
There is a bug, Heartbleed, in OpenSSL. I built ISC BIND 9.9.5 with OpenSSL 1.0.1e enabled. Should I rebuild BIND with OpenSSL 1.0.1g?

Tuan

2 Answers


No, it does not appear to me that BIND is vulnerable to the heartbleed exploit. Exploiting the vulnerability requires asking for TLS heartbeat functionality, and that requires a TLS connection, or one that can be uprated to TLS, to exist. BIND doesn't offer any functionality like that, that I know of. Merely being linked against vulnerable libraries does not, in and of itself, make a service vulnerable to the attack (vide OpenSSH, which is linked to the libraries, but apparently uses them for key generation functions, not the network-enabled parts of the protocol).

I think a proper understanding of vulnerabilities and impact is important for prioritising patching. Disruption of all kinds involves instability and risk, and you don't want to be doing things in the middle of the day if they could safely wait until next Saturday evening's patch window.

It would definitely be a good idea to upgrade your OpenSSL, and relink any tools built against it, but I don't think you need to feel vulnerable until you do, on this particular count. Honestly, a better use of your time would be to migrate away from hand-built software if at all possible.

MadHatter
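Whether a hand-built binary needs relinking depends on how it picked up OpenSSL in the first place. The POSIX shell helper below is an added example, not code from either answer: it reports whether a binary loads libssl/libcrypto dynamically (upgrading the shared library and restarting is then enough) or embeds its own OpenSSL version banner (the binary itself must be relinked), and whether an embedded version falls in the Heartbleed-affected range 1.0.1 to 1.0.1f. The demo file it inspects is constructed, not a real `named` binary.

```shell
#!/bin/sh
# Classify how a binary obtains OpenSSL and whether that copy is Heartbleed-affected.
#   dynamic: loads libssl/libcrypto at run time; fix the shared library, restart.
#   static:  carries an OpenSSL version banner itself; the binary must be relinked.
# Note: ldd may run the binary's dynamic loader, so point it only at binaries you trust.

# Pull the first embedded OpenSSL version string out of a file, e.g. "1.0.1e".
openssl_version() {
    grep -ao 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" | head -n 1 | sed 's/^OpenSSL //'
}

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.
is_heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Report "dynamic", "static" or "none" for the given binary.
openssl_linkage() {
    if command -v ldd >/dev/null 2>&1 \
       && ldd "$1" 2>/dev/null | grep -qe libssl -e libcrypto; then
        echo dynamic
    elif [ -n "$(openssl_version "$1")" ]; then
        echo static
    else
        echo none
    fi
}

# One-line verdict combining linkage and version range.
heartbleed_report() {
    case "$(openssl_linkage "$1")" in
        dynamic) echo "$1: dynamic OpenSSL; upgrade the shared library and restart" ;;
        static)
            v=$(openssl_version "$1")
            if is_heartbleed_version "$v"; then
                echo "$1: static OpenSSL $v (Heartbleed-affected); relink against 1.0.1g+"
            else
                echo "$1: static OpenSSL $v (fixed)"
            fi ;;
        *) echo "$1: no OpenSSL found" ;;
    esac
}

# Demo on a constructed stand-in for a statically linked named binary.
demo=$(mktemp)
printf 'binary junk OpenSSL 1.0.1e 11 Feb 2013 more junk\n' > "$demo"
heartbleed_report "$demo"
rm -f "$demo"
```

Run it against the real `named` (for example `heartbleed_report /usr/local/sbin/named`) after sourcing the functions; a "dynamic" result means the OpenSSL upgrade alone covers it once the service is restarted.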

BIND cannot be vulnerable to this kind of attack as it uses OpenSSL for other things than TLS.

Florin Asăvoaie