Hello Jordan, Red Hat have been building their BIND packages with --disable-isc-spnego configure parameter for years, all versions still somehow supported by Red Hat are built with them. This means the mentioned issue should not affect Red Hat packages. Please visit [1] to check affected versions.
Your version is still vulnerable to CVE-2021-25215 [2] [3] however, upgrade to a fixed version is required anyway. But your BIND9 kerberos support should be fine as it is. Best Regards, Petr 1. https://access.redhat.com/security/cve/CVE-2021-25216 2. https://access.redhat.com/security/cve/CVE-2021-25215 3. https://bugzilla.redhat.com/show_bug.cgi?id=1953857 On 4/30/21 4:21 PM, Jordan Tinsley wrote: > I have a question - > > Is BIND 9.11.6 (Extended Support Version) vulnerable? If this is vanilla build without special parameters, it is most likely vulnerable. > > Is BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 (Extended Support Version) > vulnerable? This version is not vulnerable. Check named -V | grep disable-isc-spnego, if it finds the string, it is not affected. > > Thanks -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
