Updating bind 9.11 to 9.16

itsensellc

Hello all - a client of mine flagged my server because it's running the Almalinux 8 default 9.11. What's weird though is I see 9.16 in the appstream repositories. When I run update of course it tells me there is nothing to update which I believe is because 9.16 is a different package name. My question: is it as simple as removing bind 9.11 and installing 9.16? I'm not quite sure how it would get all the zone records after I do that nor do I totally understand the repercussions. But I know I need to get it done since 9.11 has some vulnerabilities. TIA!
 
I would keep my hands off. Your client has no business to flag your server as bind/named BIND 9.11.36 is the current safe version for Almalinux 8.
If you are running that, then you're fine. Client has to learn how Linux works if he doesn't agree.

Version 9.16 is from Almalinux 9. So if the client wants that, he has to change or upgrade his system to Almalinux 9.

Now my question is: why does the client want that version 9.16? Because he sees there is "something new" and he wants the newest? Then he should learn that certain applications in Linux are also bound to dependencies.

Or maybe he read this somewhere?
BIND 9.11 was supported until March, 2022.
BIND 9.16 is our old Stable/ESV version, supported until April, 2024.

Then 9.16 will not help him either because it is already April 2024.
But that is for standalone versions, not OS supported versions. OS is always running behind.

In other words, Almalinux still supports its named version and there was even an update recently.

But I know I need to get it done since 9.11 has some vulnerabilities.
No you don't and no it doesn't.

Proof here:
already fixed last year. And as said, quite recently there was another bind update.

Just keep your OS and its packages updated and you're fine and you won't have any bind/named vulnerabilities in the OS version of named.

However, if you don't believe me, or your client gets nasty, feel free to compile and update manually to a newer version. But remember that is not supported by DA as it's a not required customisation of the OS.
And you need to back up named.conf and all zone files too. Which is a good thing anyway once in a while, even without changes.
 
I believe you :)
Yes this is an unusual situation to have a shared server audited as if it was a dedicated resource. Most of it I was ok with but this I'm definitely not comfortable with. I was just having a hard time understanding why it appeared 9.16 was available but wasn't being chosen and now I understand why - it being for Almalinux 9 makes total sense. Having the proof that it's being patched is really what's key here so that is what I'll share and leave it at that.

Thanks!
 
Having the proof that it's being patched is really what's key here so that is what I'll share and leave it at that.
You're welcome.

I recently also had a customer who used some tool on a site (maybe the same as your customer) and thought he found some "issues" with my server which could be improved according to the audit result. However, he didn't flag the server and nicely asked if they (that site) could be right.

It indeed mostly takes some explaining and some proof that these kinds of sites are just snapshots in time and not always fully applicable to shared servers. So I understand you.

Glad to be of help!
 
Normally OS vendors "backport" the new fixes on their files, even if there is an old version mentioned
 
just add this to your named.conf

Code:
// goes inside the existing options { ... } block of named.conf
version "Security fixed by OS backport comparative";

Then no customer will report this to you anymore, I guess.
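
The proof the thread settles on, that fixes are backported into the distribution's 9.11 package while the version string stays the same, can be checked against the package changelog. The following is an added example, not part of the original posts: it maps CVE IDs from an audit report to the package release whose changelog mentions them. The changelog entries, release numbers and CVE IDs are constructed placeholders; on a live host the input comes from `rpm -q --changelog bind`.

```shell
#!/bin/sh
# Added example: map CVE IDs from an audit report to the package release
# whose RPM changelog mentions them.
# Live input on an RPM-based host:  rpm -q --changelog bind

# Constructed sample in RPM changelog layout (newest entry first).
# Packager, releases and CVE IDs are placeholders, not real AlmaLinux data.
sample_changelog() {
cat <<'EOF'
* Tue Feb 06 2024 Packager <packager@example.invalid> - 32:9.11.36-12
- Resolves: CVE-0000-0003

* Mon Sep 25 2023 Packager <packager@example.invalid> - 32:9.11.36-11
- Backport upstream fix (CVE-0000-0002)
- Fix for CVE-0000-0001

* Thu Mar 02 2023 Packager <packager@example.invalid> - 32:9.11.36-8
- Rebuild, no functional change
EOF
}

# Usage: cve_fix_releases CVE-ID... < changelog
# Prints "<CVE> <version-release>" for the oldest entry mentioning the CVE
# (the release that first shipped the fix), or "<CVE> NOT-IN-CHANGELOG".
cve_fix_releases() {
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, ids, " ") }
        # Entry header: the last field is the version-release.
        /^\* / { rel = $NF; next }
        {
            for (i = 1; i <= n; i++)
                # Whole-ID match: CVE-0000-0001 must not match CVE-0000-00012.
                if (match($0, ids[i] "([^0-9]|$)")) found[ids[i]] = rel
        }
        END {
            for (i = 1; i <= n; i++)
                print ids[i], ((ids[i] in found) ? found[ids[i]] : "NOT-IN-CHANGELOG")
        }'
}

# Demo on the constructed sample; the last ID is deliberately absent.
sample_changelog | cve_fix_releases CVE-0000-0001 CVE-0000-0003 CVE-0000-0009
```

An ID reported as NOT-IN-CHANGELOG is not necessarily unpatched: the package may not be affected, so the distribution's security advisories are the next place to look.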
 