I’d like to know if the present version of Bind in CentOS 6 (bind-9.8.2-0.47.rc1.el6_8.1.x86_64) is vulnerable to CVE-2016-2776.
According to https://www.isc.org/downloads/, version 9.8.x is End-of-Life (EOL) as of Sep 2014.
https://access.redhat.com/security/cve/cve-2016-2776 check versions against CentOS package numbers :)
2016-10-17 8:28 GMT+03:00 マスターズ イアン :
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
Red Hat continues to maintain their own fork of 9.8 for EL6, and this RHSA https://rhn.redhat.com/errata/RHSA-2016-1944.html says that version of bind you mention does indeed include the fix to that CVE. CentOS is built from the same SRPMs.
john r pierce, recycling bits in santa cruz
Querying the current bind-libs changelog shows the CVE has been addressed in the current version.
rpm -q --changelog bind-libs | grep CVE-2016-2776
- Fix CVE-2016-2776
Thanks for all the replies, especially the one with the rpm -q command in it (thanks Phil). I didn’t know you could do that with rpm. Very useful indeed.
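The changelog check from the thread can be extended to report which package build carries the backported fix, so it can be compared with the installed package number. This is an added example, not part of the original thread; the function names and the sample changelog (dates, packager, version strings) are constructed for illustration.

```shell
#!/bin/sh
# Read an RPM changelog on stdin and print the version-release of the
# oldest entry that mentions the given CVE (changelogs are newest-first).
# Exit status: 0 = found, 1 = not mentioned, 2 = malformed CVE id.
cve_fixed_in() {
    cve=$1
    printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    awk -v cve="$cve" '
        # Entry header: "* <date> <packager> - <version-release>"
        /^\* / { ver = $NF }
        # Require a non-digit (or end of line) after the id so that
        # CVE-2016-2776 does not match a longer id such as CVE-2016-27760.
        $0 ~ (cve "([^0-9]|$)") { hit = ver }
        END { if (hit == "") exit 1; print hit }
    '
}

# Wrapper for an installed package (needs rpm, so it only works on an
# RPM-based host): pkg_cve_fixed_in bind-libs CVE-2016-2776
pkg_cve_fixed_in() {
    rpm -q --changelog "$1" | cve_fixed_in "$2"
}

# Constructed sample changelog; not the real bind changelog.
sample_changelog() {
    cat <<'EOF'
* Wed Jan 03 2001 Example Packager <packager@example.com> - 32:9.8.2-EXAMPLE.3
- Fix CVE-0000-0001

* Tue Jan 02 2001 Example Packager <packager@example.com> - 32:9.8.2-EXAMPLE.2
- Fix CVE-2016-2776

* Mon Jan 01 2001 Example Packager <packager@example.com> - 32:9.8.2-EXAMPLE.1
- Fix CVE-0000-00011
EOF
}
```

A changelog hit only shows that the package metadata claims the fix; compare the reported build with `rpm -q bind-libs` to confirm the installed package is at or beyond it.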