From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

Description of problem:
Hello Redhat, I am using 7.3 and bind-9.2.1 which came with the system. I ran nessus and it indicates that there are security issues with bind-9.2.1; is it possible that Redhat can issue an errata for that so that 7.3 can run bind-9.2.2? Thanks.

Output from nessus:
The remote BIND 9 server, according to its version number, is vulnerable to a buffer overflow which may allow an attacker to gain a shell on this host or to disable this server.
Solution : upgrade to bind 9.2.2 or downgrade to the 8.x series
See also : http://www.isc.org/products/BIND/bind9.html
Risk factor : High

Thanks.
- Colin Kong

Version-Release number of selected component (if applicable):
redhat-7.3 bind-9.2.1-1.7x.2

How reproducible:
Always

Steps to Reproduce:
1. Install nessus.
2. Use the default settings of nessus to scan a redhat-7.3 system running bind 9.2.1.
3. Read the ``domain (53/tcp)'' section in the report output by nessus.

Additional info:
This is most likely a false positive that is triggered because we backport security fixes without moving to new upstream versions of packages like bind. See https://www.redhat.com/advice/speaks_backport.html for some background about this. If Nessus gives you an associated CVE name, such as CAN-2002-0651 (which is most likely the issue it is telling you about) you can search the Red Hat web site to find out which update contained a fix for the issue. (For CAN-2002-0651 it is http://rhn.redhat.com/errata/RHSA-2002-133.html)
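As an added illustration of the backport point above (not part of this bug thread): a small Python check that contrasts the version-only test a scanner applies with a search of the installed package's changelog for the CVE/CAN identifier. The changelog text is a constructed sample, not the real Red Hat package changelog, and the helper names are my own.

```python
import re

# Matches both the provisional CAN- ids used in 2002 and CVE- ids.
_ID_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Split a plain upstream version such as '9.2.1' into (9, 2, 1)."""
    return tuple(int(part) for part in version.split("."))


def version_says_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """The banner-based test a scanner applies: anything older than the
    upstream fix release is flagged, whether or not the vendor patched it."""
    return parse_version(installed) < parse_version(fixed_upstream)


def normalize(identifier: str) -> str:
    """CAN- was the provisional prefix later renamed CVE-; compare on one form."""
    return "CVE-" + identifier.upper().split("-", 1)[1]


def ids_in_changelog(changelog: str) -> set:
    """Collect every CVE/CAN id mentioned in an `rpm -q --changelog` dump."""
    return {normalize(m) for m in _ID_RE.findall(changelog)}


def assess(installed: str, fixed_upstream: str, changelog: str, cve: str) -> dict:
    """Combine both signals: a version-only hit that the package changelog
    contradicts is reported as a likely backport false positive."""
    flagged = version_says_vulnerable(installed, fixed_upstream)
    patched = normalize(cve) in ids_in_changelog(changelog)
    return {
        "version_flagged": flagged,
        "changelog_has_fix": patched,
        "likely_false_positive": flagged and patched,
    }


# Constructed sample of what `rpm -q --changelog bind` could print for a
# vendor package carrying a backported fix; not Red Hat's actual changelog.
SAMPLE_CHANGELOG = """\
* Mon Jul 01 2002 Example Packager <packager@example.com> 9.2.1-1.7x.2
- backport fix for CAN-2002-0651
* Wed May 01 2002 Example Packager <packager@example.com> 9.2.1-1.7x.1
- rebuild for 7.3
"""

if __name__ == "__main__":
    print(assess("9.2.1", "9.2.2", SAMPLE_CHANGELOG, "CAN-2002-0651"))
```

On a live system the changelog input would come from `rpm -q --changelog bind`; the scanner's version test alone cannot tell a patched 9.2.1 from an unpatched one.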