.rc2.fc5.i386!!!!!!!!!!!!!!!!!!!!!!!!!!
system-config-bind-4.0.0-38_FC5.noarch
bind-utils-9.3.3-0.2.rc2.fc5.i386!!!!!!!!!!!!!!!!!!!!
bind-libs-9.3.3-0.2.rc2.fc5.i386!!!!!!!!!!!!!!!!!!!!!
bind-chroot-9.3.3-0.2.rc2.fc5.i386!!!!!!!!!!!!!!!!!!!
kdebindings-3.5.2-0.1.fc5.i386
###############################################################
As root
rpm -U bind-9.5.0-33.P1.i386.rpm bind-chroot-9.5.0-33.P1.i386.rpm bind-libs-9.5.0-33.P1.i386.rpm bind-utils-9.5.0-33.P1.i386.rpm



07-30-2008, 01:44 PM
Mike C

John Austin <ja <at> jaa.org.uk> writes:

> Please see below my notes to myself when doing the same for F5
> Hope they help
>
> John
Fantastic - thank you very much for this...


07-30-2008, 09:08 PM
Mike

John Austin <ja <at> jaa.org.uk> writes:

> Please see below my notes to myself when doing the same for F5
> Hope they help

Your notes were just spot on - I adapted and ran these steps on the FC7 box
that needed the change and it worked fine. The main difference was that
I had caching-nameserver running and that was a dependency that could not
be fulfilled since that rpm went obsolete well before F9 - so I simply
yum removed caching-nameserver, and then did yum localupdate --nogpgcheck
on the list of newly created rpms.

Once completed I noted that /etc/sysconfig/named had changed so I replaced
the old with the new one. Finally restarted named and it seems fine.

This basic technique may well be adaptable to other back ports for security
fixes in the future so I am particularly grateful for your help with this.

Thanks again.
Mike

07-30-2008, 11:37 PM
Todd Zullinger

Mike wrote:
> and then did yum localupdate --nogpgcheck on the list of newly
> created rpms.

If you'd like to not have to disable the gpg signature check, that's
only a few more steps (most of which only need to be done once).

# Generate a key
gpg --gen-key # the defaults for key type and size are fine.

# Tell rpm what key to use (replace the keyid [8218AC56] with the
# keyid or the email address of the key you just created).
echo '%_gpg_name 8218AC56' >> ~/.rpmmacros

# Export the key from gpg
gpg -a --export 8218ac56 > /tmp/rpm-gpg.asc

# Import the key to the rpm database (as root)
rpm --import /tmp/rpm-gpg.asc

# Whenever you (re)build a package, add --sign to the rpmbuild command
rpmbuild --rebuild --sign bind-9.5.0-33.P1.fc9.src.rpm

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Nothing is wrong with California that a rise in the ocean level
wouldn't cure.
-- Ross MacDonald (1915-1983)
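
Added example (not part of Todd's post or John's notes): a pre-install check that each rebuilt package is signed by the build key, so the install step from the rebuild procedure can run with the GPG check left on. The function names and the sample signature string are constructed, 8218AC56 is the placeholder key ID used in the post, and the "Key ID" text is assumed to be what rpm's `:pgpsig` query format prints.

```shell
#!/bin/sh
# Added example: verify rebuilt RPMs are signed by the local build key
# before installing them with the GPG check left enabled.

# sig_keyid STRING: print the lower-cased hex key ID found in an rpm
# ":pgpsig" string, e.g. (constructed)
#   "DSA/SHA1, Wed 30 Jul 2008 11:37:00 PM GMT, Key ID 0f1e2d3c8218ac56"
# Prints nothing for an unsigned package, where rpm prints "(none)".
sig_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,\}\).*/\1/p' |
        tr 'A-F' 'a-f'
}

# sig_matches STRING KEYID: succeed only if the signature's key ID ends
# with KEYID (case-insensitive). 8-hex short IDs can collide, so pass
# the full 16-hex ID where you have it.
sig_matches() {
    got=$(sig_keyid "$1")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ -n "$want" ] || return 1
    case "$got" in
        *"$want") return 0 ;;
        *) return 1 ;;
    esac
}

# check_rpms KEYID FILE...: report each package as OK or REJECT and
# return non-zero if any is unsigned or signed by another key.
check_rpms() {
    keyid=$1; shift; rc=0
    for f in "$@"; do
        sig=$(rpm -qp --qf '%{SIGGPG:pgpsig} %{SIGPGP:pgpsig}\n' "$f" 2>/dev/null) || sig=""
        if sig_matches "$sig" "$keyid"; then
            echo "OK      $f"
        else
            echo "REJECT  $f (${sig:-unreadable})"; rc=1
        fi
    done
    return $rc
}

# Usage, with the key ID from the post as the placeholder:
#   check_rpms 8218AC56 ~/rpmbuild/RPMS/i386/bind-*.rpm && echo "safe to install"
```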
