Vulnerability BIND CVE-2018-5743

Posted: 2019/05/02 12:52:51
by benodilo
Hello,

A high-severity failure was posted on 24 April:
https://kb.isc.org/docs/cve-2018-5743

The last update seems really old:
rpm -q --changelog bind | less
* ven. nov. 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
- Fixes debug level comments (#1647539)

Doesn't the BIND package have backported security fixes?

Thanks for the help!

Best regards.

Re: Vulnerability BIND CVE-2018-5743

Posted: 2019/05/02 13:17:53
by TrevorH
If you're looking for a fix for CVE-2018-15473 then you'd do better looking at the openssh package since that is an openssh vulnerability not one in bind.

That's a low severity username exposure and is already fixed in the copy of openssh for CentOS 6. The update for 7 is not yet available and I suspect that it will be part of 7.7 if/when that arrives in due course (there's not even a RHEL 7.7 beta as yet).

Re: Vulnerability BIND CVE-2018-5743

Posted: 2019/05/02 13:20:09
by TrevorH
Meanwhile, once you remove the typos from the CVE id, you need to look at https://access.redhat.com/security/cve/cve-2018-5743 and its linked bugzilla entry. Now also corrected in the thread subject (previously it was CVE-2018-15473).

Re: Vulnerability BIND CVE-2018-5743

Posted: 2019/05/02 13:42:32
by benodilo
Sorry for subject error... :oops:
The subject is for BIND.

I'm a beginner at bug tracking; I read the bugzilla entry and I see a patch for higher versions but not for the current package, 9.9.4 (CentOS 7.6).

Do you think we will have an update?

Sorry again but I do not know the process of package updates... :D

Re: Vulnerability BIND CVE-2018-5743

Posted: 2019/05/02 14:50:41
by TrevorH
https://access.redhat.com/security/cve/cve-2018-5743 will change once there is a fix. At present there is a table in there with RHEL7 and 6 and 5 listed and 6+7 both say "Affected" and the other two say "Will not fix" because those are out of support. When RH release a fix for RHEL that page will change and where it says "Affected" now will point to an entry on the Redhat errata page listing the fix.

Once Redhat release the fixed version for RHEL then and only then will CentOS pick up the newly released source package and rebuild it for CentOS.

You might be able to use iptables rate limiting in the meantime to bypass the problem.
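As an added illustration of the stop-gap TrevorH mentions (example code, not from the thread or from the BIND project): a small script that generates and optionally applies iptables rules limiting new TCP connections to the DNS port per source address. The port (53/tcp), the default rate (10 new connections per second) and burst (20), the chain name, and the use of the hashlimit and conntrack matches are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the forum thread: per-source rate limiting of new
# TCP connections to the DNS port with iptables. Assumed values (not from the
# thread): port 53/tcp, 10 new connections/second per source, burst of 20.
DNS_PORT=53

# Accept only positive integers for the rate and burst arguments.
is_posint() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the iptables commands implementing the limit, one per line.
# $1 = per-source rate (new TCP connections/second), $2 = burst size.
# Excess connections are logged (so the hits are visible) and then dropped.
dns_tcp_ratelimit_rules() {
    rate="${1:-10}"; burst="${2:-20}"
    is_posint "$rate" && is_posint "$burst" || return 1
    cat <<EOF
iptables -N DNS_TCP_LIMIT
iptables -A DNS_TCP_LIMIT -m hashlimit --hashlimit-name dns_tcp --hashlimit-mode srcip --hashlimit-upto ${rate}/second --hashlimit-burst ${burst} -j RETURN
iptables -A DNS_TCP_LIMIT -j LOG --log-prefix "DNS_TCP_LIMIT " --log-level 4
iptables -A DNS_TCP_LIMIT -j DROP
iptables -I INPUT -p tcp --dport ${DNS_PORT} -m conntrack --ctstate NEW -j DNS_TCP_LIMIT
EOF
}

# Apply the generated rules; refuses to run if iptables is not installed.
apply_dns_tcp_ratelimit() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    dns_tcp_ratelimit_rules "$@" | sh -e
}
```

Run `dns_tcp_ratelimit_rules` first to review the rules, then `apply_dns_tcp_ratelimit` as root; the thresholds should be tuned to the server's legitimate TCP query volume, since a limit that is too low also drops real resolver traffic.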

Re: Vulnerability BIND CVE-2018-5743

Posted: 2019/05/03 07:47:13
by benodilo
Thank you very much for your comprehensive explanations and advice.

Have a nice day!