Peda, Allan (NYC-GIS)
2019-Jun-24 13:07 UTC
[CentOS] Vulnerabilities to bind-libs bind-utils - possible to remove these on webservers
I think the subject says it all. We don't run named. It seems there are chronic issues with bind. Can these packages be removed? We locally authenticate. I see this: Removing for dependencies: bind-utils ipa-client sssd sssd-ad sssd-ipa We shouldn't need any of that with local authentication (/etc passwd and /etc/shadow) right? This message contains information which may be confidential and privileged. Unless you are the intended recipient (or authorized to receive this message for the intended recipient), you may not use, copy, disseminate or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail, and delete the message. Thank you very much.
Mauricio Tavares
2019-Jun-24 13:20 UTC
[CentOS] Vulnerabilities to bind-libs bind-utils - possible to remove these on webservers
On Mon, Jun 24, 2019 at 9:07 AM Peda, Allan (NYC-GIS) <Allan.Peda at interpublic.com> wrote:> > I think the subject says it all. We don't run named. It seems there are chronic issues with bind. Can these packages be removed? > > We locally authenticate. I see this: > > Removing for dependencies: > bind-utils > ipa-client > sssd > sssd-ad > sssd-ipa > > We shouldn't need any of that with local authentication (/etc passwd and /etc/shadow) right? >Which packages installed them as dependencies?> > This message contains information which may be confidential and privileged. Unless you are the intended recipient (or authorized to receive this message for the intended recipient), you may not use, copy, disseminate or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail, and delete the message. Thank you very much. > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos
mark
2019-Jun-24 13:41 UTC
[CentOS] Vulnerabilities to bind-libs bind-utils - possible to remove these on webservers
Peda, Allan (NYC-GIS) wrote:> I think the subject says it all. We don't run named. It seems there are > chronic issues with bind. Can these packages be removed? > > We locally authenticate. I see this: > > Removing for dependencies: > bind-utils ipa-client sssd sssd-ad sssd-ipa > > We shouldn't need any of that with local authentication (/etc passwd and > /etc/shadow) right?Are you running sssd? Are you connected to the AD? mark (we do, and we are)
Peda, Allan (NYC-GIS)
2019-Jun-24 15:49 UTC
[CentOS] Vulnerabilities to bind-libs bind-utils - possible to remove these on webservers
I just tried out removal of bind-utils on a soon to be retired machine. It
seems fine with the caveat that we lose /bin/host and /bin/dig
Perhaps a perl script might suffice to emulate 'host' on machines that
might need the occasional networking debug session. Just typed this up, so
FWIW:
use Net::DNS;
my $res = Net::DNS::Resolver->new();
my $sought = $ARGV[0];
my $a_query = $res->search($sought);
if ($a_query) {
foreach my $rr ($a_query->answer) {
if( $rr->type eq 'A' ){
printf("%s has address %s\n", $sought, $rr->address);
} elsif( $rr->type eq 'CNAME' ){
printf("%s is an alias for %s\n", $sought, $rr->cname);
$sought = $rr->cname;
}
}
} else {
warn "Unable to obtain a record for $ARGV[0]: ",
$res->errorstring, "\n";
}
?On 6/24/19, 10:02 AM, "CentOS on behalf of mark" <centos-bounces
at centos.org on behalf of m.roth at 5-cent.us> wrote:
Peda, Allan (NYC-GIS) wrote:
> I think the subject says it all. We don't run named. It seems
there are
> chronic issues with bind. Can these packages be removed?
>
> We locally authenticate. I see this:
>
> Removing for dependencies:
> bind-utils ipa-client sssd sssd-ad sssd-ipa
>
> We shouldn't need any of that with local authentication (/etc
passwd and
> /etc/shadow) right?
Are you running sssd? Are you connected to the AD?
mark (we do, and we are)
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailman_listinfo_centos&d=DwICAg&c=Ftw_YSVcGmqQBvrGwAZugGylNRkk-uER0-5bY94tjsc&r=Tou2GfskafF_UnC0yPjAjEzLDhbALx-0EDoLp3_iSss&m=a3ZtigkKfdV2C-tKLDVYICLN8wbT_4sjV2wJ41VSGK8&s=IN9NvDKi-LGcoVnrMKW6KR7GRFUcA0OT_SQ4UEaDmb0&e=
This message contains information which may be confidential and privileged.
Unless you are the intended recipient (or authorized to receive this message for
the intended recipient), you may not use, copy, disseminate or disclose to
anyone the message or any information contained in the message. If you have
received the message in error, please advise the sender by reply e-mail, and
delete the message. Thank you very much.