8-STABLE base BIND version number typo ?
ml at my.gd
Mon Aug 27 08:11:25 UTC 2012
We're currently running Nessus PCI DSS scans on our infrastructure to
eliminate known vulnerabilities and problems.
The scan reports that my version of BIND is vulnerable to exploits I
*know* it isn't.
The problem, to me, seems to be with the version number as reported by
named -V :
BIND 9.6.-ESV-R7-P2 built with '--prefix=/usr'
'--enable-threads' '--enable-getifaddrs' '--disable-linux-caps'
'--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn'
(notice the .- notation)
This is the base's BIND running on 8.3-STABLE 64 bits compiled and
built on 22/08/12 :
FreeBSD pf1-dmz-gs.[snip] 8.3-STABLE FreeBSD 8.3-STABLE #2: Wed Aug 22
10:41:47 CEST 2012
I have verified that building the exact same version from the ports,
at /usr/ports/dns/bind96 yields the correct version number and the
vulnerabilities are no longer reported by the scan, which uses BIND's
version number as a reference.
Has anyone else noticed the same oddity, that I might file a PR?
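An added example, not part of the original post and not Nessus's actual logic: it shows how a banner check that accepts the longest well-formed prefix of the version token would read the malformed `9.6.-ESV-R7-P2` as plain 9.6 and report a false positive, while a strict parser flags the banner as malformed instead. The token grammar, the well-formed ports banner, and the `FIXED_IN` threshold are assumptions constructed for illustration.

```python
import re

# Assumed grammar for the release token in `named -V` output,
# e.g. 9.6-ESV-R7-P2 or 9.8.3-P2.
TOKEN = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-ESV)?(?:-R(\d+))?(?:-P(\d+))?")

def release_token(banner):
    """Extract the release token from a line like "BIND <token> built with ..."."""
    fields = banner.split()
    if len(fields) < 2 or fields[0] != "BIND":
        raise ValueError("not a named -V banner")
    return fields[1]

def _key(match):
    # Sortable key: (major, minor, patch, R-level, P-level); absent parts are 0.
    return tuple(int(g or 0) for g in match.groups())

def parse_strict(token):
    """Accept the token only if every character fits the grammar."""
    m = TOKEN.fullmatch(token)
    return _key(m) if m else None

def parse_lenient(token):
    """Accept the longest well-formed prefix and silently drop the rest."""
    m = TOKEN.match(token)
    return _key(m) if m else None

def verdict(banner, fixed_in, parser):
    """Classify a banner against the first fixed release using the given parser."""
    have = parser(release_token(banner))
    if have is None:
        return "malformed"
    return "ok" if have >= parse_strict(fixed_in) else "vulnerable"

# Banner quoted in the post (base system build) and its assumed well-formed
# counterpart; FIXED_IN is a constructed threshold, not a real advisory value.
BASE_BANNER = "BIND 9.6.-ESV-R7-P2 built with '--prefix=/usr'"
PORTS_BANNER = "BIND 9.6-ESV-R7-P2 built with '--prefix=/usr'"
FIXED_IN = "9.6-ESV-R7-P1"

if __name__ == "__main__":
    for name, banner in (("base", BASE_BANNER), ("ports", PORTS_BANNER)):
        print(name, "lenient:", verdict(banner, FIXED_IN, parse_lenient),
              "strict:", verdict(banner, FIXED_IN, parse_strict))
```

A "malformed" result is the useful one for scan triage: it says the banner itself needs fixing or the finding needs manual verification, rather than silently producing a wrong verdict.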